Windows Analysis Report
ClickShare-Extension-Pack-01.01.02.0007.msi

Overview

General Information

Sample name: ClickShare-Extension-Pack-01.01.02.0007.msi
Analysis ID: 1427889
MD5: 56d913ebbe38ab3a7f48abe1a3e9daa6
SHA1: fb6518265932a3d810183f3a6e6a0fde14a2b66e
SHA256: 26f4dc0f8ccedc064aea7fda31a2a8bec32cf7b646fa044cbfdd352f559764e0

Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables driver privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Startup Folder File Write
Spawns drivers
Stores files to the Windows start menu directory
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
  • System is w10x64
  • msiexec.exe (PID: 3568 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ClickShare-Extension-Pack-01.01.02.0007.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 1632 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 1408 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E6B16BCC263E80D188A4984C7B267598 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • taskkill.exe (PID: 4148 cmdline: "C:\Windows\SysWOW64\taskkill.exe" /F /IM clicksharelauncher.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 5740 cmdline: C:\Windows\System32\MsiExec.exe -Embedding F4B6C0AC556B4BDBCA932BA88603FA42 MD5: E5DA170027542E25EDE42FC54C929077)
    • MirrorOpSetup64.exe (PID: 3356 cmdline: "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe" install MD5: 28B07DC516BFC41A35A93DC1643E143F)
    • clicksharelauncher.exe (PID: 2072 cmdline: "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe" MD5: 5EB03B6FF6643353FE82B59F8242F1BE)
  • drvinst.exe (PID: 6616 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\MirrorOpDisplay.inf" "9" "4208fae43" "0000000000000154" "WinSta0\Default" "000000000000016C" "208" "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
  • drvinst.exe (PID: 4824 cmdline: DrvInst.exe "2" "1" "ROOT\DISPLAY\0000" "C:\Windows\System32\DriverStore\FileRepository\mirroropdisplay.inf_amd64_81a2ef4ec907e6ad\mirroropdisplay.inf" "oem4.inf:*:*:1.1.174.61:Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001," "4208fae43" "0000000000000168" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
  • WUDFRd.sys (PID: 4 cmdline: MD5: 0B7A5464602DA68DA6BEFC2A1B5BE4C5)
  • WUDFHost.exe (PID: 6768 cmdline: "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-35dc3092-997a-462b-8ee0-c4c46c580d41 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-2348cb75-16eb-4e88-aea2-36cde2ec3571 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-8f9a7ac6-e24f-4275-b4e5-c5e16ce5d6a7 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-34c938a5-6219-4a04-8fb5-f0a5c593a835 -LifetimeId:f1058ddd-615d-4a9e-a592-7cb571a1dced -DeviceGroupId:v3DDKIndirectGroup -HostArg:0 MD5: 00E2EF3D2C9309CA4135195A049CC79C)
  • cleanup
No configs have been found
No yara matches
Source: Process started Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\WUDFRd.sys, NewProcessName: C:\Windows\System32\drivers\WUDFRd.sys, OriginalFileName: C:\Windows\System32\drivers\WUDFRd.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: WUDFRd.sys
Source: File created Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\msiexec.exe, ProcessId: 1632, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
No Snort rule has matched

There are no malicious signatures.

Source: C:\Windows\System32\msiexec.exe Window detected: WixUI_Bmp_DialogI &accept the terms in the License Agreement&Print&Back&InstallCancel Barco ClickShare - End-User License Agreement (EULA / Software License) PLEASE READ THIS DOCUMENT CAREFULLY BEFORE OPENING OR DOWNLOADING AND USING SOFTWARE OR HARDWARE PROVIDED TO YOU BY BARCO AS IT CONTAINS THE TERMS AND CONDITIONS BY WHICH BARCO OFFERS TO LICENSE THE SOFTWARE. BY OPENING THE SOFTWARE PACKAGE OR USING THE HARDWARE IN WHICH THE SOFTWARE IS EMBEDDED YOU AGREE TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. The Software as supplied by BARCO is licensed not sold to you on a non-exclusive basis for use only under the terms of this license and BARCO reserve all rights not expressly granted to you. You may own the carrier on which the Software is provided but the Software is owned and copyrighted by BARCO or by third party suppliers. Your license confers no title or ownership and is not a sale of any rights in the Software or its documentation. By installing executing and/or using the Software either as initial version or as an upgrade update patch or enhancement of a prior release this Software License shall supersede any terms and conditions previously agreed upon (whether or not in writing) between Barco and you with respect to the subject matter of this Software License and such previous terms shall from the date hereof cease to have any force or effect; provided however that this Software License shall not be construed as a renunciation discharge or waiver of any right or remedy provided in any terms and conditions previously agreed upon with respect to a failure of either party to perform any of its obligations under any terms and conditions previously agreed upon.
Software Specifications The Software contains the following software products: ClickShare Software License Terms 1 This Software License is between you and BARCO NV a corporation organized and existing under the laws of Belgium registered under number BE 0473.191.041 Commercial Companies' Register of Kortrijk having its registered office President Kennedypark 35 at B-8500 Kortrijk Belgium ("Barco") for the use of the Software. You hereby undertake to inform all users authorized by you to make use of the computing device on which the Software is loaded/installed ("Authorized Users") of the terms of this Software License and to bind all Authorized Users to accept all such terms of this Software License as applies to them. 2 Barco grants you a limited non-exclusive non-assignable non-transferable user license (without the right to grant sublicenses). Unless specifically agreed upon otherwise between you and Barco or unless specifically allowed by the Software (or its DRM management) itself i) the license under this Software License applies to one (1) copy of the Software to be used on one single computing device and ii) installation on a computing device that may be concurrently accessed by more than one user shall not constitute a permitted use and a separate license is required for
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\Public\MirrorOpDisplaySetup.log
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\eula.txt
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\Release\MirrorOpVirtualDisplay1_0.pdb source: MirrorOpVirtualDisplay1_0.dll0.2.dr
Source: Binary string: DIFxApp.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, MSIB79.tmp.2.dr, MSI3067.tmp.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: DIFxApp.pdb@UVWATAUH source: ClickShare-Extension-Pack-01.01.02.0007.msi, MSIB79.tmp.2.dr, MSI3067.tmp.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: DIFxAppA.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\Release\MirrorOpVirtualDisplay1_2.pdb source: MirrorOpVirtualDisplay1_2.dll0.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDK_CUSTOMER_SETUP\Release\MirrorOpSetup32.pdb source: MirrorOpSetup32.exe.2.dr
Source: Binary string: DIFxAppA.pdb@UVWATAUH source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDK_CUSTOMER_SETUP\x64\Release\MirrorOpSetup64.pdb source: MirrorOpSetup64.exe, 00000007.00000000.2075885646.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp, MirrorOpSetup64.exe, 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp, MirrorOpSetup64.exe.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\x64\Release\MirrorOpVirtualDisplay1_2.pdb source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, WUDFHost.exe, 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp, SET15A9.tmp.9.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\x64\Release\MirrorOpVirtualDisplay1_0.pdb source: MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, SET1589.tmp.9.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_0.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\uica.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\wixca.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr, MSI8A8.tmp.2.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E1F6F0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,7_2_00007FF642E1F6F0
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E11650 GetWindowsDirectoryW,GetLastError,PathAppendW,GetLastError,PathAppendW,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,FindClose,PathStripPathW,SetupUninstallOEMInfW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,7_2_00007FF642E11650
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.00000000002B1000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: 04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.00000000002B1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://bugreports.qt.io/
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.00000000002B1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://bugreports.qt.io/finishedMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogicRocket
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://changelogs.ubuntu.com/changelogs/pool/main/p/pixman/pixman_0.10.0-0ubuntu1/libpixman-1-0.copy
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://creativecommons.org/licenses/by-sa/3.0/
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: 3f0639.msi.2.dr String found in binary or memory: http://dejavu-fonts.org/wiki/License
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://doc.qt.io/qt-5/lgpl.html
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://freetype.sourceforge.net/FTL.TXT
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://ftp.gnu.org/non-gnu/chinese-fonts-truetype/LICENSE
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://github.com/aFarkas/html5shiv/blob/master/MIT%20and%20GPL2%20licenses.md
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://metadata.ftp-master.debian.org/changelogs//main/libs/libsm/libsm_1.2.2-1_copyright
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://metadata.ftp-master.debian.org/changelogs//main/t/ttf-sazanami/ttf-sazanami_20040629-8_copyri
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 3f0639.msi.2.dr String found in binary or memory: http://opensource.org/licenses/BSD-3-Clause
Source: 3f0639.msi.2.dr String found in binary or memory: http://opensource.org/licenses/GPL-2.0
Source: 3f0639.msi.2.dr String found in binary or memory: http://opensource.org/licenses/ISC
Source: 3f0639.msi.2.dr String found in binary or memory: http://opensource.org/licenses/MIT
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://opensource.org/licenses/bsd-license.php
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://opensource.org/licenses/mit-license.php
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://perldoc.perl.org/perlartistic.html
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.drString found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.drString found in binary or memory: http://s.symcd.com06
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.drString found in binary or memory: http://s.symcd.com0_
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://srp.stanford.edu/license.txt
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.drString found in binary or memory: http://sw.symcb.com/sw.crl0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://sw.symcd.com0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 3f0639.msi.2.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.cryptopp.com/License.txt
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.denx.de/wiki/U-Boot/Licensing
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/copyleft/fdl.html
Source: 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/licenses/gpl.html
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/licenses/gpl.txt
Source: 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/licenses/lgpl.html
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/licenses/old-licenses/gpl-1.0.html
Source: 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
Source: 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.libpng.org/pub/png/src/libpng-LICENSE.txt
Source: 3f0639.msi.2.dr String found in binary or memory: http://www.openssl.org/source/license.html
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.00000000002B1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.php.net/license/3_01.txt
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.00000000002B1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.phreedom.org/md5)
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.00000000002B1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SET2037.tmp.10.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: https://d.symcb.com/rpa0)
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/EvanHahn/HumanizeDuration.js
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/ablanco/jquery.pwstrength.bootstrap/blob/master/GPL-LICENSE.txt
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/ablanco/jquery.pwstrength.bootstrap/commit/19480555e8c7c2f417d78a78dac63056fa221f
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/certnanny/sscep/blob/master/COPYRIGHT
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/hayageek/jquery-upload-file
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/malsup/form#copyright-and-license
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/moment/moment/
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/nnnick/Chart.js/blob/master/LICENSE.md
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/scottjehl/Respond/blob/master/LICENSE-MIT
Source: 3f0639.msi.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://jquery.org/license/
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://opensource.org/licenses/BSD-3-Clause
Source: 3f0639.msi.2.dr String found in binary or memory: https://opensource.org/licenses/MIT
Source: 3f0639.msi.2.dr String found in binary or memory: https://osdn.jp/cvs/view/efont/sazanami/README
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://raw.github.com/joyent/node/v0.10.26/LICENSE
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://wiki.gnome.org/FoundationBoard/Resources/LicensingAgreement
Source: 3f0639.msi.2.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://www.gnu.org/licenses/gpl.html
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\SET15C9.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\mirroropdisplay.cat (copy)
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\mirroropdisplay.cat (copy)
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\SET1368.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3f0637.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8A8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{AA1F9CF3-F74D-4EBD-82DA-12D07064FA5C}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB49.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB79.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{AA1F9CF3-F74D-4EBD-82DA-12D07064FA5C}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{AA1F9CF3-F74D-4EBD-82DA-12D07064FA5C}\icon.ico
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3f0639.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3067.tmp
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Windows\INF\c_display.PNF
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\mirroropdisplay.inf_amd64_81a2ef4ec907e6ad
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\mirroropdisplay.inf_amd64_81a2ef4ec907e6ad\amd64
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\UMDF\SET2037.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI8A8.tmp
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: String function: 00007FF642E129C0 appears 48 times
Source: MSIB79.tmp.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: MSI3067.tmp.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ClickShare-Extension-Pack-01.01.02.0007.msi Binary or memory string: OriginalFilenameuica.dll\ vs ClickShare-Extension-Pack-01.01.02.0007.msi
Source: ClickShare-Extension-Pack-01.01.02.0007.msi Binary or memory string: OriginalFilenameDIFxApp.dll vs ClickShare-Extension-Pack-01.01.02.0007.msi
Source: ClickShare-Extension-Pack-01.01.02.0007.msi Binary or memory string: OriginalFilenameDIFxAppA.dll vs ClickShare-Extension-Pack-01.01.02.0007.msi
Source: ClickShare-Extension-Pack-01.01.02.0007.msi Binary or memory string: OriginalFilenamewixca.dll\ vs ClickShare-Extension-Pack-01.01.02.0007.msi
Source: unknown Driver loaded: C:\Windows\System32\drivers\WUDFRd.sys
Source: classification engine Classification label: clean9.evad.winMSI@16/61@0/0
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Barco
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\Public\MirrorOpDisplaySetup.log
Source: C:\Windows\System32\drvinst.exe Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFA1094AAB77BE8A5A.TMP
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "clicksharelauncher.exe")
Source: C:\Windows\System32\msiexec.exe File read: C:\Windows\win.ini
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: ClickShare-Extension-Pack-01.01.02.0007.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ClickShare-Extension-Pack-01.01.02.0007.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E6B16BCC263E80D188A4984C7B267598
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /F /IM clicksharelauncher.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding F4B6C0AC556B4BDBCA932BA88603FA42
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe" install
Source: unknown Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\MirrorOpDisplay.inf" "9" "4208fae43" "0000000000000154" "WinSta0\Default" "000000000000016C" "208" "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx"
Source: unknown Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "1" "ROOT\DISPLAY\0000" "C:\Windows\System32\DriverStore\FileRepository\mirroropdisplay.inf_amd64_81a2ef4ec907e6ad\mirroropdisplay.inf" "oem4.inf:*:*:1.1.174.61:Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001," "4208fae43" "0000000000000168"
Source: unknown Process created: C:\Windows\System32\WUDFHost.exe "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-35dc3092-997a-462b-8ee0-c4c46c580d41 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-2348cb75-16eb-4e88-aea2-36cde2ec3571 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-8f9a7ac6-e24f-4275-b4e5-c5e16ce5d6a7 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-34c938a5-6219-4a04-8fb5-f0a5c593a835 -LifetimeId:f1058ddd-615d-4a9e-a592-7cb571a1dced -DeviceGroupId:v3DDKIndirectGroup -HostArg:0
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe"
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, msi.dll, srpapi.dll, kernel.appcore.dll, tsappcmp.dll, uxtheme.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, windows.storage.dll, wldp.dll, propsys.dll, textshaping.dll, netapi32.dll, wkscli.dll, netutils.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, gpapi.dll, version.dll, mscoree.dll, profapi.dll, sspicli.dll, msihnd.dll, dwmapi.dll, pcacli.dll, mpr.dll, windowscodecs.dll, oleacc.dll, riched20.dll, usp10.dll, msls31.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, tsappcmp.dll, userenv.dll, profapi.dll, sspicli.dll, netapi32.dll, wkscli.dll, netutils.dll, srclient.dll, spp.dll, powrprof.dll, vssapi.dll, vsstrace.dll, umpdc.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, gpapi.dll, mscoree.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, windows.storage.dll, pcacli.dll, mpr.dll, ntmarta.dll, cabinet.dll, propsys.dll, linkinfo.dll, ntshrui.dll, srvcli.dll, cscapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll, mpr.dll, framedynos.dll, dbghelp.dll, sspicli.dll, srvcli.dll, netutils.dll, kernel.appcore.dll, wbemcomn.dll, winsta.dll, amsi.dll, userenv.dll, profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Section loaded: newdev.dll, devobj.dll, devrtl.dll, msasn1.dll, drvsetup.dll, drvstore.dll, cabinet.dll, ntmarta.dll, version.dll, kernel.appcore.dll
Source: C:\Windows\System32\drvinst.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\drvinst.exeSection loaded: devrtl.dllJump to behavior
Source: C:\Windows\System32\drvinst.exeSection loaded: drvstore.dllJump to behavior
Source: C:\Windows\System32\drvinst.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\drvinst.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\drvinst.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\drvinst.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\drvinst.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\drvinst.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\drvinst.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\System32\WUDFHost.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\System32\WUDFHost.exeSection loaded: wudfplatform.dllJump to behavior
Source: C:\Windows\System32\WUDFHost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WUDFHost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WUDFHost.exeSection loaded: avrt.dllJump to behavior
Source: C:\Windows\System32\WUDFHost.exeSection loaded: wpprecorderum.dllJump to behavior
Source: C:\Windows\System32\WUDFHost.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\System32\WUDFHost.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\System32\WUDFHost.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\WUDFHost.exeSection loaded: wudfx02000.dllJump to behavior
Source: C:\Windows\System32\WUDFHost.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\System32\WUDFHost.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: mpr.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: sfc.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: avrt.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: secur32.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: winmm.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: wintab32.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: devobj.dllJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeSection loaded: msasn1.dllJump to behavior
Source: ClickShare Launcher.lnk.2.drLNK file: ..\..\..\..\..\..\..\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe
Source: ClickShare Launcher.lnk0.2.drLNK file: ..\..\..\..\..\..\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe
Source: C:\Windows\System32\msiexec.exeAutomated click: I accept the terms in the License Agreement
Source: C:\Windows\System32\msiexec.exeAutomated click: Install
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\msiexec.exeWindow detected: WixUI_Bmp_DialogI &accept the terms in the License Agreement&Print&Back&InstallCancelBarco ClickShare - End-User License Agreement (EULA / Software License)PLEASE READ THIS DOCUMENT CAREFULLY BEFORE OPENING OR DOWNLOADING AND USING SOFTWARE OR HARDWARE PROVIDED TO YOU BY BARCO AS IT CONTAINS THE TERMS AND CONDITIONS BY WHICH BARCO OFFERS TO LICENSE THE SOFTWARE. BY OPENING THE SOFTWARE PACKAGE OR USING THE HARDWARE IN WHICH THE SOFTWARE IS EMBEDDED YOU AGREE TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT.The Software as supplied by BARCO is licensed not sold to you on a non-exclusive basis for use only under the terms of this license and BARCO reserve all rights not expressly granted to you. You may own the carrier on which the Software is provided but the Software is owned and copyrighted by BARCO or by third party suppliers. Your license confers no title or ownership and is not a sale of any rights in the Software or its documentation.By installing executing and/or using the Software either as initial version or as an upgrade update patch or enhancement of a prior release this Software License shall supersede any terms and conditions previously agreed upon (whether or not in writing) between Barco and you with respect to the subject matter of this Software License and such previous terms shall from the date hereof cease to have any force or effect; provided however that this Software License shall not be construed as a renunciation discharge or waiver of any right or remedy provided in any terms and conditions previously agreed upon with respect to a failure of either party to perform any of its obligations under any terms and conditions previously agreed upon. 
Software SpecificationsThe Software contains the following software products: ClickShare Software License Terms1 This Software License is between you and BARCO NV a corporation organized and existing under the laws of Belgium registered under number BE 0473.191.041 Commercial Companies' Register of Kortrijk having its registered office President Kennedypark 35 at B-8500 Kortrijk Belgium ("Barco") for the use of the Software.You hereby undertake to inform all users authorized by you to make use of the computing device on which the Software is loaded/installed ("Authorized Users") of the terms of this Software License and to bind all Authorized Users to accept all such terms of this Software License as applies to them.2 Barco grants you a limited non-exclusive non-assignable non-transferable user license (without the right to grant sublicenses). Unless specifically agreed upon otherwise between you and Barco or unless specifically allowed by the Software (or its DRM management) itself i) the license under this Software License applies to one (1) copy of the Software to be used on one single computing device and ii) installation on a computing device that may be concurrently accessed by more than one user shall not constitute a permitted use and a separate license is required for
Source: ClickShare-Extension-Pack-01.01.02.0007.msiStatic file information: File size 7888896 > 1048576
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\Release\MirrorOpVirtualDisplay1_0.pdb source: MirrorOpVirtualDisplay1_0.dll0.2.dr
Source: Binary string: DIFxApp.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, MSIB79.tmp.2.dr, MSI3067.tmp.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: DIFxApp.pdb@UVWATAUH source: ClickShare-Extension-Pack-01.01.02.0007.msi, MSIB79.tmp.2.dr, MSI3067.tmp.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: DIFxAppA.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\Release\MirrorOpVirtualDisplay1_2.pdb source: MirrorOpVirtualDisplay1_2.dll0.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDK_CUSTOMER_SETUP\Release\MirrorOpSetup32.pdb source: MirrorOpSetup32.exe.2.dr
Source: Binary string: DIFxAppA.pdb@UVWATAUH source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDK_CUSTOMER_SETUP\x64\Release\MirrorOpSetup64.pdb source: MirrorOpSetup64.exe, 00000007.00000000.2075885646.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp, MirrorOpSetup64.exe, 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp, MirrorOpSetup64.exe.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\x64\Release\MirrorOpVirtualDisplay1_2.pdb source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, WUDFHost.exe, 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp, SET15A9.tmp.9.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\x64\Release\MirrorOpVirtualDisplay1_0.pdb source: MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, SET1589.tmp.9.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_0.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\uica.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\wixca.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr, MSI8A8.tmp.2.dr
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\MirrorOpVirtualDisplay1_0.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB79.tmpJump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\SET1589.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8A8.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exeJump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exeFile created: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\SET1338.tmpJump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exeFile created: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\MirrorOpVirtualDisplay1_2.dll (copy)Jump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\SET15A9.tmpJump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exeFile created: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\MirrorOpVirtualDisplay1_0.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exeJump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\drivers\UMDF\MirrorOpVirtualDisplay1_2.dll (copy)Jump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\drivers\UMDF\SET2037.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\x86\MirrorOpVirtualDisplay1_2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\amd64\MirrorOpVirtualDisplay1_2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\amd64\MirrorOpVirtualDisplay1_0.dllJump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exeFile created: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\SET11D0.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\x86\MirrorOpVirtualDisplay1_0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup32.exeJump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\MirrorOpVirtualDisplay1_2.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3067.tmpJump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exeFile created: C:\Users\Public\MirrorOpDisplaySetup.logJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\eula.txtJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ClickShare Launcher.lnkJump to behavior
Source: C:\Windows\System32\drivers\WUDFRd.sysRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WUDFRd\Parameters\WdfJump to behavior
Source: C:\Windows\System32\drvinst.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WUDFRdJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BarcoJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Barco\ClickShare LauncherJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Barco\ClickShare Launcher\ClickShare Launcher.lnkJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\drvinst.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WUDFHost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Code function: 7_2_00007FF642E11020 SetupDiCreateDeviceInfoList,GetLastError,SetupDiCreateDeviceInfoW,GetLastError,GetLastError,lstrlenW,SetupDiSetDeviceRegistryPropertyW,GetLastError,SetupDiGetClassDevsW,GetLastError,SetupDiCallClassInstaller,GetLastError,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,7_2_00007FF642E11020
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe | Window / User API: threadDelayed 4906
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe | Window / User API: threadDelayed 5093
Source: C:\Windows\System32\drvinst.exe | Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\MirrorOpVirtualDisplay1_0.dll (copy)
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIB79.tmp
Source: C:\Windows\System32\drvinst.exe | Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\SET1589.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8A8.tmp
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\SET1338.tmp
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\MirrorOpVirtualDisplay1_2.dll (copy)
Source: C:\Windows\System32\drvinst.exe | Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\SET15A9.tmp
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\MirrorOpVirtualDisplay1_0.dll (copy)
Source: C:\Windows\System32\drvinst.exe | Dropped PE file which has not been started: C:\Windows\System32\drivers\UMDF\MirrorOpVirtualDisplay1_2.dll (copy)
Source: C:\Windows\System32\drvinst.exe | Dropped PE file which has not been started: C:\Windows\System32\drivers\UMDF\SET2037.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\x86\MirrorOpVirtualDisplay1_2.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\amd64\MirrorOpVirtualDisplay1_2.dll
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\SET11D0.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\amd64\MirrorOpVirtualDisplay1_0.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\x86\MirrorOpVirtualDisplay1_0.dll
Source: C:\Windows\System32\drvinst.exe | Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\MirrorOpVirtualDisplay1_2.dll (copy)
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup32.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI3067.tmp
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Evasive API call chain: GetLocalTime,DecisionNodes graph_7-9195
Source: C:\Windows\System32\WUDFHost.exe | API coverage: 8.2 %
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe TID: 3192 | Thread sleep count: 4906 > 30
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe TID: 3192 | Thread sleep time: -2453000s >= -30000s
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe TID: 3192 | Thread sleep count: 5093 > 30
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe TID: 3192 | Thread sleep time: -2546500s >= -30000s
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe | Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Code function: 7_2_00007FF642E1F6F0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,7_2_00007FF642E1F6F0
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Code function: 7_2_00007FF642E11650 GetWindowsDirectoryW,GetLastError,PathAppendW,GetLastError,PathAppendW,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,FindClose,PathStripPathW,SetupUninstallOEMInfW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,7_2_00007FF642E11650
Source: C:\Windows\System32\drivers\WUDFRd.sys | System information queried: ModuleInformation
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Code function: 7_2_00007FF642E183BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF642E183BC
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Code function: 7_2_00007FF642E21CD8 GetProcessHeap,7_2_00007FF642E21CD8
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe"
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Code function: 7_2_00007FF642E14828 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF642E14828
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Code function: 7_2_00007FF642E150B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF642E150B8
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Code function: 7_2_00007FF642E1529C SetUnhandledExceptionFilter,7_2_00007FF642E1529C
Source: C:\Windows\System32\WUDFHost.exe | Code function: 13_2_00007FF8B90AC570 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_00007FF8B90AC570
Source: C:\Windows\System32\WUDFHost.exe | Code function: 13_2_00007FF8B90ABF64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_00007FF8B90ABF64
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe" install
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /F /IM clicksharelauncher.exe
Source: unknown | Process created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\mirroropdisplay.inf" "9" "4208fae43" "0000000000000154" "winsta0\default" "000000000000016c" "208" "c:\program files (x86)\barco\clickshare extension pack\extended desktop driver\iddcx"
Source: unknown | Process created: C:\Windows\System32\WUDFHost.exe "c:\windows\system32\wudfhost.exe" -hostguid:{193a1820-d9ac-4997-8c55-be817523f6aa} -ioeventportname:\umdfcommunicationports\wudf\hostprocess-35dc3092-997a-462b-8ee0-c4c46c580d41 -systemeventportname:\umdfcommunicationports\wudf\hostprocess-2348cb75-16eb-4e88-aea2-36cde2ec3571 -iocanceleventportname:\umdfcommunicationports\wudf\hostprocess-8f9a7ac6-e24f-4275-b4e5-c5e16ce5d6a7 -nonstatechangingeventportname:\umdfcommunicationports\wudf\hostprocess-34c938a5-6219-4a04-8fb5-f0a5c593a835 -lifetimeid:f1058ddd-615d-4a9e-a592-7cb571a1dced -devicegroupid:v3ddkindirectgroup -hostarg:0
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Code function: 7_2_00007FF642E28280 cpuid 7_2_00007FF642E28280
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe | Queries volume information: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\mirroropdisplay.cat VolumeInformation
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | Code function: 7_2_00007FF642E13F70 GetLocalTime,_invalid_parameter_noinfo_noreturn,7_2_00007FF642E13F70
Source: C:\Windows\System32\drvinst.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Replication Through Removable Media (1) | Windows Management Instrumentation (1) | LSASS Driver (2) | LSASS Driver (2) | Disable or Modify Tools (2) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Native API (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (1) | Windows Service (2) | Windows Service (2) | Obfuscated Files or Information (11) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Registry Run Keys / Startup Folder (2) | Process Injection (11) | Software Packing (1) | NTDS | System Information Discovery (36) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Registry Run Keys / Startup Folder (2) | DLL Side-Loading (1) | LSA Secrets | Query Registry (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Security Software Discovery (21) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (32) | DCSync | Virtualization/Sandbox Evasion (11) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (11) | Proc Filesystem | Process Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (11) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Behavior Graph (ID: 1427889; Sample: ClickShare-Extension-Pack-0...; Startdate: 18/04/2024; Architecture: WINDOWS; Score: 9)

  • msiexec.exe started; dropped C:\Windows\Installer\MSIB79.tmp (PE32+), C:\Windows\Installer\MSI8A8.tmp (PE32) and 8 other files (none is malicious); started MirrorOpSetup64.exe, msiexec.exe, clicksharelauncher.exe and msiexec.exe
  • drvinst.exe started; dropped C:\Windows\System32\...\SET15A9.tmp, C:\Windows\System32\...\SET1589.tmp, C:\...\MirrorOpVirtualDisplay1_2.dll (copy) and C:\...\MirrorOpVirtualDisplay1_0.dll (copy), all PE32+
  • drvinst.exe started; dropped C:\Windows\System32\drivers\...\SET2037.tmp and C:\...\MirrorOpVirtualDisplay1_2.dll (copy), both PE32+
  • 4 other processes started
  • MirrorOpSetup64.exe dropped C:\Users\user\AppData\Local\...\SET1338.tmp, C:\Users\user\AppData\Local\...\SET11D0.tmp, C:\...\MirrorOpVirtualDisplay1_2.dll (copy) and C:\...\MirrorOpVirtualDisplay1_0.dll (copy), all PE32+
  • msiexec.exe started taskkill.exe, which started conhost.exe

Source | ReversingLabs | Virustotal
ClickShare-Extension-Pack-01.01.02.0007.msi | 2% | 0%

Source | ReversingLabs | Virustotal
C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup32.exe | 0% | 0%
C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe | 0% | 0%
C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\amd64\MirrorOpVirtualDisplay1_0.dll | 0% | 0%
C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\amd64\MirrorOpVirtualDisplay1_2.dll | 0% | 0%
C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\x86\MirrorOpVirtualDisplay1_0.dll | 0% | 0%
C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\x86\MirrorOpVirtualDisplay1_2.dll | 0% | 0%
C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe | 0% | 0%
C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\MirrorOpVirtualDisplay1_0.dll (copy) | 0% | 0%
C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\MirrorOpVirtualDisplay1_2.dll (copy) | 0% | 0%
C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\SET11D0.tmp | 0% | 0%
C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\SET1338.tmp | 0% | 0%
C:\Windows\Installer\MSI3067.tmp | 0% | 0%
C:\Windows\Installer\MSI8A8.tmp | 0% | 0%
C:\Windows\Installer\MSIB79.tmp | 0% | 0%
C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\MirrorOpVirtualDisplay1_0.dll (copy) | 0% | 0%
C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\MirrorOpVirtualDisplay1_2.dll (copy) | 0% | 0%
C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\SET1589.tmp | 0% | 0%
C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\SET15A9.tmp | 0% | 0%
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner
http://dejavu-fonts.org/wiki/License | 0% | Virustotal
http://www.phreedom.org/md5)08:27 | 1% | Virustotal
http://www.phreedom.org/md5) | 1% | Virustotal
No contacted domains info
No contacted IP infos

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427889
Start date and time: 2024-04-18 10:07:32 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 17
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ClickShare-Extension-Pack-01.01.02.0007.msi
Detection: CLEAN
Classification: clean9.evad.winMSI@16/61@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 38
  • Number of non-executed functions: 48
Cookbook Comments:
  • Found application associated with file extension: .msi
  • Override analysis time to 240000 for current running targets taking high CPU consumption
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.

Time | Type | Description
10:09:08 | API Interceptor | 249701x Sleep call for process: clicksharelauncher.exe modified

No context

Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 11326
Entropy (8bit): 5.630180597742484
Encrypted: false
SSDEEP: 192:+FxFO1kzjlO3egiLUnEDcHEZclEruHV8NekiUMIAUM8dWlLqql3kQpneG:+RHgyQUYUTODJ
MD5: C24FBFCD6D6026360E6D1453A9BFE577
SHA1: E697846689D052AB626DD7952C98FC251B7F01FF
SHA-256: 6EA00D482233E6C6EB8DD938041FD389AF6F4C85EE62E1D874E4441A9FA33DFA
SHA-512: 675726CF7D49F5CD328DCD460AD6962C5F9EFF1EC3431EFFAD83B1A1A096271A287411DDA89424D36563EF0BE1674A2FBFB2FBA35AB5DC8622E2A4ACEBB99FE7
Malicious: false
Reputation: low

Process: C:\Windows\System32\msiexec.exe
File Type: Windows setup INFormation
Category: dropped
Size (bytes): 5109
Entropy (8bit): 5.594073955865938
Encrypted: false
SSDEEP: 96:KpHMiiUG3ZfB8hHKiysf/yeEhTUsysf/y4EhTk4y4f/y8ahTAE4kOa7CaZvg+k24:KGiiUGpfB8hHKmPcBQrE4wpvg6fsp
MD5: 242738D2DF9AAE17C1B6EAB1F53A9478
SHA1: 7D4AB52F126E0426DF6D731A78C6DD5A43EFA24C
SHA-256: 5911D736A39416C251B3E2AB3EABCDDD8BE3D72F56D3BC88EFC2E1618A40E820
SHA-512: 6586F59BDB9B4889DFDED009E89C9A76C03551A7FAD9003F4F6B414FB03A5C4D37132D87FFE24A26FB38895C3AAA8BBA92719C117F7DF5E59C2896BB45D28583
Malicious: false
Preview: ; MirrorOpDisplay.inf..; Copyright . 2019 MirrorOp;..; All rights reserved....[Version]..Signature="$Windows NT$"..Class=Display..ClassGuid={4d36e968-e325-11ce-bfc1-08002be10318}..ClassVer=2.0..Provider=%ManufacturerName%..CatalogFile=mirroropdisplay.cat..DriverVer = 06/14/2019,1.1.174.61....[ControlFlags]..ExcludeFromSelect =*....[DestinationDirs]..DefaultDestDir = 11..MirrorOp.DisplayUmd = 12,UMDF .; drivers\UMDF..MirrorOp.DisplayUmd.1.2= 12,UMDF .; drivers\UMDF....[Manufacturer]..%ManufacturerName%=Standard,NTx86,ntamd64,NTx86.10.0...16299,ntamd64.10.0...16299,NTx86.10.0...18277,ntamd64.10.0...18277....[Standard.NTx86]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NtAMD64]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NTx86.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.ntamd64.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Insta

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 153480
Entropy (8bit): 6.518659412329164
Encrypted: false
SSDEEP: 3072:wJWNGx3yjQrSJWZv7KePPhUebjfl+Utin46QIx88DTAAhdvH/+CIt:v2CjGS8vGexDbDtF6QIbAuHWCIt
MD5: B952D622BD6FA6B455307D676707DF81
SHA1: 5827D7D5ABCDE9D8846CCF596B0C208CBF28CF8B
SHA-256: BF7337E8ADF47FEDE690C5D202B07EE9C35BF3A94FB0F1AE3F6D9510187371A4
SHA-512: DD8793AFC0D5CF423F4FA2DD17775BC8411E2795CFA001186B520E3F2629DE314E7D3EA3A6641039B42CF439284DA912339F3E22F957C5B51E93B1106F0704CF
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):177544
                                                                                                    Entropy (8bit):6.232862089682279
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:LSfvwBxaIj5xMwcN0Ea9rRuaymHvQT4GqIxd+8A:mfvwHrfMP2EcrMdq8A
                                                                                                    MD5:28B07DC516BFC41A35A93DC1643E143F
                                                                                                    SHA1:E5BA40E5D75A9712CAC3D2B46D68B3596D91D69B
                                                                                                    SHA-256:096868681DBF7F7D9EF025C7B6802773AC336A843E0FD36EB17B00957936F1E1
                                                                                                    SHA-512:7F1B3A7D4EB238D206BB588E50173088220D621122F0A26FA499783F4C622EC9C05DAC629B6DB9A9476C30B2E350CB903F7C1E42C42813BEE0C3DCB0745D7843
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):103328
                                                                                                    Entropy (8bit):6.4451848631475315
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:qzJh4x1rUUSYbNgtob1zb0sYQBsoLGJ9HfXZeAW1CGGX63hrIZJC:q9h4x1YUJxnb1zb0sM9/XZnW1CRXGj
                                                                                                    MD5:63E01C3D6A55C079EB96A21E89486624
                                                                                                    SHA1:97D348E45C8AE32613970571006217CF1303FB93
                                                                                                    SHA-256:3F761DE45AEF3B9A002B5C66E3AB91BD09D1CD61AD8264A99873AD67A3BF96CA
                                                                                                    SHA-512:AB2C2B7A8DCBFB71F48BACB27AC04C41DFD9EB5EB9BCF452FCABB81364768D9BEF571C304AEB9D1369797BD333E953E6556FF3AB67FCAB44EE35C2BE207BFEDB
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):103328
                                                                                                    Entropy (8bit):6.446052780127672
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:q/KS4Jr/6/YTYwpNgtwagzSbKYQBNoLGt9HrYZeAW1ENGXlE3hHdZe:qiS4JrIYTfzPagzSbKL9LYZnW1EEX+C
                                                                                                    MD5:5AD7175FC00F8E1FB330795916061AD4
                                                                                                    SHA1:78531503D1EF24A71D8CF7D4C0B435F2EB2E138F
                                                                                                    SHA-256:48EC375A3C6B5EBC7129CFA7CF1DD624A041BA82DA033AB7CCAAFF5E6C7E622D
                                                                                                    SHA-512:8C6B4B7AE0204ACB926CEE629E9727FA7A22745D0BC6BCC99DEDBF0121729EE158703196DB5D56CE955CD2C7EF9FD0317E733DCCB564130856335D76DE25B131
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):12442
                                                                                                    Entropy (8bit):7.07480875540708
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:HT3xKnyJ31fmm++JCR9E7EwWZhYCWK7p1/Z09qnajlVE:z19a9Zh3/p1x09l/E
                                                                                                    MD5:22A18953B86C03F4D625E15350501D15
                                                                                                    SHA1:C0E0C223F79AA9C37C2A77EF1901331E409489FB
                                                                                                    SHA-256:A4808FE0F025BB6DFEA752CF6A28C0D7356909F316C9D44A05B5E47C96354294
                                                                                                    SHA-512:D4E89B87233DABF1F19AE8587A09E367CCCEB88EEB2E8BA78778195D10A1D6EB2A0C989B334338487863F9B8EBF2B62E531D6D1EB4BB5D70CE6124F296003DF4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):81824
                                                                                                    Entropy (8bit):6.804416120850024
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:yK5OMXREoQfdUFaG/FMTQwJtR5QVJlj3hs1ZNG:5QModjG/FMTQwJ1QVaRG
                                                                                                    MD5:102A690E42B89AEC429C04B20C1A47D7
                                                                                                    SHA1:55C95BCC2B152440973A672558F473CA4E65820B
                                                                                                    SHA-256:04E4F9B8B8ADEA673887696F74E8965BDEC1FB3D24F2525F8F0D9DCE8EA26714
                                                                                                    SHA-512:24B056A9D8DB0AF66385DB63EB5D64FDED80DDFBA13693BA1BF67D7227C00F147AC0B7AEAA05747D64452399AEBC1461F274483DE4526135D41C090156C4A492
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):81824
                                                                                                    Entropy (8bit):6.804651881704946
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:nK5OMXREoQfdUFavAF5Tmw+tR5QVJlqG3hxnLZF:KQModjvAF5Tmw+1QV2onr
                                                                                                    MD5:E6E306E178E2CEC426AA2282D3CECF26
                                                                                                    SHA1:A4264C01DAF22149DD53206F4EB64F83B582D6E6
                                                                                                    SHA-256:2EFF860B3599974FC546DACF4DEB4E33F18480E40219B19FAA65715D6EA52688
                                                                                                    SHA-512:C0307A537E739E2E50D7004AA2C8C06D9ED155740922C824A90BEE4FA63DA979C56AF6D12C145AC0F17AAA6C3D3C8117BA6A03FA4146162C06756158C711E071
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4887168
                                                                                                    Entropy (8bit):7.929521013654076
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:98304:QiZVZtpwcIUykw0B0dGiQiKW3bxx32PWSWuH9dZIMlZGF:lZVPWb0B0dGTiKGyxPIMl0F
                                                                                                    MD5:5EB03B6FF6643353FE82B59F8242F1BE
                                                                                                    SHA1:5C7FA78DF7942206C0A3220F6526C6173BEB04FF
                                                                                                    SHA-256:C3C30FB973C24E9697AA0CBAC056A34667576E118A6C2AAC20864E9AB86C8965
                                                                                                    SHA-512:907961E213C3046E840271C5C98607CE7F704BC36F3F67727736A78C5227F59FA8444427C662276FE3B7DB34C02F09D314B605E970D65701FB1B451F554C9752
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (2531), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):37081
                                                                                                    Entropy (8bit):4.545056211936547
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:00FZ14C6yjymNieGprocI8Nbhjf7S1bZJXYsbx+eUuQbN24HSYC:V/1hyGiXWcT7S1bHXYsbx+aQYj
                                                                                                    MD5:8DE264A33E259D341E7788D18B17BFD1
                                                                                                    SHA1:FCEEB916C2AD4F3D452B18E2F447ACEFEB7729A2
                                                                                                    SHA-256:D2498A7E74A677F1D490571DD916EF8C68906C1B30DADDA2C1A8EBDBC13C1A07
                                                                                                    SHA-512:7B37A4F6EE857F061C445EC507D0B3AC8CB3FE5A6D07C29AC8E1BDCD2C8FAE4E872EB6F3FA33F73D3E76CBFD25705A9FFCB2253A93412D2FF8088CC1329C73C4
                                                                                                    Malicious:false
                                                                                                    Preview:.Barco . ClickShare - End-User License Agreement (EULA / Software License)....PLEASE READ THIS DOCUMENT CAREFULLY BEFORE OPENING OR DOWNLOADING AND USING SOFTWARE OR HARDWARE PROVIDED TO YOU BY BARCO AS IT CONTAINS THE TERMS AND CONDITIONS BY WHICH BARCO OFFERS TO LICENSE THE SOFTWARE. BY OPENING THE SOFTWARE PACKAGE, OR USING THE HARDWARE IN WHICH THE SOFTWARE IS EMBEDDED, YOU AGREE TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT...The Software as supplied by BARCO is licensed, not sold to you, on a non-exclusive basis for use only under the terms of this license, and BARCO reserve all rights not expressly granted to you. You may own the carrier on which the Software is provided, but the Software is owned and copyrighted by BARCO or by third party suppliers. Your license confers no title or ownership and is not a sale of any rights in the Software or its documentation...By installing, executing and/or using the Software, either as initial version or as an upgrade, update, patch or
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Mon Dec 10 13:48:28 2018, mtime=Thu Apr 18 07:08:25 2024, atime=Mon Dec 10 13:48:28 2018, length=4887168, window=hide
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2410
                                                                                                    Entropy (8bit):3.7483846535883076
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:88FSdOHclEUgLLqWq9km2xA8esVskKdsLqWjgdsLqWo5GXkeS6WGXxKlUq:8B2UA+kmyeQTj7o5iW6K
                                                                                                    MD5:BCB67DB8742EC2D1585546D2C6583A48
                                                                                                    SHA1:8C8DB84F819B64D004A4BFDFD2BC1757B47DC371
                                                                                                    SHA-256:A1095BAC0324F61EADB0BC40C76363490C56AED9AE8A93BC1BC8339755865BB5
                                                                                                    SHA-512:0602A69E18B948E2CA85F158EF8B6DC3AC130B2BEC1FC33BD32DA8C31151F4B06DAF0F9DE7C9AEA6223E9EB47F4506433711374901A3A9DA8611492A45FF74FC
                                                                                                    Malicious:false
                                                                                                    Preview:L..................F.@.. .....3i.....2.g.....3i......J.....................g....P.O. .:i.....+00.../C:\.....................1......X.A..PROGRA~2.........O.I.X.A....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....P.1......X.A..Barco.<......X.A.X.A..............................B.a.r.c.o.....|.1......X.A..CLICKS~1..d......X.A.X.A...........................C..C.l.i.c.k.S.h.a.r.e. .E.x.t.e.n.s.i.o.n. .P.a.c.k.....Z.1......X.A..Launcher..B......X.A.X.A..............................L.a.u.n.c.h.e.r.....z.2...J..M.v .CLICKS~1.EXE..^......M.v.X.A....W.........................c.l.i.c.k.s.h.a.r.e.l.a.u.n.c.h.e.r...e.x.e.......................-...................;':......C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe....C.l.i.c.k.S.h.a.r.e. .L.a.u.n.c.h.e.r.h.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.a.r.c.o.\.C.l.i.c.k.S.h.a.r.e. .E.x.t.e.n.s.i.o.
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Mon Dec 10 13:48:28 2018, mtime=Thu Apr 18 07:08:32 2024, atime=Mon Dec 10 13:48:28 2018, length=4887168, window=hide
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2404
                                                                                                    Entropy (8bit):3.7502966302618503
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:8zZFSdOHclEUgLLqWqJm2xA8esVskDdsLqWjgdsLqWo5GXkeS6WGXxKlUq:8k2UAMmyeQgj7o5iW6K
                                                                                                    MD5:07E08FB0C3A8547FBF570F37F2263C30
                                                                                                    SHA1:86E3C65307D553622EAB9A388FEE286B35D38821
                                                                                                    SHA-256:BBDF7A02DDAD45DED7A0071D550DE5719E69B8A5418DA429B62CAF383E1932B7
                                                                                                    SHA-512:6236B00D0548A50C748FD89ACEB41EB80182F5A42737D64BC37CB6E3474A8B443F134B871D9E622E5ABF60EFDAAAF0569FD9B89C9EAD1402D8A7F51334FFB0F7
                                                                                                    Malicious:false
                                                                                                    Preview:L..................F.@.. .....3i.......g.....3i......J.....................g....P.O. .:i.....+00.../C:\.....................1......X.A..PROGRA~2.........O.I.X.A....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....P.1......X.A..Barco.<......X.A.X.A..............................B.a.r.c.o.....|.1......X.A..CLICKS~1..d......X.A.X.A...........................C..C.l.i.c.k.S.h.a.r.e. .E.x.t.e.n.s.i.o.n. .P.a.c.k.....Z.1......X.A..Launcher..B......X.A.X.A..............................L.a.u.n.c.h.e.r.....z.2...J..M.v .CLICKS~1.EXE..^......M.v.X.A....W.........................c.l.i.c.k.s.h.a.r.e.l.a.u.n.c.h.e.r...e.x.e.......................-...................;':......C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe....C.l.i.c.k.S.h.a.r.e. .L.a.u.n.c.h.e.r.e.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.a.r.c.o.\.C.l.i.c.k.S.h.a.r.e. .E.x.t.e.n.s.i.o.n. .P.
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1150
                                                                                                    Entropy (8bit):5.16834558827164
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Db4LfI0Zq2jxLpeD+hjpPTzLqTzDqK4skrxRqAfFqarTFqUjFqxYuGa:Da542lpeD8jp7gospAfMaHMIMxj
                                                                                                    MD5:5305A6C146D0856EF1082A954FA170F5
                                                                                                    SHA1:CC72107EA11D7E2AF2BCE5C1667000AB9F983151
                                                                                                    SHA-256:F43735F430D6372A1BB4587660DB24D43736DFE77F3A68AFA13DAD97D89CF188
                                                                                                    SHA-512:74E25EC96029F171511C0F4B4195FF4E6748D8A8E17A50EE08DBAFA42E0DF4FAA56101D8D4756317526E4B622C79E7F8360FFC3DBC86052BC8A0BBDFB88AE58A
                                                                                                    Malicious:false
                                                                                                    Preview:..====================================================..Call: 4/18/2024 10:8:26 Build: Jul 15 2019 16:37:52..DriverSetup _tmain: Installing device and driver.....DriverSetup _tmain: Uninstall previous device and driver first.....IDDSetupActions::Install Begin Install Process.....IDDSetupActions::PrivateInitializeGlobals: .. --MirrorOpDisplay.inf.. --Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001.. --{4D36E968-E325-11CE-BFC1-08002BE10318}.. --Display.. --C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpDisplay.inf..IDDDeviceInfoSet::CreateDeviceNode SetupDiCreateDeviceInfoList success..IDDDeviceInfoSet::CreateDeviceNode SetupDiCreateDeviceInfo success..IDDDeviceInfoSet::CreateDeviceNode SetupDiSetDeviceRegistryProperty success..IDDDeviceInfoSet::PrivateDetectDeviceNode SetupDiGetDeviceRegistryProperty failed -536870389..IDDDeviceInfoSet::CreateDeviceNode SetupDiCallClassInstaller success..IDDSetupActions::Install DeviceInfoSet.CreateDeviceN
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:Windows setup INFormation
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5109
                                                                                                    Entropy (8bit):5.594073955865938
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:KpHMiiUG3ZfB8hHKiysf/yeEhTUsysf/y4EhTk4y4f/y8ahTAE4kOa7CaZvg+k24:KGiiUGpfB8hHKmPcBQrE4wpvg6fsp
                                                                                                    MD5:242738D2DF9AAE17C1B6EAB1F53A9478
                                                                                                    SHA1:7D4AB52F126E0426DF6D731A78C6DD5A43EFA24C
                                                                                                    SHA-256:5911D736A39416C251B3E2AB3EABCDDD8BE3D72F56D3BC88EFC2E1618A40E820
                                                                                                    SHA-512:6586F59BDB9B4889DFDED009E89C9A76C03551A7FAD9003F4F6B414FB03A5C4D37132D87FFE24A26FB38895C3AAA8BBA92719C117F7DF5E59C2896BB45D28583
                                                                                                    Malicious:false
                                                                                                    Preview:; MirrorOpDisplay.inf..; Copyright . 2019 MirrorOp;..; All rights reserved....[Version]..Signature="$Windows NT$"..Class=Display..ClassGuid={4d36e968-e325-11ce-bfc1-08002be10318}..ClassVer=2.0..Provider=%ManufacturerName%..CatalogFile=mirroropdisplay.cat..DriverVer = 06/14/2019,1.1.174.61....[ControlFlags]..ExcludeFromSelect =*....[DestinationDirs]..DefaultDestDir = 11..MirrorOp.DisplayUmd = 12,UMDF .; drivers\UMDF..MirrorOp.DisplayUmd.1.2= 12,UMDF .; drivers\UMDF....[Manufacturer]..%ManufacturerName%=Standard,NTx86,ntamd64,NTx86.10.0...16299,ntamd64.10.0...16299,NTx86.10.0...18277,ntamd64.10.0...18277....[Standard.NTx86]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NtAMD64]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NTx86.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.ntamd64.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Insta
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):12442
                                                                                                    Entropy (8bit):7.07480875540708
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:HT3xKnyJ31fmm++JCR9E7EwWZhYCWK7p1/Z09qnajlVE:z19a9Zh3/p1x09l/E
                                                                                                    MD5:22A18953B86C03F4D625E15350501D15
                                                                                                    SHA1:C0E0C223F79AA9C37C2A77EF1901331E409489FB
                                                                                                    SHA-256:A4808FE0F025BB6DFEA752CF6A28C0D7356909F316C9D44A05B5E47C96354294
                                                                                                    SHA-512:D4E89B87233DABF1F19AE8587A09E367CCCEB88EEB2E8BA78778195D10A1D6EB2A0C989B334338487863F9B8EBF2B62E531D6D1EB4BB5D70CE6124F296003DF4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:Windows setup INFormation
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5109
                                                                                                    Entropy (8bit):5.594073955865938
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:KpHMiiUG3ZfB8hHKiysf/yeEhTUsysf/y4EhTk4y4f/y8ahTAE4kOa7CaZvg+k24:KGiiUGpfB8hHKmPcBQrE4wpvg6fsp
                                                                                                    MD5:242738D2DF9AAE17C1B6EAB1F53A9478
                                                                                                    SHA1:7D4AB52F126E0426DF6D731A78C6DD5A43EFA24C
                                                                                                    SHA-256:5911D736A39416C251B3E2AB3EABCDDD8BE3D72F56D3BC88EFC2E1618A40E820
                                                                                                    SHA-512:6586F59BDB9B4889DFDED009E89C9A76C03551A7FAD9003F4F6B414FB03A5C4D37132D87FFE24A26FB38895C3AAA8BBA92719C117F7DF5E59C2896BB45D28583
                                                                                                    Malicious:false
                                                                                                    Preview:; MirrorOpDisplay.inf..; Copyright . 2019 MirrorOp;..; All rights reserved....[Version]..Signature="$Windows NT$"..Class=Display..ClassGuid={4d36e968-e325-11ce-bfc1-08002be10318}..ClassVer=2.0..Provider=%ManufacturerName%..CatalogFile=mirroropdisplay.cat..DriverVer = 06/14/2019,1.1.174.61....[ControlFlags]..ExcludeFromSelect =*....[DestinationDirs]..DefaultDestDir = 11..MirrorOp.DisplayUmd = 12,UMDF .; drivers\UMDF..MirrorOp.DisplayUmd.1.2= 12,UMDF .; drivers\UMDF....[Manufacturer]..%ManufacturerName%=Standard,NTx86,ntamd64,NTx86.10.0...16299,ntamd64.10.0...16299,NTx86.10.0...18277,ntamd64.10.0...18277....[Standard.NTx86]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NtAMD64]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NTx86.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.ntamd64.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Insta
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:Windows setup INFormation
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5109
                                                                                                    Entropy (8bit):5.594073955865938
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:KpHMiiUG3ZfB8hHKiysf/yeEhTUsysf/y4EhTk4y4f/y8ahTAE4kOa7CaZvg+k24:KGiiUGpfB8hHKmPcBQrE4wpvg6fsp
                                                                                                    MD5:242738D2DF9AAE17C1B6EAB1F53A9478
                                                                                                    SHA1:7D4AB52F126E0426DF6D731A78C6DD5A43EFA24C
                                                                                                    SHA-256:5911D736A39416C251B3E2AB3EABCDDD8BE3D72F56D3BC88EFC2E1618A40E820
                                                                                                    SHA-512:6586F59BDB9B4889DFDED009E89C9A76C03551A7FAD9003F4F6B414FB03A5C4D37132D87FFE24A26FB38895C3AAA8BBA92719C117F7DF5E59C2896BB45D28583
                                                                                                    Malicious:false
                                                                                                    Preview:; MirrorOpDisplay.inf..; Copyright . 2019 MirrorOp;..; All rights reserved....[Version]..Signature="$Windows NT$"..Class=Display..ClassGuid={4d36e968-e325-11ce-bfc1-08002be10318}..ClassVer=2.0..Provider=%ManufacturerName%..CatalogFile=mirroropdisplay.cat..DriverVer = 06/14/2019,1.1.174.61....[ControlFlags]..ExcludeFromSelect =*....[DestinationDirs]..DefaultDestDir = 11..MirrorOp.DisplayUmd = 12,UMDF .; drivers\UMDF..MirrorOp.DisplayUmd.1.2= 12,UMDF .; drivers\UMDF....[Manufacturer]..%ManufacturerName%=Standard,NTx86,ntamd64,NTx86.10.0...16299,ntamd64.10.0...16299,NTx86.10.0...18277,ntamd64.10.0...18277....[Standard.NTx86]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NtAMD64]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NTx86.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.ntamd64.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Insta
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):103328
                                                                                                    Entropy (8bit):6.4451848631475315
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:qzJh4x1rUUSYbNgtob1zb0sYQBsoLGJ9HfXZeAW1CGGX63hrIZJC:q9h4x1YUJxnb1zb0sM9/XZnW1CRXGj
                                                                                                    MD5:63E01C3D6A55C079EB96A21E89486624
                                                                                                    SHA1:97D348E45C8AE32613970571006217CF1303FB93
                                                                                                    SHA-256:3F761DE45AEF3B9A002B5C66E3AB91BD09D1CD61AD8264A99873AD67A3BF96CA
                                                                                                    SHA-512:AB2C2B7A8DCBFB71F48BACB27AC04C41DFD9EB5EB9BCF452FCABB81364768D9BEF571C304AEB9D1369797BD333E953E6556FF3AB67FCAB44EE35C2BE207BFEDB
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):103328
                                                                                                    Entropy (8bit):6.446052780127672
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:q/KS4Jr/6/YTYwpNgtwagzSbKYQBNoLGt9HrYZeAW1ENGXlE3hHdZe:qiS4JrIYTfzPagzSbKL9LYZnW1EEX+C
                                                                                                    MD5:5AD7175FC00F8E1FB330795916061AD4
                                                                                                    SHA1:78531503D1EF24A71D8CF7D4C0B435F2EB2E138F
                                                                                                    SHA-256:48EC375A3C6B5EBC7129CFA7CF1DD624A041BA82DA033AB7CCAAFF5E6C7E622D
                                                                                                    SHA-512:8C6B4B7AE0204ACB926CEE629E9727FA7A22745D0BC6BCC99DEDBF0121729EE158703196DB5D56CE955CD2C7EF9FD0317E733DCCB564130856335D76DE25B131
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):103328
                                                                                                    Entropy (8bit):6.4451848631475315
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:qzJh4x1rUUSYbNgtob1zb0sYQBsoLGJ9HfXZeAW1CGGX63hrIZJC:q9h4x1YUJxnb1zb0sM9/XZnW1CRXGj
                                                                                                    MD5:63E01C3D6A55C079EB96A21E89486624
                                                                                                    SHA1:97D348E45C8AE32613970571006217CF1303FB93
                                                                                                    SHA-256:3F761DE45AEF3B9A002B5C66E3AB91BD09D1CD61AD8264A99873AD67A3BF96CA
                                                                                                    SHA-512:AB2C2B7A8DCBFB71F48BACB27AC04C41DFD9EB5EB9BCF452FCABB81364768D9BEF571C304AEB9D1369797BD333E953E6556FF3AB67FCAB44EE35C2BE207BFEDB
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):103328
                                                                                                    Entropy (8bit):6.446052780127672
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:q/KS4Jr/6/YTYwpNgtwagzSbKYQBNoLGt9HrYZeAW1ENGXlE3hHdZe:qiS4JrIYTfzPagzSbKL9LYZnW1EEX+C
                                                                                                    MD5:5AD7175FC00F8E1FB330795916061AD4
                                                                                                    SHA1:78531503D1EF24A71D8CF7D4C0B435F2EB2E138F
                                                                                                    SHA-256:48EC375A3C6B5EBC7129CFA7CF1DD624A041BA82DA033AB7CCAAFF5E6C7E622D
                                                                                                    SHA-512:8C6B4B7AE0204ACB926CEE629E9727FA7A22745D0BC6BCC99DEDBF0121729EE158703196DB5D56CE955CD2C7EF9FD0317E733DCCB564130856335D76DE25B131
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):12442
                                                                                                    Entropy (8bit):7.07480875540708
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:HT3xKnyJ31fmm++JCR9E7EwWZhYCWK7p1/Z09qnajlVE:z19a9Zh3/p1x09l/E
                                                                                                    MD5:22A18953B86C03F4D625E15350501D15
                                                                                                    SHA1:C0E0C223F79AA9C37C2A77EF1901331E409489FB
                                                                                                    SHA-256:A4808FE0F025BB6DFEA752CF6A28C0D7356909F316C9D44A05B5E47C96354294
                                                                                                    SHA-512:D4E89B87233DABF1F19AE8587A09E367CCCEB88EEB2E8BA78778195D10A1D6EB2A0C989B334338487863F9B8EBF2B62E531D6D1EB4BB5D70CE6124F296003DF4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:Windows setup INFormation
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5109
                                                                                                    Entropy (8bit):5.594073955865938
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:KpHMiiUG3ZfB8hHKiysf/yeEhTUsysf/y4EhTk4y4f/y8ahTAE4kOa7CaZvg+k24:KGiiUGpfB8hHKmPcBQrE4wpvg6fsp
                                                                                                    MD5:242738D2DF9AAE17C1B6EAB1F53A9478
                                                                                                    SHA1:7D4AB52F126E0426DF6D731A78C6DD5A43EFA24C
                                                                                                    SHA-256:5911D736A39416C251B3E2AB3EABCDDD8BE3D72F56D3BC88EFC2E1618A40E820
                                                                                                    SHA-512:6586F59BDB9B4889DFDED009E89C9A76C03551A7FAD9003F4F6B414FB03A5C4D37132D87FFE24A26FB38895C3AAA8BBA92719C117F7DF5E59C2896BB45D28583
                                                                                                    Malicious:false
                                                                                                    Preview:; MirrorOpDisplay.inf..; Copyright . 2019 MirrorOp;..; All rights reserved....[Version]..Signature="$Windows NT$"..Class=Display..ClassGuid={4d36e968-e325-11ce-bfc1-08002be10318}..ClassVer=2.0..Provider=%ManufacturerName%..CatalogFile=mirroropdisplay.cat..DriverVer = 06/14/2019,1.1.174.61....[ControlFlags]..ExcludeFromSelect =*....[DestinationDirs]..DefaultDestDir = 11..MirrorOp.DisplayUmd = 12,UMDF .; drivers\UMDF..MirrorOp.DisplayUmd.1.2= 12,UMDF .; drivers\UMDF....[Manufacturer]..%ManufacturerName%=Standard,NTx86,ntamd64,NTx86.10.0...16299,ntamd64.10.0...16299,NTx86.10.0...18277,ntamd64.10.0...18277....[Standard.NTx86]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NtAMD64]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NTx86.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.ntamd64.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Insta
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x15b8 "Signature", at 0x68 WinDirPath, LanguageID 809, at 0x80 language en-GB
                                                                                                    Category:dropped
                                                                                                    Size (bytes):8660
                                                                                                    Entropy (8bit):3.3733007089209863
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:66BcwTdCMNyLNfWdlapY4VfOrtlBARv7Li+XT7+uZt/Y0BnuOTITdE7VGpR2bQjN:67wQMYBfeaOBA9LjXvZ1NnuT6u
                                                                                                    MD5:A35E461187397BC21D7B1FFBC425EB69
                                                                                                    SHA1:1F8AF576F211C42C237324A7C04D5BE9DA89C39C
                                                                                                    SHA-256:0474A97D51D62B4FE7BCBAEFBDE58C25590C088CC25C93735126F98039C2C0D5
                                                                                                    SHA-512:1F37125FBBDB18D5088409AA083840C9EEFF4B9318466E7B6B2F54245FBB6FB24497E31369A7A112BD0B7FF8592E4B0551CF3F30EA7D99F969B2CB135BF13CD4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\drvinst.exe
                                                                                                    File Type:Windows setup INFormation
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5109
                                                                                                    Entropy (8bit):5.594073955865938
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:KpHMiiUG3ZfB8hHKiysf/yeEhTUsysf/y4EhTk4y4f/y8ahTAE4kOa7CaZvg+k24:KGiiUGpfB8hHKmPcBQrE4wpvg6fsp
                                                                                                    MD5:242738D2DF9AAE17C1B6EAB1F53A9478
                                                                                                    SHA1:7D4AB52F126E0426DF6D731A78C6DD5A43EFA24C
                                                                                                    SHA-256:5911D736A39416C251B3E2AB3EABCDDD8BE3D72F56D3BC88EFC2E1618A40E820
                                                                                                    SHA-512:6586F59BDB9B4889DFDED009E89C9A76C03551A7FAD9003F4F6B414FB03A5C4D37132D87FFE24A26FB38895C3AAA8BBA92719C117F7DF5E59C2896BB45D28583
                                                                                                    Malicious:false
                                                                                                    Preview:; MirrorOpDisplay.inf..; Copyright . 2019 MirrorOp;..; All rights reserved....[Version]..Signature="$Windows NT$"..Class=Display..ClassGuid={4d36e968-e325-11ce-bfc1-08002be10318}..ClassVer=2.0..Provider=%ManufacturerName%..CatalogFile=mirroropdisplay.cat..DriverVer = 06/14/2019,1.1.174.61....[ControlFlags]..ExcludeFromSelect =*....[DestinationDirs]..DefaultDestDir = 11..MirrorOp.DisplayUmd = 12,UMDF .; drivers\UMDF..MirrorOp.DisplayUmd.1.2= 12,UMDF .; drivers\UMDF....[Manufacturer]..%ManufacturerName%=Standard,NTx86,ntamd64,NTx86.10.0...16299,ntamd64.10.0...16299,NTx86.10.0...18277,ntamd64.10.0...18277....[Standard.NTx86]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NtAMD64]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NTx86.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.ntamd64.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Insta
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:Generic INItialization configuration [BeginLog]
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60966
                                                                                                    Entropy (8bit):5.229905748890013
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:Own95cdyYloiwTyz25ZSGjaFLq+ueIXAVJ:O+5cdyeoiwGeZSGjaFLq+ueIXAVJ
                                                                                                    MD5:ADA2C2FCB9A93F63E633A095F3222436
                                                                                                    SHA1:7E365A71AA093CAA5C7153D34B8DBD0F6EEDABAB
                                                                                                    SHA-256:9784B4A538A20306DF9A7FDDAA0C242F5DC63EA19BBDE060AB94B3F8E0E747F1
                                                                                                    SHA-512:86127661EDF817B749F004EC96342AB2485D5E0B429826D8C40558F2601711BB2DC8D919525881DEF1DD3940274836AA6F61CE13B4261C3628773CC8D1BF29F1
                                                                                                    Malicious:false
                                                                                                    Preview:[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: ClickShare Extension Pack, Author: Barco N.V., Keywords: Installer, Comments: Windows Installer Package, Template: Intel;1033, Revision Number: {A1C10D50-773A-4B79-B97F-11DA2C6B622E}, Create Time/Date: Mon Jul 15 15:43:38 2019, Last Saved Time/Date: Mon Jul 15 15:43:38 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
                                                                                                    Category:dropped
                                                                                                    Size (bytes):7888896
                                                                                                    Entropy (8bit):7.624749083431013
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:196608:OTjSFFYWNrtEPCSnsP9WYhaVVbm2zGRS3i8ODftvhN0:hFYWYB6vhMhmo3i8e1vhm
                                                                                                    MD5:56D913EBBE38AB3A7F48ABE1A3E9DAA6
                                                                                                    SHA1:FB6518265932A3D810183F3A6E6A0FDE14A2B66E
                                                                                                    SHA-256:26F4DC0F8CCEDC064AEA7FDA31A2A8BEC32CF7B646FA044CBFDD352F559764E0
                                                                                                    SHA-512:BFA5D4AE17E9B68D479F8B026A64AC20AD1BCF876ED6D8EDE1EBD846F6A3552A6753C85E6C5BED80374A4254B2D57E84148224E7B55352CC3E0223B57AE3030E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: ClickShare Extension Pack, Author: Barco N.V., Keywords: Installer, Comments: Windows Installer Package, Template: Intel;1033, Revision Number: {A1C10D50-773A-4B79-B97F-11DA2C6B622E}, Create Time/Date: Mon Jul 15 15:43:38 2019, Last Saved Time/Date: Mon Jul 15 15:43:38 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
                                                                                                    Category:dropped
                                                                                                    Size (bytes):7888896
                                                                                                    Entropy (8bit):7.624749083431013
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:196608:OTjSFFYWNrtEPCSnsP9WYhaVVbm2zGRS3i8ODftvhN0:hFYWYB6vhMhmo3i8e1vhm
                                                                                                    MD5:56D913EBBE38AB3A7F48ABE1A3E9DAA6
                                                                                                    SHA1:FB6518265932A3D810183F3A6E6A0FDE14A2B66E
                                                                                                    SHA-256:26F4DC0F8CCEDC064AEA7FDA31A2A8BEC32CF7B646FA044CBFDD352F559764E0
                                                                                                    SHA-512:BFA5D4AE17E9B68D479F8B026A64AC20AD1BCF876ED6D8EDE1EBD846F6A3552A6753C85E6C5BED80374A4254B2D57E84148224E7B55352CC3E0223B57AE3030E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:modified
                                                                                                    Size (bytes):153080
                                                                                                    Entropy (8bit):5.668024240883533
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:rfmUZkq40ok1KA+2LSQa/967K4AcIaWHTnYzMgYesp0Ccaw:rfmekqAA+2RTCcZ
                                                                                                    MD5:418322F7BE2B68E88A93A048AC75A757
                                                                                                    SHA1:09739792FF1C30F73DACAFBE503630615922B561
                                                                                                    SHA-256:EA5D4B4C7E7BE1CE24A614AE1E31A58BCAE6F1694DD8BFB735CF47D35A08D59B
                                                                                                    SHA-512:253F62F5CE75DF3E9AC3C62E2F06F30C7C6DE6280FBFC830CDD15BF29CB8EE9ED878212F6DF5D0AC6A5C9BE0E6259F900ECCEE472A890F15DD3FF1F84958AEEF
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):207360
                                                                                                    Entropy (8bit):6.574209364487876
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:r65Z1YCHGiZXOVneG/kdvLdzusAatnw1lflQnB+QDO1Q+cxbVeFT:r657r+0G/kvzoaBcHLnN
                                                                                                    MD5:D773D9BD091E712DF7560F576DA53DE8
                                                                                                    SHA1:165CFBDCE1811883360112441F7237B287CF0691
                                                                                                    SHA-256:E0DB1804CF53ED4819ED70CB35C67680CE1A77573EFDED86E6DAC81010CE55E7
                                                                                                    SHA-512:15A956090F8756A6BFDBE191FDA36739B1107EADA62C6CD3058218BEB417BDBD2EA82BE9B055F7F6EB8017394B330DAFF2E9824DBC9C4F137BEAD8E2AC0574CD
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):123362
                                                                                                    Entropy (8bit):7.787330506251851
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:1VwByHA2QuLaXyTK1A8DI6ek5zcXnFj9ejKn3:1Vzg2RLaJ1JIjSUFBeK
                                                                                                    MD5:5B85527C7602342151F6522B2227A518
                                                                                                    SHA1:72B768A2DF553F48F1565C222C3D3233A522E5CE
                                                                                                    SHA-256:5E93BF8682191E8DC561B39AFBD3C2EF841F82A2706A6A72DEAB2772B75E2322
                                                                                                    SHA-512:9527994943D589B8855D81EF68E4A5AD69D47B9FC3FEAF81843CAEE8AAAC2E60188A0CC5105D86AFBDB1E9F20673AEA37B0366531A249665CAF34214251F0DFF
                                                                                                    Malicious:false
                                                                                                    Preview:...@IXOS.@.....@.Q.X.@.....@.....@.....@.....@.....@......&.{AA1F9CF3-F74D-4EBD-82DA-12D07064FA5C}..ClickShare Extension Pack+.ClickShare-Extension-Pack-01.01.02.0007.msi.@.....@.....@.....@......icon.ico..&.{A1C10D50-773A-4B79-B97F-11DA2C6B622E}.....@.....@.....@.....@.......@.....@.....@.......@......ClickShare Extension Pack......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B409F5AC-ACA6-4026-9151-F60B697FEAD4}&.{AA1F9CF3-F74D-4EBD-82DA-12D07064FA5C}..&.{B409F5AC-ACA6-4026-9151-F60B697FEAD4}...@.....@......&.{0F52C4B8-B1E3-4273-ABC3-0ECE3FF627C8}&.{AA1F9CF3-F74D-4EBD-82DA-12D07064FA5C}..&.{0F52C4B8-B1E3-4273-ABC3-0ECE3FF627C8}...@.....@......&.{53352481-1087-4393-B099-991BE47AB769}&.{AA1F9CF3-F74D-4EBD-82DA-12D07064FA5C}..&.{53352481-1087-4393-B099-991BE47AB769}...@.....@......&.{70D78331-94B7-4FCC-960A-993D5BB73A2D}&.{AA1F9CF3-F74D-4EBD-82DA-12D070
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):153080
                                                                                                    Entropy (8bit):5.668024240883533
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:rfmUZkq40ok1KA+2LSQa/967K4AcIaWHTnYzMgYesp0Ccaw:rfmekqAA+2RTCcZ
                                                                                                    MD5:418322F7BE2B68E88A93A048AC75A757
                                                                                                    SHA1:09739792FF1C30F73DACAFBE503630615922B561
                                                                                                    SHA-256:EA5D4B4C7E7BE1CE24A614AE1E31A58BCAE6F1694DD8BFB735CF47D35A08D59B
                                                                                                    SHA-512:253F62F5CE75DF3E9AC3C62E2F06F30C7C6DE6280FBFC830CDD15BF29CB8EE9ED878212F6DF5D0AC6A5C9BE0E6259F900ECCEE472A890F15DD3FF1F84958AEEF
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):20480
                                                                                                    Entropy (8bit):1.1808961097521928
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:JSbX72FjQliAGiLIlHVRpGh/7777777777777777777777777vDHFWT7eOhr9l0G:JRQI5+W7eOOF
                                                                                                    MD5:0D404D57418B77997553904D5D3AB137
                                                                                                    SHA1:8129BDAC7D9FAD3D51C53EAB06E50C65329B24BD
                                                                                                    SHA-256:65A497FD6ECAD150E92658498EE79C58ACA400C1D6825AE97F41670544AE5B3A
                                                                                                    SHA-512:73CB96D1BB9259E71218A8BD10420A9DCC7B1DE0477669EB86E96B5AB314B4569A724AE6250C56ECDE993B708FD3B9D9515ADE4C4E0E6DF36A1F2ED8C35433E5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):20480
                                                                                                    Entropy (8bit):1.5282473903519844
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:+8Phj7uRc06WX44FT5TSZqNLVP8hgSoedbgrzStedFmOdOD1LqWD:xhj71IFTFSmLVP8hgDno5
                                                                                                    MD5:021E6DE7D4E2EB5E7AEBC02287943338
                                                                                                    SHA1:0276B02030D55F55191FC84CF808A0B3E5FBD682
                                                                                                    SHA-256:FA2CC40E72A072EF2E9CB70041DD875C017064BA15AFFFC549E9B745F1139CD6
                                                                                                    SHA-512:33677395EA93A4DB37DECB11FA09EDCFC63A302AE7F85D9A7B4911F6D6FA589A4C78A61BB985BC641B844C4ECE65CB064FD6DE34C79366334219A5E9A50B8648
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:MS Windows icon resource - 12 icons, 32x32, 16 colors, 4 bits/pixel, 24x24, 16 colors, 4 bits/pixel
                                                                                                    Category:dropped
                                                                                                    Size (bytes):115749
                                                                                                    Entropy (8bit):7.799573915161076
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:YwByHA2QuLaXyTK1A8DI6ek5zcXnFj9ejKns:Yzg2RLaJ1JIjSUFBeX
                                                                                                    MD5:D6115A0F637157C4A81A7186E4345A1E
                                                                                                    SHA1:17CEA8436A983AB5704C550E0B04868F117FECD9
                                                                                                    SHA-256:F3BBB3F5FDFF4CA7B273CF42A388DE6C909F233124A146EFC879E7F3C8A08D78
                                                                                                    SHA-512:5C004D188E21E8E854966E112FF2AE7C2776BB65752CF7137827B761FFC93E8298171543A3DB7A551446A3697C71ED9621B1069D3EEDAD09FAF0A295575B40A3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):364484
                                                                                                    Entropy (8bit):5.365493797742408
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaue:zTtbmkExhMJCIpEJ
                                                                                                    MD5:D5DFA092FBEFA60E56A68B5DEBABE331
                                                                                                    SHA1:194D5A9D5FDEC47008198EEC9968D90E2E8ACFAC
                                                                                                    SHA-256:E0E1EAA06ADA454CAC8508A7775159107650D910036345159278E9D2BA4F7209
                                                                                                    SHA-512:510B21054497665FDB8F85348377D6E10672B6F17ACA48097FB12CF0C30320D2DCAB6008A79D7E8222F0425F1DB178C8EDB35CAC1AB3677BA5F31850D11174D5
                                                                                                    Malicious:false
                                                                                                    Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                    Process:C:\Windows\System32\drvinst.exe
                                                                                                    File Type:Windows setup INFormation
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5109
                                                                                                    Entropy (8bit):5.594073955865938
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:KpHMiiUG3ZfB8hHKiysf/yeEhTUsysf/y4EhTk4y4f/y8ahTAE4kOa7CaZvg+k24:KGiiUGpfB8hHKmPcBQrE4wpvg6fsp
                                                                                                    MD5:242738D2DF9AAE17C1B6EAB1F53A9478
                                                                                                    SHA1:7D4AB52F126E0426DF6D731A78C6DD5A43EFA24C
                                                                                                    SHA-256:5911D736A39416C251B3E2AB3EABCDDD8BE3D72F56D3BC88EFC2E1618A40E820
                                                                                                    SHA-512:6586F59BDB9B4889DFDED009E89C9A76C03551A7FAD9003F4F6B414FB03A5C4D37132D87FFE24A26FB38895C3AAA8BBA92719C117F7DF5E59C2896BB45D28583
                                                                                                    Malicious:false
                                                                                                    Preview:; MirrorOpDisplay.inf..; Copyright . 2019 MirrorOp;..; All rights reserved....[Version]..Signature="$Windows NT$"..Class=Display..ClassGuid={4d36e968-e325-11ce-bfc1-08002be10318}..ClassVer=2.0..Provider=%ManufacturerName%..CatalogFile=mirroropdisplay.cat..DriverVer = 06/14/2019,1.1.174.61....[ControlFlags]..ExcludeFromSelect =*....[DestinationDirs]..DefaultDestDir = 11..MirrorOp.DisplayUmd = 12,UMDF .; drivers\UMDF..MirrorOp.DisplayUmd.1.2= 12,UMDF .; drivers\UMDF....[Manufacturer]..%ManufacturerName%=Standard,NTx86,ntamd64,NTx86.10.0...16299,ntamd64.10.0...16299,NTx86.10.0...18277,ntamd64.10.0...18277....[Standard.NTx86]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NtAMD64]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NTx86.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.ntamd64.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Insta
                                                                                                    Process:C:\Windows\System32\drvinst.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):12442
                                                                                                    Entropy (8bit):7.07480875540708
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:HT3xKnyJ31fmm++JCR9E7EwWZhYCWK7p1/Z09qnajlVE:z19a9Zh3/p1x09l/E
                                                                                                    MD5:22A18953B86C03F4D625E15350501D15
                                                                                                    SHA1:C0E0C223F79AA9C37C2A77EF1901331E409489FB
                                                                                                    SHA-256:A4808FE0F025BB6DFEA752CF6A28C0D7356909F316C9D44A05B5E47C96354294
                                                                                                    SHA-512:D4E89B87233DABF1F19AE8587A09E367CCCEB88EEB2E8BA78778195D10A1D6EB2A0C989B334338487863F9B8EBF2B62E531D6D1EB4BB5D70CE6124F296003DF4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\drvinst.exe
                                                                                                    File Type:Windows setup INFormation
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5109
                                                                                                    Entropy (8bit):5.594073955865938
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:KpHMiiUG3ZfB8hHKiysf/yeEhTUsysf/y4EhTk4y4f/y8ahTAE4kOa7CaZvg+k24:KGiiUGpfB8hHKmPcBQrE4wpvg6fsp
                                                                                                    MD5:242738D2DF9AAE17C1B6EAB1F53A9478
                                                                                                    SHA1:7D4AB52F126E0426DF6D731A78C6DD5A43EFA24C
                                                                                                    SHA-256:5911D736A39416C251B3E2AB3EABCDDD8BE3D72F56D3BC88EFC2E1618A40E820
                                                                                                    SHA-512:6586F59BDB9B4889DFDED009E89C9A76C03551A7FAD9003F4F6B414FB03A5C4D37132D87FFE24A26FB38895C3AAA8BBA92719C117F7DF5E59C2896BB45D28583
                                                                                                    Malicious:false
                                                                                                    Preview:; MirrorOpDisplay.inf..; Copyright . 2019 MirrorOp;..; All rights reserved....[Version]..Signature="$Windows NT$"..Class=Display..ClassGuid={4d36e968-e325-11ce-bfc1-08002be10318}..ClassVer=2.0..Provider=%ManufacturerName%..CatalogFile=mirroropdisplay.cat..DriverVer = 06/14/2019,1.1.174.61....[ControlFlags]..ExcludeFromSelect =*....[DestinationDirs]..DefaultDestDir = 11..MirrorOp.DisplayUmd = 12,UMDF .; drivers\UMDF..MirrorOp.DisplayUmd.1.2= 12,UMDF .; drivers\UMDF....[Manufacturer]..%ManufacturerName%=Standard,NTx86,ntamd64,NTx86.10.0...16299,ntamd64.10.0...16299,NTx86.10.0...18277,ntamd64.10.0...18277....[Standard.NTx86]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NtAMD64]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NTx86.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.ntamd64.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Insta
                                                                                                    Process:C:\Windows\System32\drvinst.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):103328
                                                                                                    Entropy (8bit):6.4451848631475315
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:qzJh4x1rUUSYbNgtob1zb0sYQBsoLGJ9HfXZeAW1CGGX63hrIZJC:q9h4x1YUJxnb1zb0sM9/XZnW1CRXGj
                                                                                                    MD5:63E01C3D6A55C079EB96A21E89486624
                                                                                                    SHA1:97D348E45C8AE32613970571006217CF1303FB93
                                                                                                    SHA-256:3F761DE45AEF3B9A002B5C66E3AB91BD09D1CD61AD8264A99873AD67A3BF96CA
                                                                                                    SHA-512:AB2C2B7A8DCBFB71F48BACB27AC04C41DFD9EB5EB9BCF452FCABB81364768D9BEF571C304AEB9D1369797BD333E953E6556FF3AB67FCAB44EE35C2BE207BFEDB
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%
                                                                                                    Process:C:\Windows\System32\drvinst.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):103328
                                                                                                    Entropy (8bit):6.446052780127672
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:q/KS4Jr/6/YTYwpNgtwagzSbKYQBNoLGt9HrYZeAW1ENGXlE3hHdZe:qiS4JrIYTfzPagzSbKL9LYZnW1EEX+C
                                                                                                    MD5:5AD7175FC00F8E1FB330795916061AD4
                                                                                                    SHA1:78531503D1EF24A71D8CF7D4C0B435F2EB2E138F
                                                                                                    SHA-256:48EC375A3C6B5EBC7129CFA7CF1DD624A041BA82DA033AB7CCAAFF5E6C7E622D
                                                                                                    SHA-512:8C6B4B7AE0204ACB926CEE629E9727FA7A22745D0BC6BCC99DEDBF0121729EE158703196DB5D56CE955CD2C7EF9FD0317E733DCCB564130856335D76DE25B131
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%
                                                                                                    Process:C:\Windows\System32\drvinst.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):103328
                                                                                                    Entropy (8bit):6.4451848631475315
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:qzJh4x1rUUSYbNgtob1zb0sYQBsoLGJ9HfXZeAW1CGGX63hrIZJC:q9h4x1YUJxnb1zb0sM9/XZnW1CRXGj
                                                                                                    MD5:63E01C3D6A55C079EB96A21E89486624
                                                                                                    SHA1:97D348E45C8AE32613970571006217CF1303FB93
                                                                                                    SHA-256:3F761DE45AEF3B9A002B5C66E3AB91BD09D1CD61AD8264A99873AD67A3BF96CA
                                                                                                    SHA-512:AB2C2B7A8DCBFB71F48BACB27AC04C41DFD9EB5EB9BCF452FCABB81364768D9BEF571C304AEB9D1369797BD333E953E6556FF3AB67FCAB44EE35C2BE207BFEDB
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%
                                                                                                    Process:C:\Windows\System32\drvinst.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):103328
                                                                                                    Entropy (8bit):6.446052780127672
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:q/KS4Jr/6/YTYwpNgtwagzSbKYQBNoLGt9HrYZeAW1ENGXlE3hHdZe:qiS4JrIYTfzPagzSbKL9LYZnW1EEX+C
                                                                                                    MD5:5AD7175FC00F8E1FB330795916061AD4
                                                                                                    SHA1:78531503D1EF24A71D8CF7D4C0B435F2EB2E138F
                                                                                                    SHA-256:48EC375A3C6B5EBC7129CFA7CF1DD624A041BA82DA033AB7CCAAFF5E6C7E622D
                                                                                                    SHA-512:8C6B4B7AE0204ACB926CEE629E9727FA7A22745D0BC6BCC99DEDBF0121729EE158703196DB5D56CE955CD2C7EF9FD0317E733DCCB564130856335D76DE25B131
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                    Process:C:\Windows\System32\drvinst.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):12442
                                                                                                    Entropy (8bit):7.07480875540708
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:HT3xKnyJ31fmm++JCR9E7EwWZhYCWK7p1/Z09qnajlVE:z19a9Zh3/p1x09l/E
                                                                                                    MD5:22A18953B86C03F4D625E15350501D15
                                                                                                    SHA1:C0E0C223F79AA9C37C2A77EF1901331E409489FB
                                                                                                    SHA-256:A4808FE0F025BB6DFEA752CF6A28C0D7356909F316C9D44A05B5E47C96354294
                                                                                                    SHA-512:D4E89B87233DABF1F19AE8587A09E367CCCEB88EEB2E8BA78778195D10A1D6EB2A0C989B334338487863F9B8EBF2B62E531D6D1EB4BB5D70CE6124F296003DF4
                                                                                                    Malicious:false
                                                                                                    Preview:0.0...*.H........0.0.0....1.0...`.H.e......0.....+.....7......0...0...+.....7.....i.3A..7E."..J....190614082119Z0...+.....7.....0...0.... Y..6....Q..>...../V.....a.@. 1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(m.i.r.r.o.r.o.p.d.i.s.p.l.a.y...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... Y..6....Q..>...../V.....a.@. 0....g..m.........Z..Q.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0^..+.....7...1P0N...F.i.l.e.......<m.i.r.r.o.r.o.p.v.i.r.t.u.a.l.d.i.s.p.l.a.y.1._.0...d.l.l...0..-. w..ci.rlF...m.........1.>.l.&V.1...0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... w..ci.rlF...m.........1.>.l.&V.0^..+.....7...1P0N...F.i.l.e.......<m.i.r.r.o.r.o.p.v.i.r.t.u.a.l.d.i.s.p.l.a.y.1._.0...d.l.l...0....}J./.n.&.ms.x..ZC.L1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.
                                                                                                    Process:C:\Windows\System32\drvinst.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:modified
                                                                                                    Size (bytes):3475
                                                                                                    Entropy (8bit):5.366043270259199
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:QO00eO00erMwUgWUg0B1kE3ZhpJp8ZpkRepk3YpgpNM:QO00eO00erMwmkB1kAW
                                                                                                    MD5:B502F057C0DCE81308B11D465B20FB0E
                                                                                                    SHA1:382493BF610585F8B0C88FF5B8D2311BADC63CA8
                                                                                                    SHA-256:71F53FD87B306BA6E618B418F0BC73AE537DFF6154F8D06A50554C02379DD6F8
                                                                                                    SHA-512:66CE513E61897C16F032F6461B999BBEBE0871753C8E7D658F9F0B0256BB644EDCDA48D533995174250A26FBCE2FEBA5C415FA910F1755B4BF13402E200B5A89
                                                                                                    Malicious:false
                                                                                                    Preview:CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta
                                                                                                    Process:C:\Windows\System32\drvinst.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):103328
                                                                                                    Entropy (8bit):6.446052780127672
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:q/KS4Jr/6/YTYwpNgtwagzSbKYQBNoLGt9HrYZeAW1ENGXlE3hHdZe:qiS4JrIYTfzPagzSbKL9LYZnW1EEX+C
                                                                                                    MD5:5AD7175FC00F8E1FB330795916061AD4
                                                                                                    SHA1:78531503D1EF24A71D8CF7D4C0B435F2EB2E138F
                                                                                                    SHA-256:48EC375A3C6B5EBC7129CFA7CF1DD624A041BA82DA033AB7CCAAFF5E6C7E622D
                                                                                                    SHA-512:8C6B4B7AE0204ACB926CEE629E9727FA7A22745D0BC6BCC99DEDBF0121729EE158703196DB5D56CE955CD2C7EF9FD0317E733DCCB564130856335D76DE25B131
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\drvinst.exe
                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):103328
                                                                                                    Entropy (8bit):6.446052780127672
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:q/KS4Jr/6/YTYwpNgtwagzSbKYQBNoLGt9HrYZeAW1ENGXlE3hHdZe:qiS4JrIYTfzPagzSbKL9LYZnW1EEX+C
                                                                                                    MD5:5AD7175FC00F8E1FB330795916061AD4
                                                                                                    SHA1:78531503D1EF24A71D8CF7D4C0B435F2EB2E138F
                                                                                                    SHA-256:48EC375A3C6B5EBC7129CFA7CF1DD624A041BA82DA033AB7CCAAFF5E6C7E622D
                                                                                                    SHA-512:8C6B4B7AE0204ACB926CEE629E9727FA7A22745D0BC6BCC99DEDBF0121729EE158703196DB5D56CE955CD2C7EF9FD0317E733DCCB564130856335D76DE25B131
                                                                                                    Malicious:false
                                                                                                    Process:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    File Type:Windows setup INFormation
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5109
                                                                                                    Entropy (8bit):5.594073955865938
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:KpHMiiUG3ZfB8hHKiysf/yeEhTUsysf/y4EhTk4y4f/y8ahTAE4kOa7CaZvg+k24:KGiiUGpfB8hHKmPcBQrE4wpvg6fsp
                                                                                                    MD5:242738D2DF9AAE17C1B6EAB1F53A9478
                                                                                                    SHA1:7D4AB52F126E0426DF6D731A78C6DD5A43EFA24C
                                                                                                    SHA-256:5911D736A39416C251B3E2AB3EABCDDD8BE3D72F56D3BC88EFC2E1618A40E820
                                                                                                    SHA-512:6586F59BDB9B4889DFDED009E89C9A76C03551A7FAD9003F4F6B414FB03A5C4D37132D87FFE24A26FB38895C3AAA8BBA92719C117F7DF5E59C2896BB45D28583
                                                                                                    Malicious:false
                                                                                                    Preview:; MirrorOpDisplay.inf..; Copyright . 2019 MirrorOp;..; All rights reserved....[Version]..Signature="$Windows NT$"..Class=Display..ClassGuid={4d36e968-e325-11ce-bfc1-08002be10318}..ClassVer=2.0..Provider=%ManufacturerName%..CatalogFile=mirroropdisplay.cat..DriverVer = 06/14/2019,1.1.174.61....[ControlFlags]..ExcludeFromSelect =*....[DestinationDirs]..DefaultDestDir = 11..MirrorOp.DisplayUmd = 12,UMDF .; drivers\UMDF..MirrorOp.DisplayUmd.1.2= 12,UMDF .; drivers\UMDF....[Manufacturer]..%ManufacturerName%=Standard,NTx86,ntamd64,NTx86.10.0...16299,ntamd64.10.0...16299,NTx86.10.0...18277,ntamd64.10.0...18277....[Standard.NTx86]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NtAMD64]..%DeviceName%= v3DDKIndirect_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.NTx86.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Install, Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001..[Standard.ntamd64.10.0...16299]..%DeviceName%= v3DDKIndirect_1.2_Insta
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):1.2254104673417807
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:tCr7uoO+xFX49T51SZqNLVP8hgSoedbgrzStedFmOdOD1LqWD:kr7ZeTLSmLVP8hgDno5
                                                                                                    MD5:9DB85ED6ABB4DFF4FB5A443A5736167E
                                                                                                    SHA1:2D580DC3BF7E4E97D9AB25DCA7BBD6CACBD0CF1C
                                                                                                    SHA-256:171EEED9E5F13E0515B6C377C84A8DDE675F37FC9BB8F37F9E98ADBE54A36BBA
                                                                                                    SHA-512:CF99EFDF27F8876094CB50D3AABAAE318AB7B14E2F732098AFD89D40B268EDF81F4CD04098AFADC3C3CC62313B5F567E47B432FCFE644F0C42EA93D2524F29F9
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):512
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3::
                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):512
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3::
                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):1.2254104673417807
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:tCr7uoO+xFX49T51SZqNLVP8hgSoedbgrzStedFmOdOD1LqWD:kr7ZeTLSmLVP8hgDno5
                                                                                                    MD5:9DB85ED6ABB4DFF4FB5A443A5736167E
                                                                                                    SHA1:2D580DC3BF7E4E97D9AB25DCA7BBD6CACBD0CF1C
                                                                                                    SHA-256:171EEED9E5F13E0515B6C377C84A8DDE675F37FC9BB8F37F9E98ADBE54A36BBA
                                                                                                    SHA-512:CF99EFDF27F8876094CB50D3AABAAE318AB7B14E2F732098AFD89D40B268EDF81F4CD04098AFADC3C3CC62313B5F567E47B432FCFE644F0C42EA93D2524F29F9
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):0.08363744089515172
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOWvLhqYeytLVxkkqVky6l9:2F0i8n0itFzDHFWT7eOhr9
                                                                                                    MD5:302ACB54DB64887B98A15B23DF9F0A44
                                                                                                    SHA1:6D61CDE6034AE8685695256EDEDA0E247E6A7EB0
                                                                                                    SHA-256:0EF239B0FE9E188CB66E194F0DEE2B42830C1700C50182354A5E772CDF52779F
                                                                                                    SHA-512:BE0E598DE7B7962020910E97D17BB6997EB323B83E3F810B3C2AE016B4B1E90B0CB5FFFE2C78A23BD3237383096CFAB4E143690AADBC2F4FC7412F542D8A439E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):1.2254104673417807
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:tCr7uoO+xFX49T51SZqNLVP8hgSoedbgrzStedFmOdOD1LqWD:kr7ZeTLSmLVP8hgDno5
                                                                                                    MD5:9DB85ED6ABB4DFF4FB5A443A5736167E
                                                                                                    SHA1:2D580DC3BF7E4E97D9AB25DCA7BBD6CACBD0CF1C
                                                                                                    SHA-256:171EEED9E5F13E0515B6C377C84A8DDE675F37FC9BB8F37F9E98ADBE54A36BBA
                                                                                                    SHA-512:CF99EFDF27F8876094CB50D3AABAAE318AB7B14E2F732098AFD89D40B268EDF81F4CD04098AFADC3C3CC62313B5F567E47B432FCFE644F0C42EA93D2524F29F9
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):512
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3::
                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):69632
                                                                                                    Entropy (8bit):0.12880114992744593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:raLqWMmOdODGStedUSoedbgrX7LPMqNLc7:mqoa6n7LP/Lc7
                                                                                                    MD5:F28D4F995976E07C76F70A3DBEB67157
                                                                                                    SHA1:C24594DF92B3FB7025BB51B0B3D56052C5BF16A5
                                                                                                    SHA-256:9F35CF1E712F7873465834698CCE2B5EEFEA16B27100590172829A9BCB44D841
                                                                                                    SHA-512:E6DF2E5BAF830E05C7D43414D17B360A5EA2DB6E6D3DCE0DB6B8CB8DFB90C253E77D051DB47D1F31E78A90C5A017AAD1DD836B37924D1F23C7BFB836ACB0CA3C
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                    Category:dropped
                                                                                                    Size (bytes):20480
                                                                                                    Entropy (8bit):1.5282473903519844
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:+8Phj7uRc06WX44FT5TSZqNLVP8hgSoedbgrzStedFmOdOD1LqWD:xhj71IFTFSmLVP8hgDno5
                                                                                                    MD5:021E6DE7D4E2EB5E7AEBC02287943338
                                                                                                    SHA1:0276B02030D55F55191FC84CF808A0B3E5FBD682
                                                                                                    SHA-256:FA2CC40E72A072EF2E9CB70041DD875C017064BA15AFFFC549E9B745F1139CD6
                                                                                                    SHA-512:33677395EA93A4DB37DECB11FA09EDCFC63A302AE7F85D9A7B4911F6D6FA589A4C78A61BB985BC641B844C4ECE65CB064FD6DE34C79366334219A5E9A50B8648
                                                                                                    Malicious:false
                                                                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: ClickShare Extension Pack, Author: Barco N.V., Keywords: Installer, Comments: Windows Installer Package, Template: Intel;1033, Revision Number: {A1C10D50-773A-4B79-B97F-11DA2C6B622E}, Create Time/Date: Mon Jul 15 15:43:38 2019, Last Saved Time/Date: Mon Jul 15 15:43:38 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
                                                                                                    Entropy (8bit):7.624749083431013
                                                                                                    TrID:
                                                                                                    • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                    • ClickyMouse macro set (36024/1) 34.46%
                                                                                                    • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                    File name:ClickShare-Extension-Pack-01.01.02.0007.msi
                                                                                                    File size:7'888'896 bytes
                                                                                                    MD5:56d913ebbe38ab3a7f48abe1a3e9daa6
                                                                                                    SHA1:fb6518265932a3d810183f3a6e6a0fde14a2b66e
                                                                                                    SHA256:26f4dc0f8ccedc064aea7fda31a2a8bec32cf7b646fa044cbfdd352f559764e0
                                                                                                    SHA512:bfa5d4ae17e9b68d479f8b026a64ac20ad1bcf876ed6d8ede1ebd846f6a3552a6753c85e6c5bed80374a4254b2d57e84148224e7b55352cc3e0223b57ae3030e
                                                                                                    SSDEEP:196608:OTjSFFYWNrtEPCSnsP9WYhaVVbm2zGRS3i8ODftvhN0:hFYWYB6vhMhmo3i8e1vhm
                                                                                                    TLSH:AD86F101FAB44125E1A25A7FE9B6EE64D1357C85573085CF2206BA6A3F774D28232F33
                                                                                                    Icon Hash:2d2e3797b32b2b99
                                                                                                    No network behavior found


                                                                                                    Target ID:0
                                                                                                    Start time:10:08:17
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Windows\System32\msiexec.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ClickShare-Extension-Pack-01.01.02.0007.msi"
                                                                                                    Imagebase:0x7ff681910000
                                                                                                    File size:69'632 bytes
                                                                                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:2
                                                                                                    Start time:10:08:17
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Windows\System32\msiexec.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                    Imagebase:0x7ff681910000
                                                                                                    File size:69'632 bytes
                                                                                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:false

                                                                                                    Target ID:3
                                                                                                    Start time:10:08:24
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding E6B16BCC263E80D188A4984C7B267598
                                                                                                    Imagebase:0xe50000
                                                                                                    File size:59'904 bytes
                                                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:4
                                                                                                    Start time:10:08:25
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\SysWOW64\taskkill.exe" /F /IM clicksharelauncher.exe
                                                                                                    Imagebase:0x750000
                                                                                                    File size:74'240 bytes
                                                                                                    MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:moderate
                                                                                                    Has exited:true

                                                                                                    Target ID:5
                                                                                                    Start time:10:08:25
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6d64d0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:6
                                                                                                    Start time:10:08:25
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Windows\System32\msiexec.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\MsiExec.exe -Embedding F4B6C0AC556B4BDBCA932BA88603FA42
                                                                                                    Imagebase:0x7ff681910000
                                                                                                    File size:69'632 bytes
                                                                                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:7
                                                                                                    Start time:10:08:26
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe" install
                                                                                                    Imagebase:0x7ff642e10000
                                                                                                    File size:177'544 bytes
                                                                                                    MD5 hash:28B07DC516BFC41A35A93DC1643E143F
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                    • Detection: 0%, Virustotal
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:9
                                                                                                    Start time:10:08:27
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Windows\System32\drvinst.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\MirrorOpDisplay.inf" "9" "4208fae43" "0000000000000154" "WinSta0\Default" "000000000000016C" "208" "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx"
                                                                                                    Imagebase:0x7ff704db0000
                                                                                                    File size:337'920 bytes
                                                                                                    MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:moderate
                                                                                                    Has exited:true

                                                                                                    Target ID:10
                                                                                                    Start time:10:08:30
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Windows\System32\drvinst.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:DrvInst.exe "2" "1" "ROOT\DISPLAY\0000" "C:\Windows\System32\DriverStore\FileRepository\mirroropdisplay.inf_amd64_81a2ef4ec907e6ad\mirroropdisplay.inf" "oem4.inf:*:*:1.1.174.61:Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001," "4208fae43" "0000000000000168"
                                                                                                    Imagebase:0x7ff704db0000
                                                                                                    File size:337'920 bytes
                                                                                                    MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:moderate
                                                                                                    Has exited:true

                                                                                                    Target ID:11
                                                                                                    Start time:10:08:31
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Windows\System32\drivers\WUDFRd.sys
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:
                                                                                                    Imagebase:
                                                                                                    File size:315'392 bytes
                                                                                                    MD5 hash:0B7A5464602DA68DA6BEFC2A1B5BE4C5
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:low
                                                                                                    Has exited:false

                                                                                                    Target ID:12
                                                                                                    Start time:10:08:31
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Windows\System32\drivers\IndirectKmd.sys
                                                                                                    Wow64 process (32bit):
                                                                                                    Commandline:
                                                                                                    Imagebase:
                                                                                                    File size:47'104 bytes
                                                                                                    MD5 hash:9B943585EF2A4917E1BC2186045E4B64
                                                                                                    Has elevated privileges:
                                                                                                    Has administrator privileges:
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:low
                                                                                                    Has exited:false

                                                                                                    Target ID:13
                                                                                                    Start time:10:08:31
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Windows\System32\WUDFHost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-35dc3092-997a-462b-8ee0-c4c46c580d41 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-2348cb75-16eb-4e88-aea2-36cde2ec3571 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-8f9a7ac6-e24f-4275-b4e5-c5e16ce5d6a7 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-34c938a5-6219-4a04-8fb5-f0a5c593a835 -LifetimeId:f1058ddd-615d-4a9e-a592-7cb571a1dced -DeviceGroupId:v3DDKIndirectGroup -HostArg:0
                                                                                                    Imagebase:0x7ff75df70000
                                                                                                    File size:271'872 bytes
                                                                                                    MD5 hash:00E2EF3D2C9309CA4135195A049CC79C
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:low
                                                                                                    Has exited:false

                                                                                                    Target ID:14
                                                                                                    Start time:10:08:34
                                                                                                    Start date:18/04/2024
                                                                                                    Path:C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe"
                                                                                                    Imagebase:0x2b0000
                                                                                                    File size:4'887'168 bytes
                                                                                                    MD5 hash:5EB03B6FF6643353FE82B59F8242F1BE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                    • Detection: 0%, Virustotal
                                                                                                    Reputation:low
                                                                                                    Has exited:false


                                                                                                      Execution Graph

                                                                                                      Execution Coverage:10.6%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:11.3%
                                                                                                      Total number of Nodes:1906
                                                                                                      Total number of Limit Nodes:39
7ff642e225a4 11372->11377 11374 7ff642e2122a 11373->11374 11374->11371 11376 7ff642e2122e GetStringTypeW 11374->11376 11375->11366 11376->11371 11378 7ff642e18c68 34 API calls 11377->11378 11379 7ff642e225c9 11378->11379 11382 7ff642e2228c 11379->11382 11383 7ff642e222ce 11382->11383 11384 7ff642e206dc MultiByteToWideChar 11383->11384 11387 7ff642e22318 11384->11387 11385 7ff642e22557 11386 7ff642e147c0 _handle_error 8 API calls 11385->11386 11388 7ff642e20018 11386->11388 11387->11385 11389 7ff642e2234b 11387->11389 11390 7ff642e1d0e8 _onexit 15 API calls 11387->11390 11388->11361 11391 7ff642e206dc MultiByteToWideChar 11389->11391 11393 7ff642e2244f 11389->11393 11390->11389 11392 7ff642e223bd 11391->11392 11392->11393 11410 7ff642e21a9c 11392->11410 11393->11385 11395 7ff642e1d0a8 Concurrency::details::SchedulerProxy::DeleteThis 14 API calls 11393->11395 11395->11385 11397 7ff642e2240c 11397->11393 11401 7ff642e21a9c 6 API calls 11397->11401 11398 7ff642e2245e 11399 7ff642e22478 11398->11399 11400 7ff642e1d0e8 _onexit 15 API calls 11398->11400 11399->11393 11402 7ff642e21a9c 6 API calls 11399->11402 11400->11399 11401->11393 11404 7ff642e224f9 11402->11404 11403 7ff642e2252e 11403->11393 11405 7ff642e1d0a8 Concurrency::details::SchedulerProxy::DeleteThis 14 API calls 11403->11405 11404->11403 11416 7ff642e20738 11404->11416 11405->11393 11411 7ff642e216a8 try_get_function 5 API calls 11410->11411 11412 7ff642e21ada 11411->11412 11413 7ff642e21adf 11412->11413 11419 7ff642e21b78 11412->11419 11413->11393 11413->11397 11413->11398 11415 7ff642e21b3b LCMapStringW 11415->11413 11417 7ff642e20754 WideCharToMultiByte 11416->11417 11420 7ff642e216a8 try_get_function 5 API calls 11419->11420 11421 7ff642e21ba6 __crtDownlevelLocaleNameToLCID 11420->11421 11421->11415 11423 7ff642e149a4 11424 7ff642e149b4 pre_c_initialization 11423->11424 11440 7ff642e1b6f8 11424->11440 11426 7ff642e149c0 pre_c_initialization 11446 7ff642e14d6c 11426->11446 11428 7ff642e150b8 
__scrt_fastfail 7 API calls 11430 7ff642e14a5a __scrt_initialize_default_local_stdio_options 11428->11430 11429 7ff642e149d9 _RTC_Initialize 11438 7ff642e14a2e pre_c_initialization 11429->11438 11451 7ff642e14f80 11429->11451 11432 7ff642e149ee pre_c_initialization 11454 7ff642e1af2c 11432->11454 11438->11428 11439 7ff642e14a4a 11438->11439 11441 7ff642e1b709 11440->11441 11442 7ff642e1c808 _set_fmode 14 API calls 11441->11442 11443 7ff642e1b711 11441->11443 11444 7ff642e1b720 11442->11444 11443->11426 11445 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 11444->11445 11445->11443 11447 7ff642e14d81 11446->11447 11450 7ff642e14d8a __scrt_initialize_onexit_tables __scrt_release_startup_lock 11446->11450 11448 7ff642e150b8 __scrt_fastfail 7 API calls 11447->11448 11447->11450 11449 7ff642e14e43 11448->11449 11450->11429 11479 7ff642e14f30 11451->11479 11453 7ff642e14f89 11453->11432 11455 7ff642e149fa 11454->11455 11456 7ff642e1af4c 11454->11456 11455->11438 11478 7ff642e15058 InitializeSListHead 11455->11478 11457 7ff642e1af6a GetModuleFileNameW 11456->11457 11458 7ff642e1af54 11456->11458 11462 7ff642e1af95 pre_c_initialization 11457->11462 11459 7ff642e1c808 _set_fmode 14 API calls 11458->11459 11460 7ff642e1af59 11459->11460 11461 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 11460->11461 11461->11455 11463 7ff642e1aecc pre_c_initialization 14 API calls 11462->11463 11464 7ff642e1afd5 11463->11464 11465 7ff642e1afdd 11464->11465 11469 7ff642e1aff5 pre_c_initialization 11464->11469 11466 7ff642e1c808 _set_fmode 14 API calls 11465->11466 11467 7ff642e1afe2 11466->11467 11470 7ff642e1d0a8 Concurrency::details::SchedulerProxy::DeleteThis 14 API calls 11467->11470 11468 7ff642e1b017 11471 7ff642e1d0a8 Concurrency::details::SchedulerProxy::DeleteThis 14 API calls 11468->11471 11469->11468 11472 7ff642e1b05c 11469->11472 11473 7ff642e1b043 11469->11473 11470->11455 11471->11455 11476 7ff642e1d0a8 Concurrency::details::SchedulerProxy::DeleteThis 14 API calls 
11472->11476 11474 7ff642e1d0a8 Concurrency::details::SchedulerProxy::DeleteThis 14 API calls 11473->11474 11475 7ff642e1b04c 11474->11475 11477 7ff642e1d0a8 Concurrency::details::SchedulerProxy::DeleteThis 14 API calls 11475->11477 11476->11468 11477->11455 11480 7ff642e14f5f 11479->11480 11481 7ff642e14f55 _onexit 11479->11481 11483 7ff642e1bd34 11480->11483 11481->11453 11486 7ff642e1b980 11483->11486 11493 7ff642e1f414 EnterCriticalSection 11486->11493 9163 7ff642e14a88 9184 7ff642e14d20 9163->9184 9166 7ff642e14bd4 9228 7ff642e150b8 IsProcessorFeaturePresent 9166->9228 9167 7ff642e14aa4 9169 7ff642e14bde 9167->9169 9176 7ff642e14ac2 __scrt_is_nonwritable_in_current_image __scrt_release_startup_lock 9167->9176 9170 7ff642e150b8 __scrt_fastfail 7 API calls 9169->9170 9172 7ff642e14be9 FindHandlerForForeignException 9170->9172 9171 7ff642e14ae7 9173 7ff642e14b6d 9192 7ff642e15204 9173->9192 9175 7ff642e14b72 9195 7ff642e13f70 GetLocalTime 9175->9195 9176->9171 9176->9173 9217 7ff642e1b680 9176->9217 9181 7ff642e14b95 9181->9172 9224 7ff642e14f04 9181->9224 9185 7ff642e14d42 __isa_available_init 9184->9185 9235 7ff642e15fbc 9185->9235 9191 7ff642e14a9c 9191->9166 9191->9167 9315 7ff642e16070 9192->9315 9317 7ff642e129c0 9195->9317 9198 7ff642e129c0 100 API calls 9199 7ff642e14012 9198->9199 9337 7ff642e127e0 9199->9337 9201 7ff642e14069 9202 7ff642e127e0 33 API calls 9201->9202 9215 7ff642e14090 9202->9215 9203 7ff642e14134 9204 7ff642e129c0 100 API calls 9203->9204 9205 7ff642e14232 9204->9205 9206 7ff642e14271 9205->9206 9208 7ff642e1429c 9205->9208 9383 7ff642e12ca0 9206->9383 9397 7ff642e185f0 9208->9397 9209 7ff642e14283 9388 7ff642e147c0 9209->9388 9214 7ff642e129c0 100 API calls 9214->9215 9215->9203 9215->9214 9347 7ff642e13890 9215->9347 9218 7ff642e1b6b6 9217->9218 9219 7ff642e1b6a4 9217->9219 10393 7ff642e1bef4 9218->10393 9219->9173 9222 7ff642e15248 GetModuleHandleW 9223 7ff642e15259 9222->9223 9223->9181 9225 7ff642e14f15 __scrt_uninitialize_crt 
9224->9225 9226 7ff642e14bac 9225->9226 9227 7ff642e15ff0 __vcrt_uninitialize 8 API calls 9225->9227 9226->9171 9227->9226 9229 7ff642e150dd __scrt_fastfail __scrt_get_show_window_mode 9228->9229 9230 7ff642e150fc RtlCaptureContext RtlLookupFunctionEntry 9229->9230 9231 7ff642e15161 __scrt_get_show_window_mode 9230->9231 9232 7ff642e15125 RtlVirtualUnwind 9230->9232 9233 7ff642e15193 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 9231->9233 9232->9231 9234 7ff642e151e5 __scrt_fastfail 9233->9234 9234->9169 9236 7ff642e15fc5 __vcrt_initialize_winapi_thunks __vcrt_initialize 9235->9236 9255 7ff642e1794c 9236->9255 9239 7ff642e14d47 9239->9191 9243 7ff642e1bea8 9239->9243 9244 7ff642e21d00 9243->9244 9245 7ff642e14d54 9244->9245 9291 7ff642e1e9cc 9244->9291 9245->9191 9247 7ff642e15ff0 9245->9247 9248 7ff642e15ff8 9247->9248 9249 7ff642e16009 9247->9249 9303 7ff642e1635c 9248->9303 9249->9191 9252 7ff642e17994 __vcrt_uninitialize_locks DeleteCriticalSection 9253 7ff642e16002 9252->9253 9307 7ff642e17d64 9253->9307 9256 7ff642e17954 9255->9256 9258 7ff642e17985 9256->9258 9259 7ff642e15fcf 9256->9259 9272 7ff642e17cd0 9256->9272 9260 7ff642e17994 __vcrt_uninitialize_locks DeleteCriticalSection 9258->9260 9259->9239 9261 7ff642e16308 9259->9261 9260->9259 9287 7ff642e17ba4 9261->9287 9277 7ff642e179cc 9272->9277 9275 7ff642e17d1b InitializeCriticalSectionAndSpinCount 9276 7ff642e17d10 9275->9276 9276->9256 9278 7ff642e17a2d 9277->9278 9285 7ff642e17a28 try_get_function 9277->9285 9278->9275 9278->9276 9279 7ff642e17b10 9279->9278 9282 7ff642e17b1e GetProcAddress 9279->9282 9280 7ff642e17a5c LoadLibraryExW 9281 7ff642e17a7d GetLastError 9280->9281 9280->9285 9281->9285 9283 7ff642e17b2f 9282->9283 9283->9278 9284 7ff642e17af5 FreeLibrary 9284->9285 9285->9278 9285->9279 9285->9280 9285->9284 9286 7ff642e17ab7 LoadLibraryExW 9285->9286 9286->9285 9288 7ff642e179cc try_get_function 5 API calls 9287->9288 9289 7ff642e17bc9 TlsAlloc 9288->9289 9302 
7ff642e1f414 EnterCriticalSection 9291->9302 9293 7ff642e1e9dc 9294 7ff642e209a4 32 API calls 9293->9294 9295 7ff642e1e9e5 9294->9295 9296 7ff642e1e9f3 9295->9296 9298 7ff642e1e7d0 34 API calls 9295->9298 9297 7ff642e1f468 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 9296->9297 9299 7ff642e1e9ff 9297->9299 9300 7ff642e1e9ee 9298->9300 9299->9244 9301 7ff642e1e8c0 GetStdHandle GetFileType 9300->9301 9301->9296 9304 7ff642e15ffd 9303->9304 9305 7ff642e1636b 9303->9305 9304->9252 9311 7ff642e17bec 9305->9311 9308 7ff642e17d68 9307->9308 9310 7ff642e17d9c 9307->9310 9309 7ff642e17d82 FreeLibrary 9308->9309 9308->9310 9309->9308 9310->9249 9312 7ff642e179cc try_get_function 5 API calls 9311->9312 9313 7ff642e17c13 TlsFree 9312->9313 9316 7ff642e1521b GetStartupInfoW 9315->9316 9316->9175 9318 7ff642e129e9 9317->9318 9402 7ff642e1a960 9318->9402 9320 7ff642e12a73 __scrt_initialize_default_local_stdio_options 9433 7ff642e1a834 9320->9433 9321 7ff642e12a44 __scrt_initialize_default_local_stdio_options 9321->9320 9412 7ff642e1a7a8 9321->9412 9327 7ff642e12c29 9328 7ff642e12c62 9327->9328 9331 7ff642e12c86 9327->9331 9330 7ff642e147c0 _handle_error 8 API calls 9328->9330 9332 7ff642e12c76 9330->9332 9333 7ff642e185f0 _invalid_parameter_noinfo_noreturn 31 API calls 9331->9333 9332->9198 9334 7ff642e12c8b 9333->9334 9335 7ff642e12adf memcpy_s 9336 7ff642e12c11 OutputDebugStringW 9335->9336 9336->9327 9338 7ff642e1282d 9337->9338 9346 7ff642e12801 memcpy_s 9337->9346 9339 7ff642e12889 9338->9339 9341 7ff642e128be 9338->9341 9345 7ff642e128a7 memcpy_s 9338->9345 9340 7ff642e147ec 4 API calls 9339->9340 9340->9345 9343 7ff642e147ec 4 API calls 9341->9343 9341->9345 9342 7ff642e185f0 _invalid_parameter_noinfo_noreturn 31 API calls 9344 7ff642e12949 9342->9344 9343->9345 9345->9342 9345->9346 9346->9201 9348 7ff642e129c0 100 API calls 9347->9348 9349 7ff642e138d8 __scrt_get_show_window_mode 9348->9349 9350 7ff642e138fc VerSetConditionMask 
VerSetConditionMask VerSetConditionMask VerifyVersionInfoW 9349->9350 9351 7ff642e13ac6 9350->9351 9352 7ff642e13967 __scrt_get_show_window_mode 9350->9352 9353 7ff642e129c0 100 API calls 9351->9353 9354 7ff642e13978 VerSetConditionMask VerifyVersionInfoW 9352->9354 9355 7ff642e139c8 9353->9355 9356 7ff642e139b7 9354->9356 9357 7ff642e139d0 9354->9357 9360 7ff642e147c0 _handle_error 8 API calls 9355->9360 9358 7ff642e129c0 100 API calls 9356->9358 10327 7ff642e12e60 9357->10327 9358->9355 9362 7ff642e13ae8 9360->9362 9362->9215 9386 7ff642e12cba 9383->9386 9384 7ff642e185f0 _invalid_parameter_noinfo_noreturn 31 API calls 9385 7ff642e12e54 9384->9385 9386->9384 9387 7ff642e12e2d 9386->9387 9387->9209 9389 7ff642e147ca 9388->9389 9390 7ff642e14291 9389->9390 9391 7ff642e1485c IsProcessorFeaturePresent 9389->9391 9390->9222 9392 7ff642e14873 9391->9392 10388 7ff642e14930 RtlCaptureContext 9392->10388 9398 7ff642e18520 _invalid_parameter_noinfo_noreturn 31 API calls 9397->9398 9399 7ff642e18609 9398->9399 9400 7ff642e18620 _invalid_parameter_noinfo_noreturn 17 API calls 9399->9400 9401 7ff642e1861e 9400->9401 9403 7ff642e1a98b 9402->9403 9404 7ff642e1a97a 9402->9404 9454 7ff642e1a8a4 9403->9454 9473 7ff642e1c808 9404->9473 9410 7ff642e1c808 _set_fmode 14 API calls 9411 7ff642e1a989 9410->9411 9411->9321 9413 7ff642e1a7ce 9412->9413 9414 7ff642e1a7e3 9412->9414 9415 7ff642e1c808 _set_fmode 14 API calls 9413->9415 9414->9413 9416 7ff642e1a7e8 9414->9416 9417 7ff642e1a7d3 9415->9417 9887 7ff642e18668 9416->9887 9419 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 9417->9419 9420 7ff642e12a69 9419->9420 9421 7ff642e1aa3c 9420->9421 9422 7ff642e1aa71 9421->9422 9423 7ff642e1aa53 9421->9423 9425 7ff642e1aa63 9422->9425 9895 7ff642e1e67c EnterCriticalSection 9422->9895 9424 7ff642e1c808 _set_fmode 14 API calls 9423->9424 9427 7ff642e1aa58 9424->9427 9425->9320 9429 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 9427->9429 9428 7ff642e1aa87 9430 7ff642e1a9b8 63 API 
calls 9428->9430 9429->9425 9431 7ff642e1aa90 9430->9431 9432 7ff642e1e688 LeaveCriticalSection 9431->9432 9432->9425 9434 7ff642e1a848 9433->9434 9435 7ff642e1a884 9433->9435 9434->9435 9437 7ff642e1a852 9434->9437 9436 7ff642e1c808 _set_fmode 14 API calls 9435->9436 9443 7ff642e1a87c 9436->9443 9896 7ff642e186a8 9437->9896 9440 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 9441 7ff642e12abd 9440->9441 9441->9327 9441->9335 9444 7ff642e12600 9441->9444 9442 7ff642e1c808 _set_fmode 14 API calls 9442->9443 9443->9440 9445 7ff642e1262e 9444->9445 9447 7ff642e127ab 9444->9447 9446 7ff642e1269d 9445->9446 9448 7ff642e126d2 9445->9448 10296 7ff642e147ec 9446->10296 9450 7ff642e126bb memcpy_s 9448->9450 9451 7ff642e147ec 4 API calls 9448->9451 9452 7ff642e185f0 _invalid_parameter_noinfo_noreturn 31 API calls 9450->9452 9453 7ff642e12758 memcpy_s 9450->9453 9451->9450 9452->9447 9453->9335 9455 7ff642e1a8c1 9454->9455 9456 7ff642e1a8e3 9454->9456 9457 7ff642e1c808 _set_fmode 14 API calls 9455->9457 9456->9455 9459 7ff642e1a8ed 9456->9459 9458 7ff642e1a8c6 9457->9458 9460 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 9458->9460 9461 7ff642e1a8ff 9459->9461 9462 7ff642e1a8f2 9459->9462 9472 7ff642e1a8d1 9460->9472 9479 7ff642e1ea48 9461->9479 9464 7ff642e1c808 _set_fmode 14 API calls 9462->9464 9464->9472 9466 7ff642e1a920 9486 7ff642e1ee6c 9466->9486 9467 7ff642e1a913 9468 7ff642e1c808 _set_fmode 14 API calls 9467->9468 9468->9472 9470 7ff642e1a934 9491 7ff642e1e688 LeaveCriticalSection 9470->9491 9472->9410 9472->9411 9844 7ff642e1cd1c GetLastError 9473->9844 9475 7ff642e1a97f 9476 7ff642e185d0 9475->9476 9867 7ff642e18520 9476->9867 9492 7ff642e1f414 EnterCriticalSection 9479->9492 9481 7ff642e1ea5f 9482 7ff642e1eabc 17 API calls 9481->9482 9483 7ff642e1ea6a 9482->9483 9484 7ff642e1f468 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 9483->9484 9485 7ff642e1a909 9484->9485 9485->9466 9485->9467 9493 7ff642e1eba8 9486->9493 9489 
7ff642e1eec6 9489->9470 9494 7ff642e1ebd2 9493->9494 9503 7ff642e1ed85 9494->9503 9508 7ff642e24604 9494->9508 9495 7ff642e1c808 _set_fmode 14 API calls 9496 7ff642e1ee4b 9495->9496 9497 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 9496->9497 9498 7ff642e1ed8e 9497->9498 9498->9489 9505 7ff642e24e70 9498->9505 9500 7ff642e1ede6 9501 7ff642e24604 39 API calls 9500->9501 9500->9503 9502 7ff642e1ee07 9501->9502 9502->9503 9504 7ff642e24604 39 API calls 9502->9504 9503->9495 9503->9498 9504->9503 9619 7ff642e24730 9505->9619 9509 7ff642e2463e 9508->9509 9510 7ff642e24611 9508->9510 9522 7ff642e246aa 9509->9522 9525 7ff642e18c68 9509->9525 9510->9509 9511 7ff642e24616 9510->9511 9512 7ff642e1c808 _set_fmode 14 API calls 9511->9512 9513 7ff642e2461b 9512->9513 9515 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 9513->9515 9517 7ff642e24626 9515->9517 9517->9500 9518 7ff642e2469a 9519 7ff642e1c808 _set_fmode 14 API calls 9518->9519 9520 7ff642e2469f 9519->9520 9521 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 9520->9521 9521->9522 9522->9500 9523 7ff642e1cf3c 39 API calls 9524 7ff642e246ac 9523->9524 9524->9522 9524->9523 9526 7ff642e18c8c 9525->9526 9527 7ff642e18c87 9525->9527 9526->9527 9533 7ff642e1cba0 GetLastError 9526->9533 9527->9518 9527->9524 9534 7ff642e1cbc2 9533->9534 9537 7ff642e1cbc7 9533->9537 9568 7ff642e2199c 9534->9568 9539 7ff642e1cbcf SetLastError 9537->9539 9572 7ff642e219e4 9537->9572 9543 7ff642e1cc6e 9539->9543 9544 7ff642e18ca7 9539->9544 9595 7ff642e1bf74 9543->9595 9560 7ff642e1d684 9544->9560 9546 7ff642e1cc1b 9549 7ff642e219e4 _set_fmode 6 API calls 9546->9549 9547 7ff642e1cc0b 9550 7ff642e219e4 _set_fmode 6 API calls 9547->9550 9551 7ff642e1cc23 9549->9551 9552 7ff642e1cc12 9550->9552 9553 7ff642e1cc27 9551->9553 9554 7ff642e1cc39 9551->9554 9584 7ff642e1d0a8 9552->9584 9556 7ff642e219e4 _set_fmode 6 API calls 9553->9556 9590 7ff642e1c950 9554->9590 9556->9552 9559 7ff642e1d0a8 
Concurrency::details::SchedulerProxy::DeleteThis 14 API calls 9559->9539 9561 7ff642e1d699 9560->9561 9562 7ff642e18cca 9560->9562 9561->9562 9604 7ff642e215d0 9561->9604 9564 7ff642e1d6b8 9562->9564 9565 7ff642e1d6cd 9564->9565 9566 7ff642e1d6e0 9564->9566 9565->9566 9616 7ff642e203dc 9565->9616 9566->9527 9569 7ff642e216a8 try_get_function 5 API calls 9568->9569 9571 7ff642e219c3 TlsGetValue 9569->9571 9573 7ff642e216a8 try_get_function 5 API calls 9572->9573 9574 7ff642e21a12 9573->9574 9575 7ff642e1cbea 9574->9575 9576 7ff642e21a24 TlsSetValue 9574->9576 9575->9539 9577 7ff642e1f4ec 9575->9577 9576->9575 9583 7ff642e1f4fd _set_fmode 9577->9583 9578 7ff642e1f54e 9580 7ff642e1c808 _set_fmode 13 API calls 9578->9580 9579 7ff642e1f532 RtlAllocateHeap 9581 7ff642e1cbfd 9579->9581 9579->9583 9580->9581 9581->9546 9581->9547 9582 7ff642e1aaa8 _set_fmode EnterCriticalSection LeaveCriticalSection 9582->9583 9583->9578 9583->9579 9583->9582 9585 7ff642e1d0ad HeapFree 9584->9585 9586 7ff642e1d0dd Concurrency::details::SchedulerProxy::DeleteThis 9584->9586 9585->9586 9587 7ff642e1d0c8 9585->9587 9586->9539 9588 7ff642e1c808 _set_fmode 12 API calls 9587->9588 9589 7ff642e1d0cd GetLastError 9588->9589 9589->9586 9591 7ff642e1c828 _set_fmode EnterCriticalSection LeaveCriticalSection 9590->9591 9592 7ff642e1ca02 9591->9592 9593 7ff642e1c8a8 _set_fmode 14 API calls 9592->9593 9594 7ff642e1ca17 9593->9594 9594->9559 9596 7ff642e21e04 FindHandlerForForeignException EnterCriticalSection LeaveCriticalSection 9595->9596 9597 7ff642e1bf7d 9596->9597 9598 7ff642e1bf8c 9597->9598 9599 7ff642e21e54 FindHandlerForForeignException 33 API calls 9597->9599 9600 7ff642e1bfbf FindHandlerForForeignException 9598->9600 9601 7ff642e1bf95 IsProcessorFeaturePresent 9598->9601 9599->9598 9602 7ff642e1bfa4 9601->9602 9603 7ff642e183bc _invalid_parameter_noinfo_noreturn 14 API calls 9602->9603 9603->9600 9605 7ff642e1cba0 pre_c_initialization 34 API calls 9604->9605 9606 7ff642e215df 9605->9606 9607 
7ff642e2162a 9606->9607 9608 7ff642e1f414 Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 9606->9608 9607->9562 9609 7ff642e21608 9608->9609 9610 7ff642e21640 14 API calls 9609->9610 9611 7ff642e21618 9610->9611 9612 7ff642e1f468 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 9611->9612 9613 7ff642e21625 9612->9613 9613->9607 9614 7ff642e1bf74 FindHandlerForForeignException 34 API calls 9613->9614 9615 7ff642e2163d 9614->9615 9617 7ff642e1cba0 pre_c_initialization 34 API calls 9616->9617 9618 7ff642e203e5 9617->9618 9620 7ff642e24747 9619->9620 9622 7ff642e24765 9619->9622 9621 7ff642e1c808 _set_fmode 14 API calls 9620->9621 9623 7ff642e2474c 9621->9623 9622->9620 9624 7ff642e24781 9622->9624 9625 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 9623->9625 9630 7ff642e24d58 9624->9630 9628 7ff642e24758 9625->9628 9628->9489 9631 7ff642e18c68 34 API calls 9630->9631 9632 7ff642e24dab 9631->9632 9637 7ff642e24dbb 9632->9637 9707 7ff642e218d0 9632->9707 9636 7ff642e24e13 9639 7ff642e247ac 9636->9639 9640 7ff642e1d0a8 Concurrency::details::SchedulerProxy::DeleteThis 14 API calls 9636->9640 9642 7ff642e1f578 9637->9642 9639->9628 9641 7ff642e20b34 LeaveCriticalSection 9639->9641 9640->9639 9643 7ff642e1f5a1 9642->9643 9644 7ff642e1f5c3 9642->9644 9645 7ff642e1f5af 9643->9645 9648 7ff642e1d0a8 Concurrency::details::SchedulerProxy::DeleteThis 14 API calls 9643->9648 9646 7ff642e1f5c7 9644->9646 9647 7ff642e1f61c 9644->9647 9645->9636 9664 7ff642e24ea4 9645->9664 9646->9645 9650 7ff642e1f5db 9646->9650 9653 7ff642e1d0a8 Concurrency::details::SchedulerProxy::DeleteThis 14 API calls 9646->9653 9717 7ff642e206dc 9647->9717 9648->9645 9710 7ff642e1d0e8 9650->9710 9653->9650 9720 7ff642e24a88 9664->9720 9667 7ff642e24f19 9776 7ff642e1c7e8 9667->9776 9668 7ff642e24f31 9740 7ff642e20b5c 9668->9740 9671 7ff642e24f1e 9677 7ff642e1c808 _set_fmode 14 API calls 9671->9677 9673 7ff642e24f56 CreateFileW 9675 7ff642e2503c GetFileType 
9673->9675 9676 7ff642e24fc1 9673->9676 9674 7ff642e24f3d 9678 7ff642e1c7e8 14 API calls 9674->9678 9680 7ff642e25049 GetLastError 9675->9680 9681 7ff642e2509a 9675->9681 9679 7ff642e25009 GetLastError 9676->9679 9683 7ff642e24fcf CreateFileW 9676->9683 9700 7ff642e24f2a 9677->9700 9682 7ff642e24f42 9678->9682 9779 7ff642e1c798 9679->9779 9685 7ff642e1c798 14 API calls 9680->9685 9752 7ff642e20a74 9681->9752 9686 7ff642e1c808 _set_fmode 14 API calls 9682->9686 9683->9675 9683->9679 9687 7ff642e25058 CloseHandle 9685->9687 9686->9671 9687->9671 9689 7ff642e2508a 9687->9689 9690 7ff642e1c808 _set_fmode 14 API calls 9689->9690 9692 7ff642e2508f 9690->9692 9692->9671 9695 7ff642e2510c 9697 7ff642e25113 9695->9697 9799 7ff642e247f4 9695->9799 9784 7ff642e1f020 9697->9784 9698 7ff642e25154 9698->9700 9701 7ff642e251d4 CloseHandle CreateFileW 9698->9701 9700->9636 9702 7ff642e2521b GetLastError 9701->9702 9703 7ff642e25249 9701->9703 9704 7ff642e1c798 14 API calls 9702->9704 9703->9700 9705 7ff642e25228 9704->9705 9825 7ff642e20c9c 9705->9825 9834 7ff642e216a8 9707->9834 9711 7ff642e1d133 9710->9711 9715 7ff642e1d0f7 _set_fmode 9710->9715 9713 7ff642e1c808 _set_fmode 14 API calls 9711->9713 9712 7ff642e1d11a RtlAllocateHeap 9714 7ff642e1d131 9712->9714 9712->9715 9713->9714 9714->9645 9715->9711 9715->9712 9716 7ff642e1aaa8 _set_fmode EnterCriticalSection LeaveCriticalSection 9715->9716 9716->9715 9718 7ff642e206e4 MultiByteToWideChar 9717->9718 9721 7ff642e24ab4 9720->9721 9729 7ff642e24ace 9720->9729 9722 7ff642e1c808 _set_fmode 14 API calls 9721->9722 9721->9729 9723 7ff642e24ac3 9722->9723 9724 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 9723->9724 9724->9729 9725 7ff642e24bfe 9725->9667 9725->9668 9726 7ff642e24ba2 9726->9725 9730 7ff642e1b6c8 _get_daylight 31 API calls 9726->9730 9727 7ff642e24b4e 9727->9726 9728 7ff642e1c808 _set_fmode 14 API calls 9727->9728 9732 7ff642e24b97 9728->9732 9729->9727 9733 7ff642e1c808 _set_fmode 14 API calls 9729->9733 9731 
7ff642e24bfa 9730->9731 9731->9725 9734 7ff642e24c7c 9731->9734 9735 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 9732->9735 9736 7ff642e24b43 9733->9736 9737 7ff642e18620 _invalid_parameter_noinfo_noreturn 17 API calls 9734->9737 9735->9726 9738 7ff642e185d0 _invalid_parameter_noinfo 31 API calls 9736->9738 9739 7ff642e24c91 9737->9739 9738->9727 9741 7ff642e1f414 Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 9740->9741 9748 7ff642e20b7f 9741->9748 9742 7ff642e20bcb 9744 7ff642e1f468 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 9742->9744 9743 7ff642e20ba8 9745 7ff642e208ac 15 API calls 9743->9745 9746 7ff642e20c7d 9744->9746 9747 7ff642e20bad 9745->9747 9746->9673 9746->9674 9747->9742 9751 7ff642e20a4c EnterCriticalSection 9747->9751 9748->9742 9748->9743 9749 7ff642e20bfe EnterCriticalSection 9748->9749 9749->9742 9750 7ff642e20c0d LeaveCriticalSection 9749->9750 9750->9748 9751->9742 9753 7ff642e20a97 9752->9753 9754 7ff642e20b02 9752->9754 9753->9754 9760 7ff642e20ac3 9753->9760 9755 7ff642e1c808 _set_fmode 14 API calls 9754->9755 9756 7ff642e20b07 9755->9756 9757 7ff642e1c7e8 14 API calls 9756->9757 9758 7ff642e20af5 9757->9758 9758->9695 9761 7ff642e24c94 9758->9761 9759 7ff642e20aec SetStdHandle 9759->9758 9760->9758 9760->9759 9762 7ff642e24ccb 9761->9762 9763 7ff642e24cfb 9761->9763 9762->9763 9764 7ff642e27050 33 API calls 9762->9764 9763->9695 9765 7ff642e24ce0 9764->9765 9766 7ff642e24ce9 9765->9766 9767 7ff642e24cff 9765->9767 9769 7ff642e1c7e8 14 API calls 9766->9769 9768 7ff642e27800 43 API calls 9767->9768 9770 7ff642e24d16 9768->9770 9771 7ff642e24cee 9769->9771 9772 7ff642e24d2c 9770->9772 9775 7ff642e270c0 60 API calls 9770->9775 9771->9763 9774 7ff642e1c808 _set_fmode 14 API calls 9771->9774 9772->9771 9773 7ff642e27050 33 API calls 9772->9773 9773->9771 9774->9763 9775->9772 9777 7ff642e1cd1c _set_fmode 14 API calls 9776->9777 9778 7ff642e1c7f1 9777->9778 9778->9671 9780 7ff642e1cd1c 
_set_fmode 14 API calls 9779->9780 9781 7ff642e1c7a9 9780->9781 9782 7ff642e1cd1c _set_fmode 14 API calls 9781->9782 9783 7ff642e1c7c2 Concurrency::details::SchedulerProxy::DeleteThis 9782->9783 9783->9671 9785 7ff642e20d58 31 API calls 9784->9785 9786 7ff642e1f034 9785->9786 9787 7ff642e1f03a 9786->9787 9789 7ff642e1f077 9786->9789 9791 7ff642e20d58 31 API calls 9786->9791 9788 7ff642e20c9c 15 API calls 9787->9788 9790 7ff642e1f09f 9788->9790 9789->9787 9792 7ff642e20d58 31 API calls 9789->9792 9793 7ff642e1f0cb 9790->9793 9797 7ff642e1c798 14 API calls 9790->9797 9794 7ff642e1f06a 9791->9794 9795 7ff642e1f083 FindCloseChangeNotification 9792->9795 9793->9700 9798 7ff642e20d58 31 API calls 9794->9798 9795->9787 9796 7ff642e1f090 GetLastError 9795->9796 9796->9787 9797->9793 9798->9789 9800 7ff642e24845 9799->9800 9818 7ff642e2499a 9799->9818 9801 7ff642e1b6c8 _get_daylight 31 API calls 9800->9801 9806 7ff642e24865 9800->9806 9802 7ff642e2485d 9801->9802 9803 7ff642e24a70 9802->9803 9802->9806 9804 7ff642e18620 _invalid_parameter_noinfo_noreturn 17 API calls 9803->9804 9805 7ff642e24a84 9804->9805 9808 7ff642e24914 9806->9808 9809 7ff642e27050 33 API calls 9806->9809 9806->9818 9807 7ff642e27800 43 API calls 9812 7ff642e24941 9807->9812 9808->9807 9810 7ff642e24995 9808->9810 9808->9818 9819 7ff642e24968 9808->9819 9811 7ff642e2497d 9809->9811 9813 7ff642e1c808 _set_fmode 14 API calls 9810->9813 9817 7ff642e27050 33 API calls 9811->9817 9811->9819 9812->9810 9814 7ff642e249b8 9812->9814 9815 7ff642e249c5 9812->9815 9816 7ff642e249e5 9812->9816 9812->9819 9813->9818 9820 7ff642e1c808 _set_fmode 14 API calls 9814->9820 9815->9816 9821 7ff642e249cc 9815->9821 9822 7ff642e27050 33 API calls 9816->9822 9817->9808 9818->9697 9818->9698 9819->9810 9819->9818 9823 7ff642e25c18 60 API calls 9819->9823 9820->9810 9824 7ff642e27050 33 API calls 9821->9824 9822->9819 9823->9819 9824->9819 9826 7ff642e20cb8 9825->9826 9827 7ff642e20d2a 9825->9827 9826->9827 9833 7ff642e20ceb 

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • IDDDeviceInfoSet::CreateDeviceNode SetupDiCreateDeviceInfoList success, xrefs: 00007FF642E1108A
                                                                                                      • IDDDeviceInfoSet::PrivateDetectDeviceNode SetupDiGetDeviceRegistryProperty failed %d, xrefs: 00007FF642E112EE
                                                                                                      • IDDDeviceInfoSet::CreateDeviceNode SetupDiCreateDeviceInfoList failed %d, xrefs: 00007FF642E11065
                                                                                                      • IDDDeviceInfoSet::CreateDeviceNode StringCchCopy failed %d, xrefs: 00007FF642E1116E
                                                                                                      • IDDDeviceInfoSet::CreateDeviceNode SetupDiCreateDeviceInfo success, xrefs: 00007FF642E110FC
                                                                                                      • IDDDeviceInfoSet::CreateDeviceNode SetupDiSetDeviceRegistryProperty success, xrefs: 00007FF642E111DF
                                                                                                      • IDDDeviceInfoSet::CreateDeviceNode SetupDiCallClassInstaller success, xrefs: 00007FF642E11387
                                                                                                      • IDDDeviceInfoSet::CreateDeviceNode PrivateDetectDeviceNode device detected, xrefs: 00007FF642E11379
                                                                                                      • IDDDeviceInfoSet::CreateDeviceNode SetupDiCreateDeviceInfo failed %d, xrefs: 00007FF642E110DF
                                                                                                      • , xrefs: 00007FF642E1127E
                                                                                                      • IDDDeviceInfoSet::CreateDeviceNode SetupDiSetDeviceRegistryProperty failed %d, xrefs: 00007FF642E111C2
                                                                                                      • IDDDeviceInfoSet::PrivateDetectDeviceNode SetupDiGetClassDevs failed %d, xrefs: 00007FF642E11229
                                                                                                      • IDDDeviceInfoSet::PrivateDetectDeviceNode Current HWID = %s, xrefs: 00007FF642E11311
                                                                                                      • IDDDeviceInfoSet::CreateDeviceNode SetupDiCallClassInstaller failed %d, xrefs: 00007FF642E1125C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateDeviceErrorInfoLastSetup$List
                                                                                                      • String ID: $IDDDeviceInfoSet::CreateDeviceNode PrivateDetectDeviceNode device detected$IDDDeviceInfoSet::CreateDeviceNode SetupDiCallClassInstaller failed %d$IDDDeviceInfoSet::CreateDeviceNode SetupDiCallClassInstaller success$IDDDeviceInfoSet::CreateDeviceNode SetupDiCreateDeviceInfo failed %d$IDDDeviceInfoSet::CreateDeviceNode SetupDiCreateDeviceInfo success$IDDDeviceInfoSet::CreateDeviceNode SetupDiCreateDeviceInfoList failed %d$IDDDeviceInfoSet::CreateDeviceNode SetupDiCreateDeviceInfoList success$IDDDeviceInfoSet::CreateDeviceNode SetupDiSetDeviceRegistryProperty failed %d$IDDDeviceInfoSet::CreateDeviceNode SetupDiSetDeviceRegistryProperty success$IDDDeviceInfoSet::CreateDeviceNode StringCchCopy failed %d$IDDDeviceInfoSet::PrivateDetectDeviceNode Current HWID = %s$IDDDeviceInfoSet::PrivateDetectDeviceNode SetupDiGetClassDevs failed %d$IDDDeviceInfoSet::PrivateDetectDeviceNode SetupDiGetDeviceRegistryProperty failed %d
                                                                                                      • API String ID: 3956582768-2283095087
                                                                                                      • Opcode ID: fed52326e30b97d101902100e3bd5036ce6bd3c6a262ac63560ba96fae691d76
                                                                                                      • Instruction ID: e8d25667b107896b55c2c22086413ead0fa569cdcc3b4b041427c4c207899b9c
                                                                                                      • Opcode Fuzzy Hash: fed52326e30b97d101902100e3bd5036ce6bd3c6a262ac63560ba96fae691d76
                                                                                                      • Instruction Fuzzy Hash: FBA1C661B0C68281EB50BB25E8447B96791FF88788F60413DDA4DC7B96EEBFD588C710
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ConditionMask$Info$VerifyVersion$DestroyDeviceListMessageSetup
                                                                                                      • String ID: 98$IDDSetupActions::Install Begin Install Process...$IDDSetupActions::Install DeviceInfoSet.CreateDeviceNode failed %d$IDDSetupActions::Install DeviceInfoSet.CreateDeviceNode success$IDDSetupActions::Install DiInstallDriver failed %d$IDDSetupActions::Install DiInstallDriver success$IDDSetupActions::Install Install Process Finished$IDDSetupActions::Install failed! Windows 10 version not supported$IDDSetupActions::Install failed! Windows version not supported.$Install failed!$Windows 10 version not supported
                                                                                                      • API String ID: 2700560119-2907799221
                                                                                                      • Opcode ID: 6418241ce41e410b4eaa1010cb9a566d40ee586d4baca8c64cab1df858a32ca7
                                                                                                      • Instruction ID: 3c499d8c51aca830d7e2c9a5c9bc50faacfe0a9e55aad57ca27b57abfbd11783
                                                                                                      • Opcode Fuzzy Hash: 6418241ce41e410b4eaa1010cb9a566d40ee586d4baca8c64cab1df858a32ca7
                                                                                                      • Instruction Fuzzy Hash: 1571BD71A0CA4282E710FF24E8407B967A1FB45758F604239D69DC76E8DFBEE588C750
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: LocalTime
                                                                                                      • String ID: ====================================================$16:37:52$Call: %d/%d/%d %d:%d:%d Build: %S %S$DriverSetup _tmain: Removing device and driver...$DriverSetup _tmain: Wrong action arguments "install" or "remove" $Jul 15 2019$remove
                                                                                                      • API String ID: 481472006-1379280510
                                                                                                      • Opcode ID: 1f1c3b3a2c98da29ed7ade547b96e98a51decfd9d55029b0bbaa74a23730cf53
                                                                                                      • Instruction ID: 00e3e98328fd3a1a86ecdeff0a056b02717ae2d5d27cab7beba14d6f4c1160fe
                                                                                                      • Opcode Fuzzy Hash: 1f1c3b3a2c98da29ed7ade547b96e98a51decfd9d55029b0bbaa74a23730cf53
                                                                                                      • Instruction Fuzzy Hash: CB51C862B1C79181EB10BF64E8002B9A761FB95768F600339EAAD93BD5DFBDD184C700
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                      • String ID: ====================================================$16:37:52$Call: %d/%d/%d %d:%d:%d Build: %S %S$DriverSetup _tmain: Installing device and driver...$DriverSetup _tmain: Setup Success!$DriverSetup _tmain: Uninstall previous device and driver first...$DriverSetup _tmain: Wrong action arguments "install" or "remove" $DriverSetup _tmain:Exit Setup Failed$Jul 15 2019$install$remove
                                                                                                      • API String ID: 3668304517-3626524580
                                                                                                      • Opcode ID: 20efa88e6ce2be25d30c8158642f15d046da5ff4d7f8f5ef6fbe013f143cf46b
                                                                                                      • Instruction ID: e1e53072465819b954772ac9dd197f2df5d3b8181910ef342bcdf8713e1e2a4c
                                                                                                      • Opcode Fuzzy Hash: 20efa88e6ce2be25d30c8158642f15d046da5ff4d7f8f5ef6fbe013f143cf46b
                                                                                                      • Instruction Fuzzy Hash: DC41D226B0C69191EA04BB16D5042BD6B61FB44BECF244239CE6D47BD0DFBDE4D28340
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
                                                                                                      • String ID:
                                                                                                      • API String ID: 1330151763-0
                                                                                                      • Opcode ID: ce18df10edfee4b7cca9ab3f4794dfe56517ee6091c7c382c7b3d2b0b3b863f8
                                                                                                      • Instruction ID: 004ce611fec5c24b056a21c2f86b8cc13facdf730c7bbe10bc8245577e4c0832
                                                                                                      • Opcode Fuzzy Hash: ce18df10edfee4b7cca9ab3f4794dfe56517ee6091c7c382c7b3d2b0b3b863f8
                                                                                                      • Instruction Fuzzy Hash: 98C1BF73B28A4285EB14EF69D4906AC3761FB48BA8B201239DA2E877D4CF7AD051C310
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__isa_available_init__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
                                                                                                      • String ID:
                                                                                                      • API String ID: 1587290953-0
                                                                                                      • Opcode ID: e5c44d8ad92b478862b948c34687c5e22606e722f49d1bf53a1e0d022d216bb8
                                                                                                      • Instruction ID: 21762c6e08f7cbf392765dc09a9aa20da4a8e9e54421dfa37487a503b5f0609a
                                                                                                      • Opcode Fuzzy Hash: e5c44d8ad92b478862b948c34687c5e22606e722f49d1bf53a1e0d022d216bb8
                                                                                                      • Instruction Fuzzy Hash: 89312A65E0C20745FA14BB6195617F91A91BF5178CFA4403CE60ECB7E7DEEEA884C210
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 36cab3562cd4119044195181c9f11b63ba19f5a678f0cfc55da0a4610a529a7a
                                                                                                      • Instruction ID: 23948702201e3c36c54e0d056bc86573235a7119fbd43f1342a5edb0711d6ee8
                                                                                                      • Opcode Fuzzy Hash: 36cab3562cd4119044195181c9f11b63ba19f5a678f0cfc55da0a4610a529a7a
                                                                                                      • Instruction Fuzzy Hash: F7C1F2A2A0C68741EB20BB2594402FD7B91FF81B98F650179DA4F83795DEFEE495C320
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 2210144848-0
                                                                                                      • Opcode ID: 774a35251612d5c2edf0d44ee06614149a02f96cc033c35a951073a6a5548689
                                                                                                      • Instruction ID: 9388233ff90d3697f166a6c6e992d9d1e41edc9be80ef96ee420baf92d28c6eb
                                                                                                      • Opcode Fuzzy Hash: 774a35251612d5c2edf0d44ee06614149a02f96cc033c35a951073a6a5548689
                                                                                                      • Instruction Fuzzy Hash: F38190B2E1C60389F714BB6585802FD26A0FF4479CF640139DA0FD7A95DFBAA485C320
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00007FF642E1A960: _invalid_parameter_noinfo.LIBCMT ref: 00007FF642E1A984
                                                                                                      • OutputDebugStringW.KERNEL32 ref: 00007FF642E12C22
                                                                                                        • Part of subcall function 00007FF642E1A7A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF642E1A7D9
                                                                                                        • Part of subcall function 00007FF642E1AA3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF642E1AA5E
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo$DebugOutputString
                                                                                                      • String ID: C:\Users\Public\MirrorOpDisplaySetup.log$IDDDriverSetup:
                                                                                                      • API String ID: 2581269838-419058318
                                                                                                      • Opcode ID: 1fdccb3333afe2d85403c7c69e84eb54a89c046a9ce12d80f55bf5ba7a8a31b5
                                                                                                      • Instruction ID: fee686b85fe384079d07a797d77051813a329687a766a8e86bf40806e4c34d7a
                                                                                                      • Opcode Fuzzy Hash: 1fdccb3333afe2d85403c7c69e84eb54a89c046a9ce12d80f55bf5ba7a8a31b5
                                                                                                      • Instruction Fuzzy Hash: 2961827261CB8681EB10FF15E8401BEA761FB84798F604235EA9D83BA9DFBDD585C700
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • IDDUtilities::ScanForHardwareChanges CM_Reenumerate_DevNode failed, xrefs: 00007FF642E1430F
                                                                                                      • IDDUtilities::ScanForHardwareChanges CM_Locate_DevNode failed, xrefs: 00007FF642E142D7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Node$Locate_Reenumerate_
                                                                                                      • String ID: IDDUtilities::ScanForHardwareChanges CM_Locate_DevNode failed$IDDUtilities::ScanForHardwareChanges CM_Reenumerate_DevNode failed
                                                                                                      • API String ID: 663006516-2655738101
                                                                                                      • Opcode ID: de5a6593056758a1d5df4bd3b6a6829154c8c0efcc4f9c667fd4eb99a4ce45f3
                                                                                                      • Instruction ID: 8d8f1d48942e6f92fbe874405c88a2d43a76511eda2f55dd40a2aaadb132d130
                                                                                                      • Opcode Fuzzy Hash: de5a6593056758a1d5df4bd3b6a6829154c8c0efcc4f9c667fd4eb99a4ce45f3
                                                                                                      • Instruction Fuzzy Hash: B601DD66F0C58241FA10FB20F4522B52790FF8A78DFD01139D94D83766CDADD185DA00
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                                      • String ID:
                                                                                                      • API String ID: 1703294689-0
                                                                                                      • Opcode ID: 0c95c501e3aa58c91eb204de892f5bc9b6e096e42d449aa4c61e527aa3f7e4b6
                                                                                                      • Instruction ID: f8f8e97c24f52b4e4ba8f8acfe9083c3875aba2eaa7f097855a3c95a56900542
                                                                                                      • Opcode Fuzzy Hash: 0c95c501e3aa58c91eb204de892f5bc9b6e096e42d449aa4c61e527aa3f7e4b6
                                                                                                      • Instruction Fuzzy Hash: 91E04FA0B1C31683FA147B3198863B92253BF98755F38453CC80F82396CDBFE8889620
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • IDDSetupActions::PrivateInitializeGlobals: --%s --%s --{%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02h, xrefs: 00007FF642E1308E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                      • String ID: IDDSetupActions::PrivateInitializeGlobals: --%s --%s --{%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02h
                                                                                                      • API String ID: 3668304517-916782376
                                                                                                      • Opcode ID: a894ce2d942afe69fb48e9ad5abdc3fb57e9f5241da4a0890cebf7d63fed4c43
                                                                                                      • Instruction ID: 20a2198607551ad3f1fe71ff6c8a39813432f1555e0b00b376d4a79d99f627ed
                                                                                                      • Opcode Fuzzy Hash: a894ce2d942afe69fb48e9ad5abdc3fb57e9f5241da4a0890cebf7d63fed4c43
                                                                                                      • Instruction Fuzzy Hash: E241FC6271869591EF04AF29D84837C6762FB41FCCF64403ACB4C47A6ADFAAD8C4C344
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: try_get_function
                                                                                                      • String ID: AppPolicyGetProcessTerminationMethod
                                                                                                      • API String ID: 2742660187-2031265017
                                                                                                      • Opcode ID: e69678c3cfe61916d7db9ea98564df39a8d9a643ad3256a5b6483599ddd7f16c
                                                                                                      • Instruction ID: 69728f2e98a40728f41d0cdad9e3aae005f09f0c33c638fa1b4e6dd53e69a1e6
                                                                                                      • Opcode Fuzzy Hash: e69678c3cfe61916d7db9ea98564df39a8d9a643ad3256a5b6483599ddd7f16c
                                                                                                      • Instruction Fuzzy Hash: B3E01AD5E0D60791FE18B792A8411E01210BF08778E685339D93E8A3D19EBE99958360
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 82216182e848de2abea6143fb377a1564691df6ac5a930d42d38bf4f79c2048e
                                                                                                      • Instruction ID: 32f0f7f244f7c27f972b2c57eed67f421a74e1b45824754f6c7ffea4f7a7df52
                                                                                                      • Opcode Fuzzy Hash: 82216182e848de2abea6143fb377a1564691df6ac5a930d42d38bf4f79c2048e
                                                                                                      • Instruction Fuzzy Hash: B471767290C21286E768BF29805417D3EA0FB05B1CF75113DDB4A8229CDFBAE8C1C769
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 442123175-0
                                                                                                      • Opcode ID: 27d347e4bcd25ef26ffbe790efe73bfa142ff14cf4f6cd0181413b1227ae1f4d
                                                                                                      • Instruction ID: 6cd1c31d7e3e7767f3f859fa7eb95c89a8d8368886c92a7b94081f0fa7d08620
                                                                                                      • Opcode Fuzzy Hash: 27d347e4bcd25ef26ffbe790efe73bfa142ff14cf4f6cd0181413b1227ae1f4d
                                                                                                      • Instruction Fuzzy Hash: 9531E0B2A0CB828ADB10BF14E5402E967A0FB087D8F64403AEB4EC3B14DFB9D555CB10
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ChangeCloseErrorFindLastNotification
                                                                                                      • String ID:
                                                                                                      • API String ID: 1687624791-0
                                                                                                      • Opcode ID: be9002b8416e5295c7f2982e29ec05d96a0427f6fd9441a002e6fec03e55bcf1
                                                                                                      • Instruction ID: 37ab179527cd1b64ba819a772351e8da1e4fc5de1a5c2f9b75a80f738828364f
                                                                                                      • Opcode Fuzzy Hash: be9002b8416e5295c7f2982e29ec05d96a0427f6fd9441a002e6fec03e55bcf1
                                                                                                      • Instruction Fuzzy Hash: CC11A251F0C78341EE90732090902BC1A81BF657ACF34033DDA2EC62D2CEEFA4C54241
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • SetFilePointerEx.KERNELBASE(?,?,?,00007FF642E24CE0,?,?,?,?,?,?,00000000,?,00000000,00007FF642E24EEB), ref: 00007FF642E26FF0
                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF642E24CE0,?,?,?,?,?,?,00000000,?,00000000,00007FF642E24EEB), ref: 00007FF642E26FFA
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastPointer
                                                                                                      • String ID:
                                                                                                      • API String ID: 2976181284-0
                                                                                                      • Opcode ID: f8b7599dcf22bb89b8b193dfe863a99efbf54b8ba5e020d3d78d394a76263e3e
                                                                                                      • Instruction ID: c19c898d9b548ee46c0476ac51ada8eccfecd04c5e6a1b51be1eae1a08a67d08
                                                                                                      • Opcode Fuzzy Hash: f8b7599dcf22bb89b8b193dfe863a99efbf54b8ba5e020d3d78d394a76263e3e
                                                                                                      • Instruction Fuzzy Hash: FF01E9A1A1C64381EE10BB26A4400B86650BF44BF4F745339E93F877D4DFBDD0958310
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d7e2edb4a4f1cf0e7c3c5d5c031aecd15cb96ee01b3a1357df52281ece434e74
                                                                                                      • Instruction ID: 450481875c62f297668633b26391b5aac5c3a8a27e99332c6cb7d355ede65d8f
                                                                                                      • Opcode Fuzzy Hash: d7e2edb4a4f1cf0e7c3c5d5c031aecd15cb96ee01b3a1357df52281ece434e74
                                                                                                      • Instruction Fuzzy Hash: BA219C62E1C24246E605BF6699423BD2A50BF407A8F75113CE91ED73D2EFFEE4818721
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 89a336117cc6922ecb649ae1b676eb087051db96fcba9078e30f0755c774c229
                                                                                                      • Instruction ID: b8bd73f612ee51f0de8b80fd70f16535f5734c4a7625211d147f4c6e42665e90
                                                                                                      • Opcode Fuzzy Hash: 89a336117cc6922ecb649ae1b676eb087051db96fcba9078e30f0755c774c229
                                                                                                      • Instruction Fuzzy Hash: 712151A3A1C64685FA41BF6698413BC2A507F407B8F651338D92EC73D2CEFEA4818721
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: ed49867dc817cdbed8b5893793f95e782088cc0eca42dc952ae6e14dcc9c0ca3
                                                                                                      • Instruction ID: 65a45c22041ab21c549ef98d36a338f35fc10f3f980229fbf430eb32ca2f7269
                                                                                                      • Opcode Fuzzy Hash: ed49867dc817cdbed8b5893793f95e782088cc0eca42dc952ae6e14dcc9c0ca3
                                                                                                      • Instruction Fuzzy Hash: 7A219572A1CA8686D761BF18D4403B976B0FB85B58F344238EA6EC76D9DF7ED4408B10
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                      • String ID:
                                                                                                      • API String ID: 3947729631-0
                                                                                                      • Opcode ID: b50070ca2cf46ee1590de9f4002844b6b8e494ebe11e889baa32c7a63d0038af
                                                                                                      • Instruction ID: 33fcd0c315b3fed34fdb35a7b1d78a113d4df8f6cbb35f8e19ef1be2e3dbce84
                                                                                                      • Opcode Fuzzy Hash: b50070ca2cf46ee1590de9f4002844b6b8e494ebe11e889baa32c7a63d0038af
                                                                                                      • Instruction Fuzzy Hash: 5C214C32A087428AEB11BF68C4443FC3BA2FB4470CF68453ED60D86A85EFB9D585CB50
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 745ef307ceb8c17d98a6b64c954dd548f1c966b4d8a596774f449028c6480956
                                                                                                      • Instruction ID: f57832f40f7ac6d66ed7ea3a367e6cdd3eb6fa4149822580d99b7ac8d68e13af
                                                                                                      • Opcode Fuzzy Hash: 745ef307ceb8c17d98a6b64c954dd548f1c966b4d8a596774f449028c6480956
                                                                                                      • Instruction Fuzzy Hash: 1F114F22A1C64141FB51BB5194403BDAA90BF95B88FA84139EA4C87786DEBEE8C1D740
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 2498f85bfee4162a121415b107d629ec5b7f8fca4dabd0d222d8cbc529f7e140
                                                                                                      • Instruction ID: 5b71214c1ddcc557c9d7f3ba1a0729342e98d8108152c55a2c8b89b8c592f151
                                                                                                      • Opcode Fuzzy Hash: 2498f85bfee4162a121415b107d629ec5b7f8fca4dabd0d222d8cbc529f7e140
                                                                                                      • Instruction Fuzzy Hash: 52116DB291C68286F310BB14E4401B967A4FB90748F650039D69ED7AE6DFBEE850C750
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 39f21e3507edb8f12b6ac4b3c8d9479b54e610ff01785e5bc00f72deff8d0fcf
                                                                                                      • Instruction ID: c298dea0103b4c7e018ae048568371e5dac3c8e0ddf2b416d78eee7025a644e4
                                                                                                      • Opcode Fuzzy Hash: 39f21e3507edb8f12b6ac4b3c8d9479b54e610ff01785e5bc00f72deff8d0fcf
                                                                                                      • Instruction Fuzzy Hash: 47119D7391C68281EA04BB55D0402BC7BA1FF84758FA4423AE64D866E5CFFEE080CB01
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: db9c21ed129521e5d2efa00b5566bc81da9f3a44f333d9117da0a51689f35792
                                                                                                      • Instruction ID: ea433647d03c1e8003d388980fe51ee6d1a3eeadd30ab89af8963d1eaa4ab41d
                                                                                                      • Opcode Fuzzy Hash: db9c21ed129521e5d2efa00b5566bc81da9f3a44f333d9117da0a51689f35792
                                                                                                      • Instruction Fuzzy Hash: AE017C21E1D20241FE14BB7A95513791951BF847ACF381338E92EC72C2DEAEE4C1D251
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 0437a05a8b2fcdc18462a1ebf0f628809974bffd1a7324de2242080ef4244cf9
                                                                                                      • Instruction ID: 729439213ad56b760658b1b5e25bd9bddeec03368d7c6bbce5a267869c3b11cc
                                                                                                      • Opcode Fuzzy Hash: 0437a05a8b2fcdc18462a1ebf0f628809974bffd1a7324de2242080ef4244cf9
                                                                                                      • Instruction Fuzzy Hash: DE11B672A14F569CEB10EFA0D8404EC3BB8FB1435CB600639EA5D52B58EF74C1A5C390
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF642E1CD79,?,?,C:\Users\Public\MirrorOpDisplaySetup.log,00007FF642E1C811,?,?,?,?,00007FF642E1A8C6), ref: 00007FF642E1F541
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocateHeap
                                                                                                      • String ID:
                                                                                                      • API String ID: 1279760036-0
                                                                                                      • Opcode ID: 2ef55415c9e227d195b9ddc74ff9287e2cd9f98d43b344d340616750f5254069
                                                                                                      • Instruction ID: 0da552f094c53871882296037796e9765d10c368867ea1e6ccf1f1ffe4a68518
                                                                                                      • Opcode Fuzzy Hash: 2ef55415c9e227d195b9ddc74ff9287e2cd9f98d43b344d340616750f5254069
                                                                                                      • Instruction Fuzzy Hash: F2F04951B1D30242FE687B6659502B81A807F48B88F7C003CC90EC67D1EEEEE8C19260
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 09df2e4c5f0ffa8ab7ce09f2aa3eb155f60663295c9cd0dc27636491b26e3699
                                                                                                      • Instruction ID: 4a3675acbad5117533bd2952d3b6dc1bc763c104c36987b1beea905c17ba7278
                                                                                                      • Opcode Fuzzy Hash: 09df2e4c5f0ffa8ab7ce09f2aa3eb155f60663295c9cd0dc27636491b26e3699
                                                                                                      • Instruction Fuzzy Hash: F8F0BE21E4C20245FE04BBA8A54117D2A80BF45398FB80238F96EC73C3DEAEE4C2D710
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocateHeap
                                                                                                      • String ID:
                                                                                                      • API String ID: 1279760036-0
                                                                                                      • Opcode ID: 722968801c6b56da2d06f15ee503b3e27699ed8673d5b55e0f3087e4ff32d4cc
                                                                                                      • Instruction ID: 0dc483acfaec8678c5ae46beef9b6bf2c3f0c9dbbb2bbc610d8ee3c6a7f37e54
                                                                                                      • Opcode Fuzzy Hash: 722968801c6b56da2d06f15ee503b3e27699ed8673d5b55e0f3087e4ff32d4cc
                                                                                                      • Instruction Fuzzy Hash: 5BF03411F1C20640FB147B6259412B92A90BF887A8F68023CD92EC53C1DEEEE4C14220
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 63cec559c19ee4260ccbb5719ffa72cfb7ad2930d96ea3a12defc76b9ed1ce50
                                                                                                      • Instruction ID: 05c47fee9961a65c633bbc91950dac97636ac4826feec00a4404de79f17af537
                                                                                                      • Opcode Fuzzy Hash: 63cec559c19ee4260ccbb5719ffa72cfb7ad2930d96ea3a12defc76b9ed1ce50
                                                                                                      • Instruction Fuzzy Hash: 95F0BE22A1D70241EA00BB97A0C01782960BF48788F604138EA0C83346EE7DA4E08701
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$AppendDirectoryPathWindows
                                                                                                      • String ID: Class$IDDDeviceInfoSet::RemoveDriverOemInf FindFirstFileW failed %d$IDDDeviceInfoSet::RemoveDriverOemInf GetWindowsDirectory failed %d$IDDDeviceInfoSet::RemoveDriverOemInf PathAppendW1 failed %d$IDDDeviceInfoSet::RemoveDriverOemInf PathAppendW2 failed %d$IDDDeviceInfoSet::RemoveDriverOemInf PrivateValidateDriverOemInfFile %s "%s" and "%s" matched$IDDDeviceInfoSet::RemoveDriverOemInf PrivateValidateDriverOemInfFile %s didn't match$IDDDeviceInfoSet::RemoveDriverOemInf PrivateValidateDriverOemInfFile failed$IDDDeviceInfoSet::RemoveDriverOemInf Removing %s$IDDDeviceInfoSet::RemoveDriverOemInf Removing %s failed$IDDDeviceInfoSet::RemoveDriverOemInf SetupUninstallOEMInf failed %d$INF$MirrorOp$OEM*.INF$Provider$Version
                                                                                                      • API String ID: 4142974495-2044558743
                                                                                                      • Opcode ID: a23dbb0e6d4b7b2b8b5a9e3ff98523dff7d922e63d679815ebf66a74b533c89a
                                                                                                      • Instruction ID: 1ed719d36de1040de5ffcfe3a7c61e946e66da782728da5d2f6831eeb98f2426
                                                                                                      • Opcode Fuzzy Hash: a23dbb0e6d4b7b2b8b5a9e3ff98523dff7d922e63d679815ebf66a74b533c89a
                                                                                                      • Instruction Fuzzy Hash: 2002B562B1CA8285EB10BB64D8843FD2761FB44798F604239DA5D97BDADFBED184C340
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                      • API String ID: 808467561-2761157908
                                                                                                      • Opcode ID: c088b6929c0f9bc34fe6dfb52d229c3f4b83aefbc7bca1ba8693c723832208dc
                                                                                                      • Instruction ID: 9267dfeee9ff3e3ce06723b19da27fa5c30e4a97e626bf0eeaea09deab57293c
                                                                                                      • Opcode Fuzzy Hash: c088b6929c0f9bc34fe6dfb52d229c3f4b83aefbc7bca1ba8693c723832208dc
                                                                                                      • Instruction Fuzzy Hash: 7AB2F7B2A1C2838AE765EE25D4407F977A1FB4478CF601139DA0B97B84DFBAE5408F11
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 3215553584-0
                                                                                                      • Opcode ID: 115ced47fba728b64034feec603b799796ce04428ae76f6d02db1c29cd062fd7
                                                                                                      • Instruction ID: 2ba0e06ad5711626d7da124f1922928262628d0dbd1833eaa7ea5dac7d4e68a2
                                                                                                      • Opcode Fuzzy Hash: 115ced47fba728b64034feec603b799796ce04428ae76f6d02db1c29cd062fd7
                                                                                                      • Instruction Fuzzy Hash: A0A1C662B1CB8241EA20FF6294105BA6BA0FB44BD8F604539DE5E87BD4DFFED4858340
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                      • String ID:
                                                                                                      • API String ID: 1239891234-0
                                                                                                      • Opcode ID: c218e6428fe59945107506239c80b73fb5df4707f7e3fcad3d969d2b93b23afb
                                                                                                      • Instruction ID: 28c60531996a30caf155b7395d2ff2adef9c37d09d7b95c52638dc8b5616e5d7
                                                                                                      • Opcode Fuzzy Hash: c218e6428fe59945107506239c80b73fb5df4707f7e3fcad3d969d2b93b23afb
                                                                                                      • Instruction Fuzzy Hash: 22316176608B8285E760EF25E8406FE77A0FB88758F640139EA9D83B54DF79C585CB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastWrite$Console
                                                                                                      • String ID:
                                                                                                      • API String ID: 786612050-0
                                                                                                      • Opcode ID: 0a16433618475bb2fbb724adfe60251262132465e8a8c9069d17f2d8e41059e0
                                                                                                      • Instruction ID: 5881d87ee3c5ce3ea3c7392c3c33a0be73f27b24a2122d4d7b3f3e41e4d6a512
                                                                                                      • Opcode Fuzzy Hash: 0a16433618475bb2fbb724adfe60251262132465e8a8c9069d17f2d8e41059e0
                                                                                                      • Instruction Fuzzy Hash: F5E1FFB2B0CA828AE715EB64D5401ED7BB1FB447DCB64013ACE4E87B89DE79D15AC310
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: gfffffff
                                                                                                      • API String ID: 3215553584-1523873471
                                                                                                      • Opcode ID: eb9b58d48915d5d3ffdb1694eed1e2520faa93a2238d0f6c1b62b2a1e239f2e1
                                                                                                      • Instruction ID: 66c246c61ea0493ce619da6a0ecd85491c41a888c200906d992583dd415f5d6d
                                                                                                      • Opcode Fuzzy Hash: eb9b58d48915d5d3ffdb1694eed1e2520faa93a2238d0f6c1b62b2a1e239f2e1
                                                                                                      • Instruction Fuzzy Hash: 9C913766B0D78586EF11FB26A0003BD7B94BB55B88F258036CA5DC7395DEBEE542C301
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: memcpy_s
                                                                                                      • String ID:
                                                                                                      • API String ID: 1502251526-0
                                                                                                      • Opcode ID: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
                                                                                                      • Instruction ID: ab2d745c5c4d5bb22cd6170048a7024ec0ae5ce5549b161b53de912b1fa0836f
                                                                                                      • Opcode Fuzzy Hash: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
                                                                                                      • Instruction Fuzzy Hash: 07C1E7B2B1C28787EB24EF19E0446A9B791F794788F548539DB4B83745DE7DE801CB00
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionRaise_clrfp
                                                                                                      • String ID:
                                                                                                      • API String ID: 15204871-0
                                                                                                      • Opcode ID: 95f61eeb739547d073861f78051d6f3c476241b31da44aaeb0ef501daefc93bb
                                                                                                      • Instruction ID: d03bfb4528f18afa4eaffbbe9518e55e78c1f51f6652cd3da6f53c23a36630eb
                                                                                                      • Opcode Fuzzy Hash: 95f61eeb739547d073861f78051d6f3c476241b31da44aaeb0ef501daefc93bb
                                                                                                      • Instruction Fuzzy Hash: 29B15DB7604B458BEB19DF29C8423A837A0F744B4CF258925DA5EC77A4CF7AD412C720
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _get_daylight_invalid_parameter_noinfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 474895018-0
                                                                                                      • Opcode ID: 2c0e8cf9ecd32d47927021ebdc77bddd88ff9bcbcbc81d18fe1dfc7b5bc233b3
                                                                                                      • Instruction ID: cc06bc9142333f32c0c0fb2e64ec5cbb952074bdf2a5b44662c3dfba19d48b94
                                                                                                      • Opcode Fuzzy Hash: 2c0e8cf9ecd32d47927021ebdc77bddd88ff9bcbcbc81d18fe1dfc7b5bc233b3
                                                                                                      • Instruction Fuzzy Hash: A471E6A2E1C18345FB68BE6994407B962C1BF40368F34463DD66FD66D5DEBEE8408720
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: IDDDriverSetup:
                                                                                                      • API String ID: 3215553584-3399996212
                                                                                                      • Opcode ID: eeecbc9370603bd795ef03539da0dfcad55c3f8d195f77c9a7197fff2f096a54
                                                                                                      • Instruction ID: cd05b06c3591b8e7aeb023942e0fb76a7668ece9f0727e31993ff09a75269fd1
                                                                                                      • Opcode Fuzzy Hash: eeecbc9370603bd795ef03539da0dfcad55c3f8d195f77c9a7197fff2f096a54
                                                                                                      • Instruction Fuzzy Hash: 5981A425A1C24346EB68BB1580406B92AA0FB4474CFA4513DDF4ED72DDDEBFE8C6C609
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: 0
                                                                                                      • API String ID: 3215553584-4108050209
                                                                                                      • Opcode ID: 649e0a7f1f2a183af6f7ecf5fee3c563b9f904e0040214e62e5041397cd9e972
                                                                                                      • Instruction ID: e997a9cab9d18a30c8db68cf7f785e80526f863f526a8c63011d3349155f05bf
                                                                                                      • Opcode Fuzzy Hash: 649e0a7f1f2a183af6f7ecf5fee3c563b9f904e0040214e62e5041397cd9e972
                                                                                                      • Instruction Fuzzy Hash: C6718825A1C24282EA68BB1980505F92AD1FF4074CFA4513DDF8D9769DCEAFE8C3D60D
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HeapProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 54951025-0
                                                                                                      • Opcode ID: 8cb911616c0c471bd8f1c4d055677fc15ca31b6172e8a1e6e6f084f6f4521530
                                                                                                      • Instruction ID: 7dd1896884681789066354701945cb61c81914e12105e79637f35ba1e5272f0a
                                                                                                      • Opcode Fuzzy Hash: 8cb911616c0c471bd8f1c4d055677fc15ca31b6172e8a1e6e6f084f6f4521530
                                                                                                      • Instruction Fuzzy Hash: 47B09220E0BA02C2EA083B126C8265422E57F48705FA8807CC10D81720DEAE20A55710
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFreeHeapLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 485612231-0
                                                                                                      • Opcode ID: a6b7901535879102e52d180541d17e935bd36162002a264cb2cab31585bdd6f6
                                                                                                      • Instruction ID: 350f8b351fedf349d8052b9e3920fa0a874eb8c3be6315a5092c3f84fd1baf9e
                                                                                                      • Opcode Fuzzy Hash: a6b7901535879102e52d180541d17e935bd36162002a264cb2cab31585bdd6f6
                                                                                                      • Instruction Fuzzy Hash: 28412662718A5482FF04EF2AD9501B97791BB48FD8B18913ADE0DC7B58DF7DC0868300
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 773ce178cf9d8c58a0c86e4b7ff20be9513e03678f5b126c918c20272d577166
                                                                                                      • Instruction ID: 593cc1ba588e0c4f10a3e87e3683dd2ba250b8b9cd4f4ee91e5250c13a5c2b3c
                                                                                                      • Opcode Fuzzy Hash: 773ce178cf9d8c58a0c86e4b7ff20be9513e03678f5b126c918c20272d577166
                                                                                                      • Instruction Fuzzy Hash: A1F044717186658BDBA4AF29A44262977D0F708385F50803DD68DC3E14DB7D94518F08
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b286ab134bbf7995b5c3fb49a7b69422194a8c5c8628ae7bda57b0ba49535a70
                                                                                                      • Instruction ID: a25d032b3f7d6da4f50d7305c691c010651a07a390589e91bf82830632f40cf4
                                                                                                      • Opcode Fuzzy Hash: b286ab134bbf7995b5c3fb49a7b69422194a8c5c8628ae7bda57b0ba49535a70
                                                                                                      • Instruction Fuzzy Hash: F5A002A290DC13D4E608BB00EC514742734FB50359B64C039D00ED25609FBEE880D360
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$Delete$File$DirectoryHinfInstallSectionSystem
                                                                                                      • String ID: DefaultUninstall 128 $IDDSetupActions::PrivateCleanup Removing file and registry entry$IDDSetupActions::PrivateCleanup SHDeleteKey failed! %d$MirrorOpVirtualDisplay1_0.dll$MirrorOpVirtualDisplay1_2.dll$SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\MirrorOpVirtualDisplay$\drivers\UMDF\
                                                                                                      • API String ID: 3428179359-2394112160
                                                                                                      • Opcode ID: 6449a2557ed0ab4c11eae37c6624858533e72db506172eebe3eadb8f37aa4b5d
                                                                                                      • Instruction ID: e4d5c8d02cec2379b8c59f1986bfc48806fb27e4d2f779cda55bb774f585e9fe
                                                                                                      • Opcode Fuzzy Hash: 6449a2557ed0ab4c11eae37c6624858533e72db506172eebe3eadb8f37aa4b5d
                                                                                                      • Instruction Fuzzy Hash: B4D18462A1C78281FE00BB68D4452BD6721FB857A8F605239DAAD52AE9DFBDD1C4C700
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • IDDDeviceInfoSet::RemoveDeviceNode No Device instance found, xrefs: 00007FF642E115E0
                                                                                                      • IDDDeviceInfoSet::RemoveDeviceNode SetupDiGetDeviceRegistryProperty (4) failed %d, xrefs: 00007FF642E11576
                                                                                                      • IDDDeviceInfoSet::RemoveDeviceNode Find device instance/s..., xrefs: 00007FF642E1146F
                                                                                                      • IDDDeviceInfoSet::RemoveDeviceNode SetupDiGetDeviceRegistryProperty (1) failed %d, xrefs: 00007FF642E114FF
                                                                                                      • IDDDeviceInfoSet::RemoveDeviceNode SetupDiGetClassDevs failed %d, xrefs: 00007FF642E11429
                                                                                                      • IDDDeviceInfoSet::RemoveDeviceNode Current HWID = %s, xrefs: 00007FF642E11522
                                                                                                      • IDDDeviceInfoSet::RemoveDeviceNode No more items, xrefs: 00007FF642E115CB
                                                                                                      • IDDDeviceInfoSet::RemoveDeviceNode Found an instance = %s %d, xrefs: 00007FF642E11594
                                                                                                      • IDDDeviceInfoSet::RemoveDeviceNode SetupDiGetClassDevs success, xrefs: 00007FF642E1144E
                                                                                                      • IDDDeviceInfoSet::RemoveDeviceNode SetupDiEnumDeviceInfo failed %d, xrefs: 00007FF642E1162E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastSetup$Device$EnumInfo$ClassDevsPropertyRegistry
                                                                                                      • String ID: IDDDeviceInfoSet::RemoveDeviceNode Current HWID = %s$IDDDeviceInfoSet::RemoveDeviceNode Find device instance/s...$IDDDeviceInfoSet::RemoveDeviceNode Found an instance = %s %d$IDDDeviceInfoSet::RemoveDeviceNode No Device instance found$IDDDeviceInfoSet::RemoveDeviceNode No more items$IDDDeviceInfoSet::RemoveDeviceNode SetupDiEnumDeviceInfo failed %d$IDDDeviceInfoSet::RemoveDeviceNode SetupDiGetClassDevs failed %d$IDDDeviceInfoSet::RemoveDeviceNode SetupDiGetClassDevs success$IDDDeviceInfoSet::RemoveDeviceNode SetupDiGetDeviceRegistryProperty (1) failed %d$IDDDeviceInfoSet::RemoveDeviceNode SetupDiGetDeviceRegistryProperty (4) failed %d
                                                                                                      • API String ID: 2622032799-1916981457
                                                                                                      • Opcode ID: eca7a7d3da830926f56062e4d1c70cb1dc498bfe433297cd96fdfde324f8f800
                                                                                                      • Instruction ID: 157ce61836f8913999ea0971d3b2ba4cd072a485b8277f823109dd428f337e29
                                                                                                      • Opcode Fuzzy Hash: eca7a7d3da830926f56062e4d1c70cb1dc498bfe433297cd96fdfde324f8f800
                                                                                                      • Instruction Fuzzy Hash: 2C51B761A0C68282F711BB64E8447F92761FF88799F604139DA4E87796DFBED588C310
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • IDDSetupActions::Uninstall DeviceInfoSet.RemoveDeviceOemInf success, xrefs: 00007FF642E13A83
                                                                                                      • IDDSetupActions::Uninstall Begin Uninstall Process..., xrefs: 00007FF642E138C7
                                                                                                      • IDDSetupActions::Uninstall failed! Windows 10 version not supported, xrefs: 00007FF642E139B7
                                                                                                      • IDDSetupActions::Uninstall DeviceInfoSet.RemoveDeviceNode failed %d, xrefs: 00007FF642E13A26
                                                                                                      • IDDSetupActions::Uninstall DeviceInfoSet.RemoveDeviceNode success, xrefs: 00007FF642E13A2F
                                                                                                      • IDDSetupActions::Uninstall Uninstall Process Finished, xrefs: 00007FF642E13AA1
                                                                                                      • IDDSetupActions::Uninstall failed! Windows version not supported., xrefs: 00007FF642E13AC6
                                                                                                      • 98, xrefs: 00007FF642E13989
                                                                                                      • IDDSetupActions::Uninstall DeviceInfoSet.RemoveDeviceOemInf failed %d, xrefs: 00007FF642E13A59
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConditionMask$Info$VerifyVersion$DestroyDeviceListSetup
                                                                                                      • String ID: 98$IDDSetupActions::Uninstall Begin Uninstall Process...$IDDSetupActions::Uninstall DeviceInfoSet.RemoveDeviceNode failed %d$IDDSetupActions::Uninstall DeviceInfoSet.RemoveDeviceNode success$IDDSetupActions::Uninstall DeviceInfoSet.RemoveDeviceOemInf failed %d$IDDSetupActions::Uninstall DeviceInfoSet.RemoveDeviceOemInf success$IDDSetupActions::Uninstall Uninstall Process Finished$IDDSetupActions::Uninstall failed! Windows 10 version not supported$IDDSetupActions::Uninstall failed! Windows version not supported.
                                                                                                      • API String ID: 2937069726-1076954044
                                                                                                      • Opcode ID: 40adedddcf1ee346f5cea53ffa205ac62cdaa207c9ad8ff41f13a03365b9a47a
                                                                                                      • Instruction ID: c055299bd3beabc5357478b43971592b8c856d71ffd9db6d79d9cc49721a69f1
                                                                                                      • Opcode Fuzzy Hash: 40adedddcf1ee346f5cea53ffa205ac62cdaa207c9ad8ff41f13a03365b9a47a
                                                                                                      • Instruction Fuzzy Hash: BB618C3160CA4286E710FF64E8403B967A1FB45798F604239D6ADC76E9DFBEE588C710
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      • IDDDeviceInfoSet::SetupFindFirstLine SetupOpenInfFile failed %d, xrefs: 00007FF642E11E3B
                                                                                                      • IDDDeviceInfoSet::SetupGetStringField SetupOpenInfFile failed %d, xrefs: 00007FF642E11E2C
                                                                                                      • IDDDeviceInfoSet::PrivateValidateDriverOemInfFile SetupOpenInfFile failed %d, xrefs: 00007FF642E11D51
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Setup$File$CloseErrorFieldFindFirstLastLineOpenString
                                                                                                      • String ID: IDDDeviceInfoSet::PrivateValidateDriverOemInfFile SetupOpenInfFile failed %d$IDDDeviceInfoSet::SetupFindFirstLine SetupOpenInfFile failed %d$IDDDeviceInfoSet::SetupGetStringField SetupOpenInfFile failed %d
                                                                                                      • API String ID: 72482887-258866419
                                                                                                      • Opcode ID: 6effdb1bf031944deee5388926a05c0b64691f1103955cb96cc82631e727b3e2
                                                                                                      • Instruction ID: 2dc5fdf88ac01478fe7c5ff39951fa7753ad52a9124bc53738ce2b48b97ff5bd
                                                                                                      • Opcode Fuzzy Hash: 6effdb1bf031944deee5388926a05c0b64691f1103955cb96cc82631e727b3e2
                                                                                                      • Instruction Fuzzy Hash: 0041C672B0C64385E720BB61E4047B927A1FB89B99F604539D90EC7796EFBED085C710
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$ErrorFileLast$ModuleNamePathRemoveSpec__std_exception_copy
                                                                                                      • String ID: IDDUtilities::GetInfFilePath GetFullPathName failed %d
                                                                                                      • API String ID: 1997793096-207959331
                                                                                                      • Opcode ID: 07fa57dc8d8a4c9dd7da9d19e4dfccf55f3e54efb9c370bb08f20c8a6909138d
                                                                                                      • Instruction ID: c37b3c4f3b4671d49fd9c787236a7bca39fab009a4cf82b32be8fad03e15eafe
                                                                                                      • Opcode Fuzzy Hash: 07fa57dc8d8a4c9dd7da9d19e4dfccf55f3e54efb9c370bb08f20c8a6909138d
                                                                                                      • Instruction Fuzzy Hash: 5C6191A2B0C68281EB14BF64E4453BD2762FF45B98FA04139DA5D877D9DFAED584C300
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                                                      • API String ID: 3215553584-2617248754
                                                                                                      • Opcode ID: 5914814a694583f4a61488e3cdbdbea4ea1b157881318f00679f426ebb2538fd
                                                                                                      • Instruction ID: ce3472c30740b9064d970807e5c4a0bcc234c9c8460a8f34a643d7a1d559112c
                                                                                                      • Opcode Fuzzy Hash: 5914814a694583f4a61488e3cdbdbea4ea1b157881318f00679f426ebb2538fd
                                                                                                      • Instruction Fuzzy Hash: AE41BD72B08B4189E700EF21E8407ED37A9FB18388F644139EA4D87B95EE7ED565C340
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                      • String ID: CONOUT$
                                                                                                      • API String ID: 3230265001-3130406586
                                                                                                      • Opcode ID: 7c5524c766db8745df0ae9cd6cacbcd340f84a9c76657e64ac13ab8789daa13e
                                                                                                      • Instruction ID: 1100cb9c5d135987befc0d6bb02c6d1a5f9a6a8f15e53e2a71e7ec3fc7ec602e
                                                                                                      • Opcode Fuzzy Hash: 7c5524c766db8745df0ae9cd6cacbcd340f84a9c76657e64ac13ab8789daa13e
                                                                                                      • Instruction Fuzzy Hash: 43118161A1CA4286E750BB12E84476972A0FB8CBE8F244238DA5EC7BA4CFBDD4458754
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                      • Opcode ID: 47eae215630ea0066a852bd67f66c9f372bbf29a6d7780b217db0c198fc88bcc
                                                                                                      • Instruction ID: 687b14f59b390fe837ba70dac8395931e6f7df09af25942a2e86bf5d91e85b07
                                                                                                      • Opcode Fuzzy Hash: 47eae215630ea0066a852bd67f66c9f372bbf29a6d7780b217db0c198fc88bcc
                                                                                                      • Instruction Fuzzy Hash: 0BF05EA1B1DA4781EB447B50E8803B92760BF54B58F68103DD90FC66B0CEAEE588D720
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _set_statfp
                                                                                                      • String ID:
                                                                                                      • API String ID: 1156100317-0
                                                                                                      • Opcode ID: d1d10107198c09c3932fa6673c1dcca8ef673135442fdb47985b5f68ba886dfb
                                                                                                      • Instruction ID: 1a36a53fbe437f518f778705435850a7cb403f5dd2307e87dc051f1771bf2c78
                                                                                                      • Opcode Fuzzy Hash: d1d10107198c09c3932fa6673c1dcca8ef673135442fdb47985b5f68ba886dfb
                                                                                                      • Instruction Fuzzy Hash: 5111A3E2E1CA6301F6A4B124E8563F511407F55378F38473CEA6FD62DA9EDEA8834131
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                      • API String ID: 3215553584-1196891531
                                                                                                      • Opcode ID: e0dcfc6a68e5356318c0fcd404b881987b5b91c36ccf0ae3963758e001cf1e56
                                                                                                      • Instruction ID: 448bc5de0b34a4549e17b6e975140ce89dbfc7b0fb9f23da4305d065a9575bfd
                                                                                                      • Opcode Fuzzy Hash: e0dcfc6a68e5356318c0fcd404b881987b5b91c36ccf0ae3963758e001cf1e56
                                                                                                      • Instruction Fuzzy Hash: B3816C72D0C24385F7657B3886542792EA1BF1274CF7D503DEA0EC6695CEAFA881D702
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                                                                      • String ID: csm
                                                                                                      • API String ID: 2280078643-1018135373
                                                                                                      • Opcode ID: 3ebccaa0a3721d2e0e78a4e67fbc84bec37a22bf9295ac705805b121bfc1fb08
                                                                                                      • Instruction ID: 9ffe994c05dd84524eff7ff262624dcbed63faab08208a8e8f2f4a881c1d6914
                                                                                                      • Opcode Fuzzy Hash: 3ebccaa0a3721d2e0e78a4e67fbc84bec37a22bf9295ac705805b121bfc1fb08
                                                                                                      • Instruction Fuzzy Hash: D9212B76A0864586E630BB11F04067E7B61F784BA8F100239DE9E43795CF7EE8C2CB01
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • try_get_function.LIBVCRUNTIME ref: 00007FF642E21A0D
                                                                                                      • TlsSetValue.KERNEL32(?,?,C:\Users\Public\MirrorOpDisplaySetup.log,00007FF642E1CD66,?,?,C:\Users\Public\MirrorOpDisplaySetup.log,00007FF642E1C811,?,?,?,?,00007FF642E1A8C6), ref: 00007FF642E21A24
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Valuetry_get_function
                                                                                                      • String ID: C:\Users\Public\MirrorOpDisplaySetup.log$FlsSetValue
                                                                                                      • API String ID: 738293619-4229585492
                                                                                                      • Opcode ID: 0469a287eda2f5178412d1d50b89cb8822170f4ca3f195091d7258d2e54259c3
                                                                                                      • Instruction ID: a0da7cb01c8153800b880d0d0b01f8641e9f5eed68c625b2a66faa79e1e58314
                                                                                                      • Opcode Fuzzy Hash: 0469a287eda2f5178412d1d50b89cb8822170f4ca3f195091d7258d2e54259c3
                                                                                                      • Instruction Fuzzy Hash: A6E030E5A1C60381EE04BB51E4400F82322BF48B98F785039D51F8B795CEBED694C771
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo$_get_daylight
                                                                                                      • String ID:
                                                                                                      • API String ID: 72036449-0
                                                                                                      • Opcode ID: 99e2753389c6de09961ab763d8692691d7301ab5aa3fed7a21eb5d97f3c91e9e
                                                                                                      • Instruction ID: 8ebc460f52641ad7a6df58ca286bccbd844b0958f8a988725ee1485091767308
                                                                                                      • Opcode Fuzzy Hash: 99e2753389c6de09961ab763d8692691d7301ab5aa3fed7a21eb5d97f3c91e9e
                                                                                                      • Instruction Fuzzy Hash: 1A51B1B6E0C60386F7697A28D5653F96A80FB4071CF39413DCA0BC62D5DEEEE8408661
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                      • String ID: e+000$gfff
                                                                                                      • API String ID: 3215553584-3030954782
                                                                                                      • Opcode ID: 74e56a55970d42afd6bce679688fc2a57d31610b12a62597bc6a378fc0ec2037
                                                                                                      • Instruction ID: f100b6fe8a6ce9d6c411a9df51474be70d20a9d86ac07bfc55ceaffde88b4148
                                                                                                      • Opcode Fuzzy Hash: 74e56a55970d42afd6bce679688fc2a57d31610b12a62597bc6a378fc0ec2037
                                                                                                      • Instruction Fuzzy Hash: 94511662B1C6C246E724AF2998403B97F91FB80B94F589239C79CC7BD5CEAED480C700
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF642E1AF5E
                                                                                                        • Part of subcall function 00007FF642E1D0A8: HeapFree.KERNEL32(?,?,?,00007FF642E20F84,?,?,?,00007FF642E20FC7,?,?,?,00007FF642E214F0,?,?,?,00007FF642E21423), ref: 00007FF642E1D0BE
                                                                                                        • Part of subcall function 00007FF642E1D0A8: GetLastError.KERNEL32(?,?,?,00007FF642E20F84,?,?,?,00007FF642E20FC7,?,?,?,00007FF642E214F0,?,?,?,00007FF642E21423), ref: 00007FF642E1D0D0
                                                                                                      • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF642E149FA), ref: 00007FF642E1AF7C
                                                                                                      Strings
                                                                                                      • C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe, xrefs: 00007FF642E1AF6A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                      • String ID: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe
                                                                                                      • API String ID: 3580290477-3583085434
                                                                                                      • Opcode ID: e237b0c339fbfe9c2aa417fa0f0d7823cdb0a5b28ab6914af6b9d41c11cc57b2
                                                                                                      • Instruction ID: 820ad926282d4a523502890134b84b61b0a2e1fff3ba777bf1d966e31d48a383
                                                                                                      • Opcode Fuzzy Hash: e237b0c339fbfe9c2aa417fa0f0d7823cdb0a5b28ab6914af6b9d41c11cc57b2
                                                                                                      • Instruction Fuzzy Hash: 20413972A0CA1285EB15FF26A4801BD6A95FF44798F64413DEA4EC3B95DFBEE485C300
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,?,00007FF642E25EFD), ref: 00007FF642E25BBF
                                                                                                      • GetLastError.KERNEL32(00000000,00000000,?,00000000,?,00007FF642E25EFD), ref: 00007FF642E25BE1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                      • String ID: U
                                                                                                      • API String ID: 442123175-4171548499
                                                                                                      • Opcode ID: 0a4a5744d57d7471710afcf482343fbecc98eb0496d10c81e4b9789d81163603
                                                                                                      • Instruction ID: 1daa08de381c59d030c14cb717d49f8d95ced110f36e7360febe139f8d07fe84
                                                                                                      • Opcode Fuzzy Hash: 0a4a5744d57d7471710afcf482343fbecc98eb0496d10c81e4b9789d81163603
                                                                                                      • Instruction Fuzzy Hash: BA41C3A2A1CA8282DB20AF25E4543E967A0FB887D8FA44135EE4EC7798DF7DD441C710
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Stringtry_get_function
                                                                                                      • String ID: LCMapStringEx
                                                                                                      • API String ID: 2588686239-3893581201
                                                                                                      • Opcode ID: 7cac5477dbe57fe43c47c71cc1271db3d77883f9a34b8e3e30b53b1ec36ae0a2
                                                                                                      • Instruction ID: 97cd0427e70872a268909e264cb54935a4b94e8edb5a4af45c634e3e12712239
                                                                                                      • Opcode Fuzzy Hash: 7cac5477dbe57fe43c47c71cc1271db3d77883f9a34b8e3e30b53b1ec36ae0a2
                                                                                                      • Instruction Fuzzy Hash: B4115E7660CB8186D760EB46F4402AAB7A4FB89B84F544139EE8E83B19CF3DD1408B40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • try_get_function.LIBVCRUNTIME ref: 00007FF642E21A69
                                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,-00000018,00007FF642E1EB72,?,?,C:\Users\Public\MirrorOpDisplaySetup.log,00007FF642E1EA6A,?,?,00000080,00007FF642E1A909), ref: 00007FF642E21A83
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                                                                      • String ID: InitializeCriticalSectionEx
                                                                                                      • API String ID: 539475747-3084827643
                                                                                                      • Opcode ID: ddae6ecf774d961657188d649599536e05ef873d5f8b9a44976e7cd536bdf1e7
                                                                                                      • Instruction ID: f2d42ee25fb86292c75095745c6e45cafa5e1d149b7833de00e74417ec8526b9
                                                                                                      • Opcode Fuzzy Hash: ddae6ecf774d961657188d649599536e05ef873d5f8b9a44976e7cd536bdf1e7
                                                                                                      • Instruction Fuzzy Hash: 77F0BEE5A0C64782EB04BB92E4000E92220BF88B84F695139E92F47B45CEBED54483A0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DownlevelLocaleName__crttry_get_function
                                                                                                      • String ID: LocaleNameToLCID
                                                                                                      • API String ID: 404522899-2050040251
                                                                                                      • Opcode ID: 92a71eb8c403a7bde1df688a4416805be7d7e8ef48885af5f3794540dc293ab6
                                                                                                      • Instruction ID: 87271e2456b913035ab689971e5f00b6e35fe1df780674638c6a1fa554905c25
                                                                                                      • Opcode Fuzzy Hash: 92a71eb8c403a7bde1df688a4416805be7d7e8ef48885af5f3794540dc293ab6
                                                                                                      • Instruction Fuzzy Hash: 33E0E5D5A0C503C1EF04B745E4010F82220BF8474CFB85039D90F8B786CE7EEA408360
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • try_get_function.LIBVCRUNTIME ref: 00007FF642E17CA5
                                                                                                      • TlsSetValue.KERNEL32(?,?,?,00007FF642E16331,?,?,?,?,00007FF642E15FDC,?,?,?,?,00007FF642E14D47), ref: 00007FF642E17CBC
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000007.00000002.2132065899.00007FF642E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF642E10000, based on PE: true
                                                                                                      • Associated: 00000007.00000002.2132032980.00007FF642E10000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132131149.00007FF642E38000.00000004.00000001.01000000.00000004.sdmp
                                                                                                      • Associated: 00000007.00000002.2132158381.00007FF642E3A000.00000002.00000001.01000000.00000004.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_7_2_7ff642e10000_MirrorOpSetup64.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Valuetry_get_function
                                                                                                      • String ID: FlsSetValue
                                                                                                      • API String ID: 738293619-3750699315
                                                                                                      • Opcode ID: e177c66dba838f717c4c7ad0f142cb926c03ac4292b26ab65b9cb07a26fe3ff6
                                                                                                      • Instruction ID: cd1b1356101f280718e3b444ed2c5d8b7046de9903002016ca7d17dd5e37048d
                                                                                                      • Opcode Fuzzy Hash: e177c66dba838f717c4c7ad0f142cb926c03ac4292b26ab65b9cb07a26fe3ff6
                                                                                                      • Instruction Fuzzy Hash: D0E065A1A0C54381FA047B50E8400F83621BF48B98F78403DD51E86394CFBED4859324
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:6.1%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:1481
                                                                                                      Total number of Limit Nodes:9
5412 7ff8b90aeced __FrameHandler3::GetHandlerSearchState 5408->5412 5409->5404 5409->5407 5413 7ff8b90acee0 7 API calls FindHandler 5409->5413 5414 7ff8b90acf08 __FrameHandler3::FrameUnwindToState 7 API calls 5409->5414 5411->5408 5413->5409 5414->5409 5415 7ff8b90ac2ac 5416 7ff8b90ac2d0 __scrt_release_startup_lock 5415->5416 5417 7ff8b90af22f _seh_filter_dll 5416->5417 4701 7ff8b90a2c20 4704 7ff8b90a2bdc 4701->4704 4709 7ff8b90a17b0 DeleteCriticalSection 4704->4709 4710 7ff8b90a17d8 4709->4710 4711 7ff8b90a1804 4710->4711 4712 7ff8b90a17e1 CloseHandle 4710->4712 4712->4710 4713 7ff8b90ad820 4714 7ff8b90ad83a 4713->4714 4715 7ff8b90ad829 4713->4715 4715->4714 4716 7ff8b90ad835 free 4715->4716 4716->4714 5418 7ff8b90af598 5421 7ff8b90ac33c 5418->5421 5422 7ff8b90ac347 __scrt_uninitialize_crt 5421->5422 5425 7ff8b90ad9d0 5422->5425 5426 7ff8b90ad9df FlsFree 5425->5426 5427 7ff8b90ad80d 5425->5427 5426->5427 5428 7ff8b90aba9c 5430 7ff8b90abad4 __GSHandlerCheckCommon 5428->5430 5429 7ff8b90abb00 5430->5429 5432 7ff8b90acf38 5430->5432 5433 7ff8b90ad890 FindHandler 7 API calls 5432->5433 5434 7ff8b90acf5a 5433->5434 5435 7ff8b90ad890 FindHandler 7 API calls 5434->5435 5436 7ff8b90acf67 5435->5436 5437 7ff8b90ad890 FindHandler 7 API calls 5436->5437 5438 7ff8b90acf74 5437->5438 5439 7ff8b90ae668 __InternalCxxFrameHandler 30 API calls 5438->5439 5440 7ff8b90acfa5 5439->5440 5440->5429 4717 7ff8b90a4d50 4730 7ff8b90a567c 4717->4730 4719 7ff8b90a4da6 4734 7ff8b90a7388 4719->4734 4722 7ff8b90a4db7 4746 7ff8b90a4058 4722->4746 4725 7ff8b90a4dca 4726 7ff8b90a4df3 4725->4726 4727 7ff8b90a23f4 WppAutoLogTrace 4725->4727 4728 7ff8b90a2340 2 API calls 4726->4728 4727->4726 4729 7ff8b90a4e14 4728->4729 4731 7ff8b90a56e8 4730->4731 4732 7ff8b90a575b WppAutoLogTrace 4730->4732 4731->4732 4733 7ff8b90a56f3 TraceMessage 4731->4733 4732->4719 4733->4732 4735 7ff8b90a73af 4734->4735 4736 7ff8b90a9390 7 API calls 4735->4736 4737 7ff8b90a4dab 4736->4737 4737->4722 4738 7ff8b90a3f8c 
CreateEventW 4737->4738 4739 7ff8b90a4002 4738->4739 4740 7ff8b90a4032 4739->4740 4741 7ff8b90a23f4 WppAutoLogTrace 4739->4741 4742 7ff8b90a4040 4740->4742 4743 7ff8b90a4037 CloseHandle 4740->4743 4741->4740 4744 7ff8b90aba70 __FrameHandler3::UnwindNestedFrames 8 API calls 4742->4744 4743->4742 4745 7ff8b90a404d 4744->4745 4745->4722 4747 7ff8b90ab994 4 API calls 4746->4747 4748 7ff8b90a4093 4747->4748 4749 7ff8b90a40ab 4748->4749 4781 7ff8b90a59a4 4748->4781 4751 7ff8b90a40e7 4749->4751 4752 7ff8b90a40b7 4749->4752 4786 7ff8b90a5c3c 4751->4786 4753 7ff8b90a2340 2 API calls 4752->4753 4768 7ff8b90a40dd 4753->4768 4755 7ff8b90a40f2 4756 7ff8b90a40f6 4755->4756 4757 7ff8b90a413f 4755->4757 4758 7ff8b90a23f4 WppAutoLogTrace 4756->4758 4761 7ff8b90a4194 4757->4761 4762 7ff8b90a416c 4757->4762 4759 7ff8b90a4122 4758->4759 4760 7ff8b90a6170 9 API calls 4759->4760 4763 7ff8b90a412a 4760->4763 4797 7ff8b90a6cd0 4761->4797 4764 7ff8b90a2340 2 API calls 4762->4764 4766 7ff8b90a59f8 8 API calls 4763->4766 4764->4759 4766->4768 4767 7ff8b90a41ae 4769 7ff8b90a41b2 4767->4769 4770 7ff8b90a41e4 4767->4770 4768->4725 4771 7ff8b90a2a98 2 API calls 4769->4771 4772 7ff8b90a2340 2 API calls 4770->4772 4780 7ff8b90a424c 4770->4780 4771->4759 4774 7ff8b90a4214 4772->4774 4773 7ff8b90a4420 11 API calls 4773->4768 4802 7ff8b90a4420 EnterCriticalSection 4774->4802 4780->4773 4807 7ff8b90a7c08 4781->4807 4785 7ff8b90a59dc memset 4785->4749 4787 7ff8b90a5c60 4786->4787 4815 7ff8b90a2620 4787->4815 4789 7ff8b90a2340 2 API calls 4796 7ff8b90a5cdb 4789->4796 4791 7ff8b90a5cdd 4839 7ff8b90a800c 4791->4839 4792 7ff8b90a5caf 4794 7ff8b90a23f4 WppAutoLogTrace 4792->4794 4794->4796 4795 7ff8b90a5c74 4795->4789 4795->4796 4796->4755 4798 7ff8b90a6cfb 4797->4798 4799 7ff8b90a6cfe EnterCriticalSection 4797->4799 4798->4799 4801 7ff8b90a6d16 4799->4801 4800 7ff8b90a6d36 LeaveCriticalSection 4800->4767 4801->4800 4803 7ff8b90a4460 4802->4803 4804 7ff8b90a4457 4802->4804 4861 7ff8b90a3adc 4803->4861 4805 
7ff8b90a446a LeaveCriticalSection SetEvent 4804->4805 4814 7ff8b90a794c InitializeCriticalSection 4807->4814 4809 7ff8b90a7c23 CreateEventW 4810 7ff8b90a59cf 4809->4810 4811 7ff8b90a7c4e 4809->4811 4813 7ff8b90a57e4 memset 4810->4813 4812 7ff8b90a2340 2 API calls 4811->4812 4812->4810 4813->4785 4814->4809 4816 7ff8b90a2340 2 API calls 4815->4816 4817 7ff8b90a267d 4816->4817 4818 7ff8b90a26c5 4817->4818 4819 7ff8b90a269c 4817->4819 4821 7ff8b90a26f5 4818->4821 4825 7ff8b90a2723 4818->4825 4820 7ff8b90a23f4 WppAutoLogTrace 4819->4820 4838 7ff8b90a26be 4820->4838 4822 7ff8b90a23f4 WppAutoLogTrace 4821->4822 4822->4838 4823 7ff8b90aba70 __FrameHandler3::UnwindNestedFrames 8 API calls 4824 7ff8b90a28e2 4823->4824 4824->4791 4824->4792 4824->4795 4826 7ff8b90a277f 4825->4826 4828 7ff8b90a27ad 4825->4828 4827 7ff8b90a23f4 WppAutoLogTrace 4826->4827 4827->4838 4829 7ff8b90a2800 4828->4829 4830 7ff8b90a27da 4828->4830 4847 7ff8b90a28fc 4829->4847 4831 7ff8b90a23f4 WppAutoLogTrace 4830->4831 4833 7ff8b90a27fe 4831->4833 4834 7ff8b90a2871 4833->4834 4835 7ff8b90a2897 4833->4835 4836 7ff8b90a23f4 WppAutoLogTrace 4834->4836 4837 7ff8b90a2a98 2 API calls 4835->4837 4836->4838 4837->4838 4838->4823 4840 7ff8b90a8050 4839->4840 4841 7ff8b90a8036 4839->4841 4852 7ff8b90a7aa0 CreateThread 4840->4852 4843 7ff8b90a2340 2 API calls 4841->4843 4843->4840 4845 7ff8b90a8081 4845->4795 4846 7ff8b90a2340 2 API calls 4846->4845 4848 7ff8b90a2a05 WppAutoLogTrace 4847->4848 4850 7ff8b90a297e 4847->4850 4848->4833 4850->4848 4850->4850 4851 7ff8b90a29a7 TraceMessage 4850->4851 4851->4848 4853 7ff8b90a7ae6 GetLastError 4852->4853 4854 7ff8b90a7b1a EnterCriticalSection 4852->4854 4855 7ff8b90a23f4 WppAutoLogTrace 4853->4855 4856 7ff8b90a7b39 LeaveCriticalSection 4854->4856 4857 7ff8b90a7b2b 4854->4857 4858 7ff8b90a7b16 4855->4858 4859 7ff8b90a7b48 TerminateThread CloseHandle 4856->4859 4860 7ff8b90a7b5e ResumeThread 4856->4860 4857->4856 4858->4845 4858->4846 4859->4858 4860->4858 4862 
7ff8b90a3bd9 4861->4862 4863 7ff8b90a3b2a 4861->4863 4883 7ff8b90a4520 4862->4883 4870 7ff8b90a4534 4863->4870 4867 7ff8b90a3b67 4879 7ff8b90a4498 4867->4879 4869 7ff8b90a3bc2 4869->4805 4871 7ff8b90a4586 4870->4871 4872 7ff8b90a455d 4870->4872 4873 7ff8b90a4595 4871->4873 4875 7ff8b90ab994 4 API calls 4871->4875 4874 7ff8b90ab994 4 API calls 4872->4874 4873->4867 4876 7ff8b90a456d 4874->4876 4875->4873 4877 7ff8b90a4575 4876->4877 4878 7ff8b90a459a _invalid_parameter_noinfo_noreturn 4876->4878 4877->4867 4880 7ff8b90a44c0 4879->4880 4882 7ff8b90a44e9 4879->4882 4881 7ff8b90a4519 _invalid_parameter_noinfo_noreturn 4880->4881 4880->4882 4882->4869 4886 7ff8b90ab954 4883->4886 4891 7ff8b90ab868 4886->4891 4889 7ff8b90ac908 _CxxThrowException 2 API calls 4890 7ff8b90a4530 4889->4890 4892 7ff8b90ad67c __std_exception_copy 2 API calls 4891->4892 4893 7ff8b90ab89f 4892->4893 4893->4889 4894 7ff8b90a4f50 4895 7ff8b90a2a98 2 API calls 4894->4895 4896 7ff8b90a4fa3 4895->4896 4897 7ff8b90a4fd3 4896->4897 4898 7ff8b90a4ffc 4896->4898 4900 7ff8b90a2340 2 API calls 4897->4900 4899 7ff8b90a5275 4898->4899 4902 7ff8b90a5017 4898->4902 4913 7ff8b90a389c 4899->4913 4904 7ff8b90a4ff2 4900->4904 4905 7ff8b90a24d0 2 API calls 4902->4905 4911 7ff8b90a5046 4902->4911 4903 7ff8b90a5273 4907 7ff8b90a2340 2 API calls 4903->4907 4905->4911 4906 7ff8b90a505c memset 4908 7ff8b90a24d0 2 API calls 4906->4908 4907->4904 4908->4911 4909 7ff8b90a24d0 TraceMessage WppAutoLogTrace 4909->4911 4910 7ff8b90a23f4 WppAutoLogTrace 4910->4911 4911->4903 4911->4906 4911->4909 4911->4910 4912 7ff8b90a2a98 2 API calls 4911->4912 4912->4911 4914 7ff8b90a3952 WppAutoLogTrace 4913->4914 4915 7ff8b90a38fa 4913->4915 4914->4903 4915->4914 4916 7ff8b90a3905 TraceMessage 4915->4916 4916->4914 4917 7ff8b90abe50 4918 7ff8b90abe71 4917->4918 4919 7ff8b90abe6c 4917->4919 4921 7ff8b90ac0f0 4919->4921 4922 7ff8b90ac113 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 4921->4922 4923 
7ff8b90ac187 4921->4923 4922->4923 4923->4918 4927 7ff8b90a7e40 AvSetMmThreadCharacteristicsW 4928 7ff8b90a7eae 4927->4928 4929 7ff8b90a7e7e 4927->4929 4933 7ff8b90a2340 2 API calls 4928->4933 4934 7ff8b90a7ed4 4928->4934 4930 7ff8b90a2340 2 API calls 4929->4930 4932 7ff8b90a7e9c GetCurrentThread SetThreadPriority 4930->4932 4932->4928 4933->4934 4935 7ff8b90a7f06 WaitForSingleObject 4934->4935 4936 7ff8b90a7f50 WaitForMultipleObjects 4934->4936 4937 7ff8b90a7fc5 4934->4937 4938 7ff8b90a2340 2 API calls 4934->4938 4942 7ff8b90a7f87 4934->4942 4948 7ff8b90a7cf4 4934->4948 4935->4934 4940 7ff8b90a7f16 4935->4940 4936->4934 4936->4940 4939 7ff8b90a23f4 WppAutoLogTrace 4937->4939 4938->4935 4946 7ff8b90a7fab 4939->4946 4941 7ff8b90a7f3a ResetEvent 4940->4941 4947 7ff8b90a2340 2 API calls 4940->4947 4941->4946 4943 7ff8b90a23f4 WppAutoLogTrace 4942->4943 4943->4946 4944 7ff8b90a7ff7 4945 7ff8b90a7fee AvRevertMmThreadCharacteristics 4945->4944 4946->4944 4946->4945 4947->4941 4962 7ff8b90a5ba0 QueryPerformanceCounter 4948->4962 4953 7ff8b90a23f4 WppAutoLogTrace 4956 7ff8b90a7d4d 4953->4956 4954 7ff8b90a7d71 4983 7ff8b90a6014 4954->4983 4955 7ff8b90a7d1f 4955->4953 4955->4956 4959 7ff8b90aba70 __FrameHandler3::UnwindNestedFrames 8 API calls 4956->4959 4960 7ff8b90a7dd0 4959->4960 4960->4934 4961 7ff8b90a2340 2 API calls 4961->4956 4963 7ff8b90a5bc5 4962->4963 4967 7ff8b90a5bc1 4962->4967 4964 7ff8b90a5c0e 4963->4964 4965 7ff8b90a23f4 WppAutoLogTrace 4963->4965 4993 7ff8b90a5814 4964->4993 4965->4964 4967->4955 4968 7ff8b90a5a30 4967->4968 4969 7ff8b90a5a51 QueryPerformanceCounter memset 4968->4969 4970 7ff8b90a5a4c 4968->4970 4972 7ff8b90a5a90 4969->4972 4971 7ff8b90a5e88 7 API calls 4970->4971 4971->4969 4973 7ff8b90a5b27 4972->4973 4974 7ff8b90a5a9c 4972->4974 4999 7ff8b90a5eac 4973->4999 4976 7ff8b90a5aa3 4974->4976 4977 7ff8b90a5ad8 4974->4977 4978 7ff8b90a5ad3 4976->4978 4981 7ff8b90a2340 2 API calls 4976->4981 4979 7ff8b90a23f4 WppAutoLogTrace 4977->4979 4978->4954 
4978->4955 4979->4978 4981->4978 4982 7ff8b90a2340 2 API calls 4982->4978 5022 7ff8b90a6140 4983->5022 4986 7ff8b90a606a 4991 7ff8b90a6106 QueryPerformanceCounter 4986->4991 4992 7ff8b90a608c 4986->4992 4987 7ff8b90a603d 4988 7ff8b90a2340 2 API calls 4987->4988 4990 7ff8b90a6063 4988->4990 4989 7ff8b90a23f4 WppAutoLogTrace 4989->4990 4990->4956 4990->4961 4991->4990 4992->4989 4994 7ff8b90a5984 4993->4994 4997 7ff8b90a5858 4993->4997 4995 7ff8b90aba70 __FrameHandler3::UnwindNestedFrames 8 API calls 4994->4995 4996 7ff8b90a5990 4995->4996 4996->4967 4997->4994 4998 7ff8b90a23f4 WppAutoLogTrace 4997->4998 4998->4994 5000 7ff8b90a5f01 4999->5000 5001 7ff8b90a5f05 5000->5001 5002 7ff8b90a5f36 memset 5000->5002 5003 7ff8b90a23f4 WppAutoLogTrace 5001->5003 5004 7ff8b90a5f5a 5002->5004 5013 7ff8b90a5f31 5003->5013 5005 7ff8b90a5fd1 5004->5005 5007 7ff8b90a5f6c 5004->5007 5006 7ff8b90a2340 2 API calls 5005->5006 5006->5013 5008 7ff8b90a5f90 5007->5008 5009 7ff8b90a5f7d 5007->5009 5014 7ff8b90a2340 2 API calls 5008->5014 5015 7ff8b90a5d34 5009->5015 5010 7ff8b90aba70 __FrameHandler3::UnwindNestedFrames 8 API calls 5012 7ff8b90a5b54 5010->5012 5012->4978 5012->4982 5013->5010 5014->5013 5016 7ff8b90a5d72 5015->5016 5017 7ff8b90a5d7a 5016->5017 5019 7ff8b90a5da5 5016->5019 5018 7ff8b90a2340 2 API calls 5017->5018 5021 7ff8b90a5da0 5018->5021 5020 7ff8b90a23f4 WppAutoLogTrace 5019->5020 5019->5021 5020->5021 5021->5013 5023 7ff8b90a6152 CloseHandle QueryPerformanceCounter 5022->5023 5024 7ff8b90a6034 5022->5024 5023->5024 5024->4986 5024->4987 5441 7ff8b90a7cc0 5444 7ff8b90a7c80 5441->5444 5445 7ff8b90a7cb0 5444->5445 5446 7ff8b90a7ca9 CloseHandle 5444->5446 5446->5445 5025 7ff8b90a9a40 5026 7ff8b90a2340 2 API calls 5025->5026 5027 7ff8b90a9a75 5026->5027 5028 7ff8b90a9ac1 5027->5028 5029 7ff8b90a2340 2 API calls 5027->5029 5029->5028 5030 7ff8b90af340 5031 7ff8b90af360 5030->5031 5032 7ff8b90ac908 _CxxThrowException 2 API calls 5031->5032 5033 7ff8b90af369 5032->5033 5034 
7ff8b90ac908 _CxxThrowException 2 API calls 5033->5034 5035 7ff8b90af393 5034->5035 5447 7ff8b90a9bc0 5448 7ff8b90a2a98 2 API calls 5447->5448 5449 7ff8b90a9c04 5448->5449 5457 7ff8b90a9c52 5449->5457 5459 7ff8b90a99dc 5449->5459 5451 7ff8b90a2340 2 API calls 5453 7ff8b90a9c70 5451->5453 5456 7ff8b90a9cd2 5473 7ff8b90a3518 5456->5473 5457->5451 5460 7ff8b90a9a05 5459->5460 5461 7ff8b90a9a30 5460->5461 5462 7ff8b90a2340 2 API calls 5460->5462 5461->5457 5463 7ff8b90a18ac EnterCriticalSection 5461->5463 5462->5461 5464 7ff8b90a18ef 5463->5464 5465 7ff8b90a1919 5464->5465 5467 7ff8b90a1943 5464->5467 5466 7ff8b90a2340 2 API calls 5465->5466 5468 7ff8b90a1941 LeaveCriticalSection 5466->5468 5467->5468 5472 7ff8b90a23f4 WppAutoLogTrace 5467->5472 5470 7ff8b90a19c2 CloseHandle 5468->5470 5471 7ff8b90a19cb 5468->5471 5470->5471 5471->5456 5471->5457 5472->5468 5474 7ff8b90a35f9 5473->5474 5475 7ff8b90a353f 5473->5475 5474->5453 5475->5474 5477 7ff8b90a389c 2 API calls 5475->5477 5478 7ff8b90a23f4 WppAutoLogTrace 5475->5478 5479 7ff8b90a6b58 EnterCriticalSection 5475->5479 5477->5475 5478->5475 5482 7ff8b90a6eb0 5479->5482 5481 7ff8b90a6b8b LeaveCriticalSection 5481->5475 5483 7ff8b90a6ed9 5482->5483 5483->5481 5036 7ff8b90af746 5037 7ff8b90ad890 FindHandler 7 API calls 5036->5037 5038 7ff8b90af754 5037->5038 5039 7ff8b90af75f 5038->5039 5040 7ff8b90ad890 FindHandler 7 API calls 5038->5040 5040->5039 5484 7ff8b90addba terminate 5485 7ff8b90af6b8 5486 7ff8b90ace8c __CxxCallCatchBlock 8 API calls 5485->5486 5488 7ff8b90af6cb 5486->5488 5487 7ff8b90ad890 FindHandler 7 API calls 5489 7ff8b90af710 5487->5489 5492 7ff8b90af0f8 __CxxCallCatchBlock 7 API calls 5488->5492 5493 7ff8b90af6fc __DestructExceptionObject 5488->5493 5490 7ff8b90ad890 FindHandler 7 API calls 5489->5490 5491 7ff8b90af720 5490->5491 5492->5493 5493->5487 5041 7ff8b90a4870 5060 7ff8b90a39bc 5041->5060 5043 7ff8b90a48b8 5044 7ff8b90a48e7 5043->5044 5045 7ff8b90a48be 5043->5045 5047 7ff8b90a4914 5044->5047 5057 
7ff8b90a4983 5044->5057 5046 7ff8b90a23f4 WppAutoLogTrace 5045->5046 5049 7ff8b90a48e0 5046->5049 5048 7ff8b90a2340 2 API calls 5047->5048 5048->5049 5050 7ff8b90a4aa9 5051 7ff8b90a2340 2 API calls 5050->5051 5051->5049 5053 7ff8b90a49e3 CreateEventW 5054 7ff8b90a49fd GetLastError 5053->5054 5053->5057 5054->5057 5055 7ff8b90a23f4 WppAutoLogTrace 5055->5057 5057->5050 5057->5053 5057->5055 5058 7ff8b90a23f4 WppAutoLogTrace 5057->5058 5064 7ff8b90a746c 5057->5064 5086 7ff8b90a30b0 5057->5086 5059 7ff8b90a4a80 CloseHandle 5058->5059 5059->5057 5061 7ff8b90a3a72 WppAutoLogTrace 5060->5061 5062 7ff8b90a3a1a 5060->5062 5061->5043 5062->5061 5063 7ff8b90a3a25 TraceMessage 5062->5063 5063->5061 5065 7ff8b90a7642 5064->5065 5066 7ff8b90a74aa 5064->5066 5067 7ff8b90a2340 2 API calls 5065->5067 5066->5065 5069 7ff8b90a74bc 5066->5069 5068 7ff8b90a763e 5067->5068 5072 7ff8b90aba70 __FrameHandler3::UnwindNestedFrames 8 API calls 5068->5072 5114 7ff8b90a8328 memset 5069->5114 5074 7ff8b90a7678 5072->5074 5074->5057 5087 7ff8b90a23f4 WppAutoLogTrace 5086->5087 5088 7ff8b90a3129 5087->5088 5174 7ff8b90a3614 5088->5174 5090 7ff8b90a313b 5092 7ff8b90a2340 2 API calls 5090->5092 5091 7ff8b90a3137 5091->5090 5093 7ff8b90a319d 5091->5093 5105 7ff8b90a3160 5092->5105 5183 7ff8b90a73e0 5093->5183 5094 7ff8b90aba70 __FrameHandler3::UnwindNestedFrames 8 API calls 5095 7ff8b90a33a4 5094->5095 5095->5057 5100 7ff8b90a31e6 5102 7ff8b90a2340 2 API calls 5100->5102 5101 7ff8b90a321b 5193 7ff8b90a3be0 5101->5193 5102->5105 5105->5094 5106 7ff8b90a2340 2 API calls 5108 7ff8b90a3263 5106->5108 5109 7ff8b90a2340 2 API calls 5108->5109 5110 7ff8b90a23f4 WppAutoLogTrace 5108->5110 5112 7ff8b90a334a 5108->5112 5200 7ff8b90a6bb0 EnterCriticalSection 5108->5200 5208 7ff8b90a6c5c EnterCriticalSection 5108->5208 5109->5108 5110->5108 5113 7ff8b90a39bc 2 API calls 5112->5113 5113->5105 5115 7ff8b90a8377 5114->5115 5139 7ff8b90a8a20 5115->5139 5117 7ff8b90a8395 5143 7ff8b90a89a4 5117->5143 5140 
7ff8b90a8a66 5139->5140 5142 7ff8b90a8a3b 5139->5142 5146 7ff8b90a8098 5140->5146 5142->5117 5144 7ff8b90a89f5 5143->5144 5166 7ff8b90a818c 5144->5166 5147 7ff8b90a8186 5146->5147 5148 7ff8b90a80cc 5146->5148 5163 7ff8b90a8924 5147->5163 5155 7ff8b90a8938 5148->5155 5152 7ff8b90a8107 5153 7ff8b90a8159 5152->5153 5154 7ff8b90a8180 _invalid_parameter_noinfo_noreturn 5152->5154 5153->5142 5154->5147 5156 7ff8b90a895e 5155->5156 5159 7ff8b90a8987 5155->5159 5157 7ff8b90ab994 4 API calls 5156->5157 5161 7ff8b90a896e 5157->5161 5158 7ff8b90a8996 5158->5152 5159->5158 5160 7ff8b90ab994 4 API calls 5159->5160 5160->5158 5161->5159 5162 7ff8b90a899b _invalid_parameter_noinfo_noreturn 5161->5162 5164 7ff8b90ab954 std::_Xinvalid_argument 4 API calls 5163->5164 5165 7ff8b90a8934 5164->5165 5167 7ff8b90a82c5 5166->5167 5168 7ff8b90a81cb 5166->5168 5169 7ff8b90a8924 4 API calls 5167->5169 5170 7ff8b90a8938 5 API calls 5168->5170 5171 7ff8b90a820a 5169->5171 5170->5171 5172 7ff8b90a82cb _invalid_parameter_noinfo_noreturn 5171->5172 5173 7ff8b90a8278 5171->5173 5175 7ff8b90a362f 5174->5175 5178 7ff8b90a365f 5174->5178 5176 7ff8b90a23f4 WppAutoLogTrace 5175->5176 5181 7ff8b90a365a 5176->5181 5177 7ff8b90a36f0 5180 7ff8b90a24d0 2 API calls 5177->5180 5178->5177 5179 7ff8b90a36a6 5178->5179 5178->5181 5211 7ff8b90a3740 5179->5211 5180->5181 5181->5091 5184 7ff8b90a7407 5183->5184 5185 7ff8b90a9390 7 API calls 5184->5185 5186 7ff8b90a31b1 5185->5186 5187 7ff8b90a3ce0 CoCreateGuid 5186->5187 5188 7ff8b90a3d4e 5187->5188 5189 7ff8b90a23f4 WppAutoLogTrace 5188->5189 5190 7ff8b90a3d7c 5188->5190 5189->5190 5191 7ff8b90aba70 __FrameHandler3::UnwindNestedFrames 8 API calls 5190->5191 5192 7ff8b90a31e2 5191->5192 5192->5100 5192->5101 5194 7ff8b90a3c82 5193->5194 5196 7ff8b90a3c11 5193->5196 5215 7ff8b90a45e4 5194->5215 5196->5194 5198 7ff8b90a3c2a memset InitializeCriticalSection 5196->5198 5197 7ff8b90a3237 5197->5106 5197->5108 5198->5197 5201 7ff8b90a6be8 5200->5201 5202 7ff8b90a6c1d 
5201->5202 5203 7ff8b90a6bed 5201->5203 5219 7ff8b90a67f4 5202->5219 5205 7ff8b90a23f4 WppAutoLogTrace 5203->5205 5206 7ff8b90a6c1b LeaveCriticalSection 5205->5206 5206->5108 5209 7ff8b90a6c9a 5208->5209 5210 7ff8b90a6caa LeaveCriticalSection 5209->5210 5210->5108 5212 7ff8b90a37a3 5211->5212 5213 7ff8b90a3816 WppAutoLogTrace 5211->5213 5212->5213 5214 7ff8b90a37ae TraceMessage 5212->5214 5213->5181 5214->5213 5216 7ff8b90a46d7 WppAutoLogTrace 5215->5216 5217 7ff8b90a464e 5215->5217 5216->5197 5217->5216 5218 7ff8b90a4659 TraceMessage 5217->5218 5218->5216 5220 7ff8b90a681a 5219->5220 5224 7ff8b90a6841 5220->5224 5225 7ff8b90a61e0 5220->5225 5224->5206 5254 7ff8b90a6f94 5225->5254 5228 7ff8b90a64ac 5229 7ff8b90a64e4 5228->5229 5230 7ff8b90a6507 5228->5230 5257 7ff8b90a6220 5229->5257 5232 7ff8b90a6510 5230->5232 5233 7ff8b90a6542 5230->5233 5235 7ff8b90a651d 5232->5235 5236 7ff8b90a666f 5232->5236 5237 7ff8b90a6547 5233->5237 5238 7ff8b90a6579 5233->5238 5234 7ff8b90a64ff 5234->5224 5241 7ff8b90a6220 4 API calls 5235->5241 5287 7ff8b90a66b4 5236->5287 5237->5236 5239 7ff8b90a6557 5237->5239 5243 7ff8b90a659c 5238->5243 5244 7ff8b90a65e1 5238->5244 5242 7ff8b90a6220 4 API calls 5239->5242 5241->5234 5242->5234 5245 7ff8b90a65ce 5243->5245 5246 7ff8b90a65be 5243->5246 5244->5236 5247 7ff8b90a6636 5244->5247 5249 7ff8b90a6220 4 API calls 5245->5249 5248 7ff8b90a6220 4 API calls 5246->5248 5250 7ff8b90a6662 5247->5250 5251 7ff8b90a6652 5247->5251 5248->5234 5249->5234 5253 7ff8b90a6220 4 API calls 5250->5253 5252 7ff8b90a6220 4 API calls 5251->5252 5252->5234 5253->5234 5255 7ff8b90ab994 4 API calls 5254->5255 5256 7ff8b90a61fb 5255->5256 5256->5228 5258 7ff8b90a6490 5257->5258 5275 7ff8b90a624f 5257->5275 5259 7ff8b90ab954 std::_Xinvalid_argument 4 API calls 5258->5259 5260 7ff8b90a64a9 5259->5260 5261 7ff8b90a64e4 5260->5261 5262 7ff8b90a6507 5260->5262 5263 7ff8b90a6220 4 API calls 5261->5263 5264 7ff8b90a6510 5262->5264 5265 7ff8b90a6542 5262->5265 5266 
7ff8b90a64ff 5263->5266 5267 7ff8b90a651d 5264->5267 5268 7ff8b90a666f 5264->5268 5269 7ff8b90a6547 5265->5269 5270 7ff8b90a6579 5265->5270 5266->5234 5273 7ff8b90a6220 4 API calls 5267->5273 5272 7ff8b90a66b4 4 API calls 5268->5272 5269->5268 5271 7ff8b90a6557 5269->5271 5276 7ff8b90a659c 5270->5276 5279 7ff8b90a65e1 5270->5279 5274 7ff8b90a6220 4 API calls 5271->5274 5272->5266 5273->5266 5274->5266 5275->5234 5277 7ff8b90a65ce 5276->5277 5278 7ff8b90a65be 5276->5278 5281 7ff8b90a6220 4 API calls 5277->5281 5280 7ff8b90a6220 4 API calls 5278->5280 5279->5268 5282 7ff8b90a6636 5279->5282 5280->5266 5281->5266 5283 7ff8b90a6662 5282->5283 5284 7ff8b90a6652 5282->5284 5286 7ff8b90a6220 4 API calls 5283->5286 5285 7ff8b90a6220 4 API calls 5284->5285 5285->5266 5286->5266 5290 7ff8b90a66ef 5287->5290 5288 7ff8b90a676c 5292 7ff8b90a6220 4 API calls 5288->5292 5293 7ff8b90a675d 5288->5293 5289 7ff8b90a6738 5291 7ff8b90a6220 4 API calls 5289->5291 5290->5288 5290->5289 5291->5293 5292->5293 5293->5234 5294 7ff8b90a7370 5295 7ff8b90a78e8 _invalid_parameter_noinfo_noreturn 5294->5295 5296 7ff8b90a7382 5295->5296 5497 7ff8b90a52f0 5498 7ff8b90a2a98 2 API calls 5497->5498 5499 7ff8b90a532a 5498->5499 5504 7ff8b90a4284 5499->5504 5502 7ff8b90a2340 2 API calls 5503 7ff8b90a5353 5502->5503 5505 7ff8b90a42b6 5504->5505 5506 7ff8b90a42e9 5505->5506 5507 7ff8b90a42be 5505->5507 5509 7ff8b90a6cd0 2 API calls 5506->5509 5508 7ff8b90a2340 2 API calls 5507->5508 5510 7ff8b90a42e4 5508->5510 5511 7ff8b90a4303 5509->5511 5510->5502 5512 7ff8b90a4307 5511->5512 5513 7ff8b90a4336 5511->5513 5514 7ff8b90a2a98 2 API calls 5512->5514 5516 7ff8b90a6170 9 API calls 5513->5516 5519 7ff8b90a4357 5513->5519 5514->5510 5515 7ff8b90a4420 11 API calls 5515->5510 5517 7ff8b90a4345 5516->5517 5518 7ff8b90a59f8 8 API calls 5517->5518 5517->5519 5518->5519 5519->5515 4235 7ff8b90a9af0 4236 7ff8b90a23f4 WppAutoLogTrace 4235->4236 4237 7ff8b90a9b34 4236->4237 4244 7ff8b90a7434 4237->4244 4240 7ff8b90a9b9f 
4243 7ff8b90a23f4 WppAutoLogTrace 4243->4240 4261 7ff8b90a8f44 4244->4261 4247 7ff8b90a2c54 4248 7ff8b90a2340 2 API calls 4247->4248 4249 7ff8b90a2ca8 4248->4249 4274 7ff8b90a83e0 GetCurrentProcessId OpenProcess 4249->4274 4252 7ff8b90a83e0 17 API calls 4253 7ff8b90a2db4 4252->4253 4254 7ff8b90a2db8 4253->4254 4255 7ff8b90a2ddf 4253->4255 4256 7ff8b90a23f4 WppAutoLogTrace 4254->4256 4287 7ff8b90a2a98 4255->4287 4257 7ff8b90a2ddd 4256->4257 4291 7ff8b90aba70 4257->4291 4262 7ff8b90a8fa0 4261->4262 4263 7ff8b90a8fd7 4262->4263 4264 7ff8b90a8fa4 4262->4264 4266 7ff8b90a9080 RtlInitUnicodeString 4263->4266 4267 7ff8b90a8fe6 RtlInitUnicodeString 4263->4267 4265 7ff8b90a23f4 WppAutoLogTrace 4264->4265 4270 7ff8b90a745c 4265->4270 4268 7ff8b90a90cd 4266->4268 4269 7ff8b90a902c 4267->4269 4268->4270 4272 7ff8b90a9600 2 API calls 4268->4272 4269->4266 4271 7ff8b90a9030 4269->4271 4270->4240 4270->4247 4273 7ff8b90a23f4 WppAutoLogTrace 4271->4273 4272->4270 4273->4270 4275 7ff8b90a843e GetLastError 4274->4275 4278 7ff8b90a8473 4274->4278 4276 7ff8b90a23f4 WppAutoLogTrace 4275->4276 4277 7ff8b90a846e 4276->4277 4279 7ff8b90aba70 __FrameHandler3::UnwindNestedFrames 8 API calls 4277->4279 4280 7ff8b90a84a9 K32EnumProcessModules 4278->4280 4281 7ff8b90a2d88 4279->4281 4282 7ff8b90a85bc 4280->4282 4285 7ff8b90a84c9 4280->4285 4281->4252 4283 7ff8b90a85c9 FindCloseChangeNotification 4282->4283 4283->4277 4284 7ff8b90a851c GetCurrentProcess 4284->4285 4285->4282 4285->4284 4286 7ff8b90a8567 VirtualProtect VirtualProtect 4285->4286 4286->4285 4288 7ff8b90a2af0 4287->4288 4289 7ff8b90a2b2c WppAutoLogTrace 4287->4289 4288->4289 4290 7ff8b90a2afb TraceMessage 4288->4290 4289->4257 4290->4289 4292 7ff8b90aba7a 4291->4292 4293 7ff8b90a2e46 4292->4293 4294 7ff8b90abfa0 IsProcessorFeaturePresent 4292->4294 4293->4240 4293->4243 4295 7ff8b90abfb7 4294->4295 4300 7ff8b90ac074 RtlCaptureContext 4295->4300 4301 7ff8b90ac08e RtlLookupFunctionEntry 4300->4301 4302 7ff8b90ac0a4 RtlVirtualUnwind 
4301->4302 4303 7ff8b90abfca 4301->4303 4302->4301 4302->4303 4304 7ff8b90abf64 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 4303->4304 5520 7ff8b90a9cf0 5521 7ff8b90a9d2d 5520->5521 5522 7ff8b90a39bc 2 API calls 5521->5522 5523 7ff8b90a9d60 5522->5523 5524 7ff8b90a99dc 2 API calls 5523->5524 5525 7ff8b90a9d68 5524->5525 5526 7ff8b90a9d9f 5525->5526 5527 7ff8b90a9d6d 5525->5527 5531 7ff8b90a19e8 EnterCriticalSection 5526->5531 5528 7ff8b90a2340 2 API calls 5527->5528 5530 7ff8b90a9d9d 5528->5530 5534 7ff8b90a1620 5531->5534 5533 7ff8b90a1a25 LeaveCriticalSection 5533->5530 5535 7ff8b90a1646 5534->5535 5537 7ff8b90a166e 5535->5537 5538 7ff8b90a1000 5535->5538 5537->5533 5541 7ff8b90a1c44 5538->5541 5542 7ff8b90ab994 4 API calls 5541->5542 5543 7ff8b90a101b 5542->5543 5543->5537 5547 7ff8b90ab8f4 5548 7ff8b90ad70c 5547->5548 5549 7ff8b90ad723 5548->5549 5550 7ff8b90ad71b free 5548->5550 5550->5549 5297 7ff8b90ac26c 5302 7ff8b90ad7bc 5297->5302 5299 7ff8b90ac279 5300 7ff8b90ac275 __scrt_uninitialize_crt 5300->5299 5305 7ff8b90ad7d0 5300->5305 5303 7ff8b90ad8ac __vcrt_getptd_noexit 7 API calls 5302->5303 5304 7ff8b90ad7c5 5303->5304 5304->5300 5308 7ff8b90ad840 5305->5308 5309 7ff8b90ad854 5308->5309 5310 7ff8b90ad7db 5308->5310 5311 7ff8b90ad868 FlsSetValue 5309->5311 5312 7ff8b90ad859 FlsGetValue 5309->5312 5310->5299 5311->5310 5313 7ff8b90ad875 5311->5313 5312->5311 5313->5310 5314 7ff8b90ad881 free 5313->5314 5314->5310 5315 7ff8b90a2e60 5316 7ff8b90a2a98 2 API calls 5315->5316 5317 7ff8b90a2e91 5316->5317 5318 7ff8b90a5360 5319 7ff8b90a2340 2 API calls 5318->5319 5321 7ff8b90a539d 5319->5321 5320 7ff8b90a541a 5323 7ff8b90a2340 2 API calls 5320->5323 5321->5320 5322 7ff8b90a53b3 5321->5322 5324 7ff8b90a5450 5 API calls 5322->5324 5325 7ff8b90a5416 5323->5325 5326 7ff8b90a53ce 5324->5326 5327 7ff8b90a53f5 5326->5327 5328 7ff8b90a2340 2 API calls 5326->5328 5329 7ff8b90a2340 2 API calls 5327->5329 5328->5327 5329->5325 5552 

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Print
                                                                                                      • String ID: FxDriverEntryUm: DriverEntry status %08X$FxDriverEntryUm: PDRIVER_OBJECT_UM 0x%p Successfully bound to class library if present$FxDriverEntryUm: PDRIVER_OBJECT_UM 0x%p Successfully bound to version library$FxDriverEntryUm: PDRIVER_OBJECT_UM 0x%p Successfully returned from driver's DriverEntry$FxDriverEntryUm: VersionBind status %08X$FxDriverEntrydUm Enter PDRIVER_OBJECT_UM 0x%p$Wudfx2000:
                                                                                                      • API String ID: 3558298466-1472618948
                                                                                                      • Opcode ID: bb4ab19fbeff9559545acc8e689e09482ef8633d8afe6dfe3a3301a72c603fc2
                                                                                                      • Instruction ID: 4ec6a04e786d848aed02365bf88f24f6152f06e0a111a71001282d7d8528995a
                                                                                                      • Opcode Fuzzy Hash: bb4ab19fbeff9559545acc8e689e09482ef8633d8afe6dfe3a3301a72c603fc2
                                                                                                      • Instruction Fuzzy Hash: 9D512E24A09FC396EB548F59A8582B96361FF49BE4F504036DB0E573A9DE3CE44BCA40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Process$CurrentProtectVirtual$AutoChangeCloseEnumErrorFindLastModulesNotificationOpenTrace
                                                                                                      • String ID: iddcx.dll
                                                                                                      • API String ID: 197447298-4163666229
                                                                                                      • Opcode ID: d1a90e512ccf06b52219f042a78ee737138c3a24375b34af5ca96d04cfab1a1d
                                                                                                      • Instruction ID: 99a10a7f3a68e81c91793795b26a066ef53483b4ff9041c37f3785ac6ec2e89c
                                                                                                      • Opcode Fuzzy Hash: d1a90e512ccf06b52219f042a78ee737138c3a24375b34af5ca96d04cfab1a1d
                                                                                                      • Instruction Fuzzy Hash: 0E51813261DA8285EE54DF2AA8546AA6370FB89BE4F404131EF5E47794DF3CE847CB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: mallocmemset
                                                                                                      • String ID: ($8
                                                                                                      • API String ID: 2882185209-284530546
                                                                                                      • Opcode ID: f93b40dbff8dc9722ff73209c0e77ece645ce7ca20c8cf9f68070899220af56c
                                                                                                      • Instruction ID: bcff24a79c0058ccbec7b443b346f3ddc360805975fbb84ea634d8dffa78eeab
                                                                                                      • Opcode Fuzzy Hash: f93b40dbff8dc9722ff73209c0e77ece645ce7ca20c8cf9f68070899220af56c
                                                                                                      • Instruction Fuzzy Hash: B4614836A09B8285EB508F1AE8802A977B4FB89BE4F504136DF4D53765DF3CE446CB80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Trace$AutoCloseMessageOpenQueryValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 157522393-0
                                                                                                      • Opcode ID: b83dc03b227b42366ff2d5519f44e7d9cf7ad76f3d7e1daed7e8827a0b818578
                                                                                                      • Instruction ID: ac36bcd3c16b6712644453b39c204f9b86b17b4d28861070eaaab1cffa93a363
                                                                                                      • Opcode Fuzzy Hash: b83dc03b227b42366ff2d5519f44e7d9cf7ad76f3d7e1daed7e8827a0b818578
                                                                                                      • Instruction Fuzzy Hash: D5318D32718B8286DB208F15E48096973B8FB89BD8F540136DB9D43B65CF3DE546CB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00007FF8B90A2340: TraceMessage.ADVAPI32 ref: 00007FF8B90A23BC
                                                                                                        • Part of subcall function 00007FF8B90A2340: WppAutoLogTrace.WPPRECORDERUM ref: 00007FF8B90A23DA
                                                                                                        • Part of subcall function 00007FF8B90A9DE8: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B90A9E01
                                                                                                      • RtlInitUnicodeString.NTDLL ref: 00007FF8B90AA12D
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Trace$AutoInitMessageStringUnicodememset
                                                                                                      • String ID: \DosDevices\Global\v3DDKIndirectCtrlMirrorOp
                                                                                                      • API String ID: 3309296490-203415369
                                                                                                      • Opcode ID: 6237c8417ddc51fb533f343be5af83b2c491143f0f210a4f617f79f007cd6a3c
                                                                                                      • Instruction ID: add2ba2fbf2340f59b31f966baaca175742168f9ad27fca4c13a5bd2ba5c54d1
                                                                                                      • Opcode Fuzzy Hash: 6237c8417ddc51fb533f343be5af83b2c491143f0f210a4f617f79f007cd6a3c
                                                                                                      • Instruction Fuzzy Hash: 1D315A31B08B8281EE208F1AE8906796761FB89FE4F400032DF4D877A5CE6DE547DB80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Trace$AutoInitStringUnicode$Message
                                                                                                      • String ID:
                                                                                                      • API String ID: 2970552445-0
                                                                                                      • Opcode ID: 26d93693c8a34fc82003f05adb3041b0b6f3c0deb2e5d1dad2c642d86f346ab4
                                                                                                      • Instruction ID: f7de2341916d37ea90358675ab64f7346cdae5c00d71ae7e421140694f6219d5
                                                                                                      • Opcode Fuzzy Hash: 26d93693c8a34fc82003f05adb3041b0b6f3c0deb2e5d1dad2c642d86f346ab4
                                                                                                      • Instruction Fuzzy Hash: FD511536B18A9685EB508F19E8847A92374FB89BE8F440136DF4D57768CF39D086CB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00007FF8B90A2340: TraceMessage.ADVAPI32 ref: 00007FF8B90A23BC
                                                                                                        • Part of subcall function 00007FF8B90A2340: WppAutoLogTrace.WPPRECORDERUM ref: 00007FF8B90A23DA
                                                                                                      • memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B90A9F64
                                                                                                        • Part of subcall function 00007FF8B90A23F4: WppAutoLogTrace.WPPRECORDERUM ref: 00007FF8B90A24B4
                                                                                                        • Part of subcall function 00007FF8B90AA1CC: UnregisterTraceGuids.ADVAPI32(?,?,?,00007FF8B90AA00A), ref: 00007FF8B90AA1F7
                                                                                                        • Part of subcall function 00007FF8B90AA1CC: WppAutoLogStop.WPPRECORDERUM(?,?,?,00007FF8B90AA00A), ref: 00007FF8B90AA214
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Trace$Auto$GuidsMessageStopUnregistermemset
                                                                                                      • String ID:
                                                                                                      • API String ID: 1399362584-0
                                                                                                      • Opcode ID: 6ddb2a2449b1b3cc31c96d76f3c801e575412145e0f3f500434ab18c60f2ec76
                                                                                                      • Instruction ID: 447388e7e9e41aaa3f5f52e608a01ac1adcad0ceb5f5df7cfab5a0375deb9c20
                                                                                                      • Opcode Fuzzy Hash: 6ddb2a2449b1b3cc31c96d76f3c801e575412145e0f3f500434ab18c60f2ec76
                                                                                                      • Instruction Fuzzy Hash: 18415B32A09B8299EB11CF19E8506AD33A5FB49798F804235DB4C43764CF3DE55ADB44
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 186 7ff8b90a9de8-7ff8b90a9e8e memset 188 7ff8b90a9e90-7ff8b90a9eb7 call 7ff8b90a23f4 186->188 189 7ff8b90a9ebc-7ff8b90a9ec6 186->189 188->189
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AutoTracememset
                                                                                                      • String ID:
                                                                                                      • API String ID: 689702502-0
                                                                                                      • Opcode ID: 9490bf59f5409ea6e6973d7511feb8822fd87c3eefbbca1bd2a373c16c37a8f0
                                                                                                      • Instruction ID: 274ee628bf40856efb7aaf6fa8e6040374cc1a08713b8bda76ea4cd6c7d1b107
                                                                                                      • Opcode Fuzzy Hash: 9490bf59f5409ea6e6973d7511feb8822fd87c3eefbbca1bd2a373c16c37a8f0
                                                                                                      • Instruction Fuzzy Hash: 5921B935619F8695EE118F19F4902AA73A4FB85790F500136DB8D43724EF3DE55ACB80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
                                                                                                      • String ID:
                                                                                                      • API String ID: 1988982384-0
                                                                                                      • Opcode ID: 8d8b0e93604f7b03aea2aa78e3838d357983f06e7bcd9ff22b2a10f1b62a33d3
                                                                                                      • Instruction ID: a1fb7864e4ac59faab524732fad2b086e7745de671b8c3cad5ca27f265f97566
                                                                                                      • Opcode Fuzzy Hash: 8d8b0e93604f7b03aea2aa78e3838d357983f06e7bcd9ff22b2a10f1b62a33d3
                                                                                                      • Instruction Fuzzy Hash: 5291A221E1C6D386FE90AF7D94812B966D1AF85BE0F544435DB0D477A6DE3CE8438780
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Thread$CharacteristicsTraceWait$AutoCurrentEventMessageMultipleObjectObjectsPriorityResetRevertSingle
                                                                                                      • String ID: Distribution
                                                                                                      • API String ID: 3895777651-3162107001
                                                                                                      • Opcode ID: ba62c29dfb673f1b1e723df5feba3de5e7d2b8e6b0306b30644bfac8037b0bf5
                                                                                                      • Instruction ID: 87492dd58b92cbe38f1cb70ad0c8a5e0e5ad7426faf9d845038bc7b7706e0e06
                                                                                                      • Opcode Fuzzy Hash: ba62c29dfb673f1b1e723df5feba3de5e7d2b8e6b0306b30644bfac8037b0bf5
                                                                                                      • Instruction Fuzzy Hash: D1515D32A18A8682EE20DF1AE4905697760FB85FE8F404135DF4E47BA4DF3DE5479B80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSectionThread$AutoCloseCreateEnterErrorHandleLastLeaveTerminateTrace
                                                                                                      • String ID:
                                                                                                      • API String ID: 2287874929-0
                                                                                                      • Opcode ID: cfd441021691846264737c729189ec89ccbfd936bbe59bff10446568655a7716
                                                                                                      • Instruction ID: 4cb02b1c0bd9c11bd20f3dad939a39e39fa4f9d4d941d648b18ca9d398baa7e0
                                                                                                      • Opcode Fuzzy Hash: cfd441021691846264737c729189ec89ccbfd936bbe59bff10446568655a7716
                                                                                                      • Instruction Fuzzy Hash: 60218E32A18A8286EF54CF29E8802A97375FB49BD8F504131DB4D43768DF3CE946CB44
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Trace$AutoEvent$CloseCreateErrorHandleLastMessage
                                                                                                      • String ID: $
                                                                                                      • API String ID: 3185613287-3993045852
                                                                                                      • Opcode ID: 096dfecbe59222bc1f9c0b65a47521039350d6e8050f453a2acb67b19557d57a
                                                                                                      • Instruction ID: c5d0e3b29b034192ee1e6f8c752c41b0beb0af2eb22831a209020cce452f51e0
                                                                                                      • Opcode Fuzzy Hash: 096dfecbe59222bc1f9c0b65a47521039350d6e8050f453a2acb67b19557d57a
                                                                                                      • Instruction Fuzzy Hash: E4914732A18A8286EB24CF1AE4906AD37B5FB49BD8F414032DF4D57B64CF39E546DB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSectionTrace$AutoCloseEnterErrorHandleLastLeaveMessageOpenProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 2031306231-0
                                                                                                      • Opcode ID: 3e2bb08ac1c2f13e974f2cdaca79f2374d0cb90e86d9eb2d476af5c7a330f06f
                                                                                                      • Instruction ID: dbe6f9dbfa23307279b4bc0777af963823d9049e27a4398a96fb3340d6a38ae5
                                                                                                      • Opcode Fuzzy Hash: 3e2bb08ac1c2f13e974f2cdaca79f2374d0cb90e86d9eb2d476af5c7a330f06f
                                                                                                      • Instruction Fuzzy Hash: 90416D72A18A8686EF608F19E4802797765FB94BE8F104136DB4D47B64DF3CE943C780
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Trace$AutoMessage
                                                                                                      • String ID: InsiderPreviewPatch01$NULL
                                                                                                      • API String ID: 3974790930-884961456
                                                                                                      • Opcode ID: 2eb4c23508f2ef29a44afe2daf3477ce2fff856d3a3f1fbcbb8be093f61854a0
                                                                                                      • Instruction ID: b8b5e08c73806085cbd07ac2424c8169abd796c0db0acf0e38d813cb3d0312f2
                                                                                                      • Opcode Fuzzy Hash: 2eb4c23508f2ef29a44afe2daf3477ce2fff856d3a3f1fbcbb8be093f61854a0
                                                                                                      • Instruction Fuzzy Hash: F731AB32718B9185EB108F09E80075AB7A9F784BE4F444235EFAD43B94DF39D842C740
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • TraceMessage.ADVAPI32(?,?,?,?,?,?,InsiderPreviewPatch01,00007FF8B90A9464), ref: 00007FF8B90A958E
                                                                                                      • WppAutoLogTrace.WPPRECORDERUM(?,?,?,?,?,?,InsiderPreviewPatch01,00007FF8B90A9464), ref: 00007FF8B90A95DB
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Trace$AutoMessage
                                                                                                      • String ID: InsiderPreviewPatch01$NULL
                                                                                                      • API String ID: 3974790930-884961456
                                                                                                      • Opcode ID: 42168d8271cd299be1d8d30371282fe681c0d436852659867abbaaebbfde9337
                                                                                                      • Instruction ID: 9ae6c9d0f107b3205a97bc9f9ba74a17908314603731df016d8e0e07a48e2272
                                                                                                      • Opcode Fuzzy Hash: 42168d8271cd299be1d8d30371282fe681c0d436852659867abbaaebbfde9337
                                                                                                      • Instruction Fuzzy Hash: BC31C132718B9181EB148F29A805659B7A9F788BE4F484231EFAD43B95DF3CD853C740
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                                                                      • String ID: csm
                                                                                                      • API String ID: 2280078643-1018135373
                                                                                                      • Opcode ID: 823ddda207a4dd51195e4671787722eba51f5941b724e0260e40f807ab11711d
                                                                                                      • Instruction ID: 95e948c7fa26b31753c737b88a498d25d178d4337d79a5ace7d4025643634931
                                                                                                      • Opcode Fuzzy Hash: 823ddda207a4dd51195e4671787722eba51f5941b724e0260e40f807ab11711d
                                                                                                      • Instruction Fuzzy Hash: B5211E36608A8186EA30DF59E04066E7B60F7A8BB5F144221DF9E07795CF3CE846CB80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Trace$AutoCurrentDuplicateErrorHandleLastMessageProcess
                                                                                                      • String ID: @
                                                                                                      • API String ID: 1247356310-2766056989
                                                                                                      • Opcode ID: 67e5f5490c3d454e8b1c4a7cc8738c7be903818a90e45f5893b4764a942c097b
                                                                                                      • Instruction ID: b55b21528bb4628340f796c20a85977065b40d660191274af07e1a0eae71b691
                                                                                                      • Opcode Fuzzy Hash: 67e5f5490c3d454e8b1c4a7cc8738c7be903818a90e45f5893b4764a942c097b
                                                                                                      • Instruction Fuzzy Hash: 16215372A08B8286EB60CF19E45026977B0FB89BD8F440134EB4D47B59DF3DE546DB44
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: terminate
                                                                                                      • String ID: MOC$RCC$csm
                                                                                                      • API String ID: 1821763600-2671469338
                                                                                                      • Opcode ID: ee6917a798ecef4973d7d3b4ec4d4fe72bfcd9ad21f17a0a37251a6e57eff394
                                                                                                      • Instruction ID: 5ca2f183b0ec7921948066f1b547ad30e517a10ed53362ad51fe6912b214e138
                                                                                                      • Opcode Fuzzy Hash: ee6917a798ecef4973d7d3b4ec4d4fe72bfcd9ad21f17a0a37251a6e57eff394
                                                                                                      • Instruction Fuzzy Hash: CBF0303AD18186C6EBA42E9DC14527C3294EF94BF6FA55471C708473828F7CE8428BD2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                        • Part of subcall function 00007FF8B90A8328: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B90A835E
                                                                                                      • memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B90A75BE
                                                                                                        • Part of subcall function 00007FF8B90A2340: TraceMessage.ADVAPI32 ref: 00007FF8B90A23BC
                                                                                                        • Part of subcall function 00007FF8B90A2340: WppAutoLogTrace.WPPRECORDERUM ref: 00007FF8B90A23DA
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Tracememset$AutoMessage
                                                                                                      • String ID: MonitorConnectionInfo$MonitorIndex$Target_
                                                                                                      • API String ID: 2212811-1388336407
                                                                                                      • Opcode ID: 6e94b7cc79ccb3cd0481249f042a7643cee928777ec7d752cca1f47396928f99
                                                                                                      • Instruction ID: 1be381796bd7da044f7e3a93747a38927610ff94cf46f481a7fdace71949a2ac
                                                                                                      • Opcode Fuzzy Hash: 6e94b7cc79ccb3cd0481249f042a7643cee928777ec7d752cca1f47396928f99
                                                                                                      • Instruction Fuzzy Hash: 4D511A32F08A8289EF20CF69E8506AC2760AB597E8F544135DF4D57AA5DF38E547C740
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Trace$AutoMessage
                                                                                                      • String ID: NULL
                                                                                                      • API String ID: 3974790930-324932091
                                                                                                      • Opcode ID: 3958be23fc19336d7dd03439b4c9d1e2cab747305af9fd8e5f1ff0d2e02bc9a2
                                                                                                      • Instruction ID: 8b510492771ea4bea927b3d15fab494881c7bae18dd1976fd72350ef4060bbca
                                                                                                      • Opcode Fuzzy Hash: 3958be23fc19336d7dd03439b4c9d1e2cab747305af9fd8e5f1ff0d2e02bc9a2
                                                                                                      • Instruction Fuzzy Hash: 6541BD32618BD182DB208F19E84069AB7B8F784BA0F544235EF9D43B98DF38D952C740
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000D.00000002.4459129552.00007FF8B90A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8B90A0000, based on PE: true
                                                                                                      • Associated: 0000000D.00000002.4459113505.00007FF8B90A0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459165976.00007FF8B90B5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 0000000D.00000002.4459182943.00007FF8B90B6000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_13_2_7ff8b90a0000_WUDFHost.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$AutoCloseEnterErrorHandleLastLeaveTrace
                                                                                                      • String ID:
                                                                                                      • API String ID: 4100837725-0
                                                                                                      • Opcode ID: 4b4167614deb192c73a699e9770e0b8d2a4b680929817ad647641f825cbb9811
                                                                                                      • Instruction ID: de4584044a279b85a10263c2f69bdd09818c095592049e618e7d91eff9080c61
                                                                                                      • Opcode Fuzzy Hash: 4b4167614deb192c73a699e9770e0b8d2a4b680929817ad647641f825cbb9811
                                                                                                      • Instruction Fuzzy Hash: 71011A32A08A8292EA548F19E4903296774FB8ABD4F444530DB4D47B68CF2CE567CB44
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%