Play interactive tour

Edit tour

Analysis Report c541a313a0492231a3_wmiprvse.exe

Overview

General Information

Sample Name:	c541a313a0492231a3_wmiprvse.exe
Analysis ID:	328714
MD5:	60ff40cfd7fb8fe41ee4fe9ae5fe1c51
SHA1:	3ea7cc066317ac45f963c2227c4c7c50aa16eb7c
SHA256:	2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3
Most interesting Screenshot:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

PE file contains sections with non-standard names

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Classification

Startup

System is w10x64

c541a313a0492231a3_wmiprvse.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe' MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE69F110 NtdllDefWindowProc_W,PostMessageW,		0_2_00007FF6EE69F110
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE698490 NtQuerySystemInformation,GetCurrentProcessId,char_traits,		0_2_00007FF6EE698490

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE69AC50	0_2_00007FF6EE69AC50
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE69C334	0_2_00007FF6EE69C334
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6AFF50	0_2_00007FF6EE6AFF50
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6BDFD0	0_2_00007FF6EE6BDFD0
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6B1E60	0_2_00007FF6EE6B1E60
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6D5F00	0_2_00007FF6EE6D5F00
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6AFC40	0_2_00007FF6EE6AFC40
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6CE9E8	0_2_00007FF6EE6CE9E8
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6AEA6C	0_2_00007FF6EE6AEA6C
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6C9B00	0_2_00007FF6EE6C9B00
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6D0AC4	0_2_00007FF6EE6D0AC4
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE69775C	0_2_00007FF6EE69775C
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6AF868	0_2_00007FF6EE6AF868
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE69B8FC	0_2_00007FF6EE69B8FC
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6938C4	0_2_00007FF6EE6938C4
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6BD580	0_2_00007FF6EE6BD580
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6B34EC	0_2_00007FF6EE6B34EC
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6C728C	0_2_00007FF6EE6C728C
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6B1264	0_2_00007FF6EE6B1264
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6922D0	0_2_00007FF6EE6922D0

Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: c541a313a0492231a3_wmiprvse.exe	Binary or memory string: OriginalFilename vs c541a313a0492231a3_wmiprvse.exe
Source: c541a313a0492231a3_wmiprvse.exe, 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWmiprvse.exej% vs c541a313a0492231a3_wmiprvse.exe
Source: c541a313a0492231a3_wmiprvse.exe, 00000000.00000002.491931781.00000248BD470000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs c541a313a0492231a3_wmiprvse.exe
Source: c541a313a0492231a3_wmiprvse.exe	Binary or memory string: OriginalFilenameWmiprvse.exej% vs c541a313a0492231a3_wmiprvse.exe

Source: classification engine

Classification label: clean5.winEXE@1/0@0/0

Source: c541a313a0492231a3_wmiprvse.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: c541a313a0492231a3_wmiprvse.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: c541a313a0492231a3_wmiprvse.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: c541a313a0492231a3_wmiprvse.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WmiPrvSE.pdbUGP source: c541a313a0492231a3_wmiprvse.exe
Source:	Binary string: WmiPrvSE.pdb source: c541a313a0492231a3_wmiprvse.exe

Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: c541a313a0492231a3_wmiprvse.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: c541a313a0492231a3_wmiprvse.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe

Code function: 0_2_00007FF6EE698490 NtQuerySystemInformation,GetCurrentProcessId,char_traits,

0_2_00007FF6EE698490

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe

API coverage: 5.8 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe

Code function: 0_2_00007FF6EE69F260 DelayLoadFailureHook,LdrResolveDelayLoadedAPI,

0_2_00007FF6EE69F260

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe

Code function: 0_2_00007FF6EE698490 NtQuerySystemInformation,GetCurrentProcessId,char_traits,

0_2_00007FF6EE698490

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe

Code function: 0_2_00007FF6EE699E60 EtwEventUnregister,GetProcessHeap,HeapDestroy,GetMemLogObject,?Write@CMemoryLog@@QEAAXJ@Z,

0_2_00007FF6EE699E60

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6A2CC0 SetUnhandledExceptionFilter,		0_2_00007FF6EE6A2CC0
Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe	Code function: 0_2_00007FF6EE6A293C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF6EE6A293C

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe

Code function: 0_2_00007FF6EE69C334 InitializeSecurityDescriptor,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,RtlLengthSid,LocalAlloc,RtlCreateAcl,RtlAddAccessAllowedAce,LocalFree,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,LocalFree,FreeSid,FreeSid,GetLastError,GetMemLogObject,?Write@CMemoryLog@@QEAAXJ@Z,GetLastError,GetLastError,GetMemLogObject,?Write@CMemoryLog@@QEAAXJ@Z,GetLastError,GetLastError,GetLastError,GetLastError,GetMemLogObject,?Write@CMemoryLog@@QEAAXJ@Z,GetLastError,GetLastError,GetMemLogObject,?Write@CMemoryLog@@QEAAXJ@Z,RtlNtStatusToDosError,LocalFree,GetMemLogObject,?Write@CMemoryLog@@QEAAXJ@Z,RtlNtStatusToDosError,LocalFree,GetMemLogObject,?Write@CMemoryLog@@QEAAXJ@Z,GetLastError,GetMemLogObject,?Write@CMemoryLog@@QEAAXJ@Z,GetLastError,GetMemLogObject,?Write@CMemoryLog@@QEAAXJ@Z,GetLastError,GetMemLogObject,?Write@CMemoryLog@@QEAAXJ@Z,GetMemLogObject,?Write@CMemoryLog@@QEAAXJ@Z,LocalFree,FreeSid,FreeSid,GetMemLogObject,?Write@CMemoryLog@@QEAAXJ@Z,

0_2_00007FF6EE69C334

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe

0_2_00007FF6EE69C334

Source: C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe

Code function: 0_2_00007FF6EE6A2E94 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF6EE6A2E94

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
c541a313a0492231a3_wmiprvse.exe	0%	Virustotal	Browse
c541a313a0492231a3_wmiprvse.exe	0%	Metadefender	Browse
c541a313a0492231a3_wmiprvse.exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	328714
Start date:	09.12.2020
Start time:	16:20:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	c541a313a0492231a3_wmiprvse.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean5.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 75.6% (good quality ratio 34.7%) Quality average: 29.8% Quality standard deviation: 38.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Max analysis timeout: 720s exceeded, the analysis took too long Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.2141826593596825
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	c541a313a0492231a3_wmiprvse.exe
File size:	496640
MD5:	60ff40cfd7fb8fe41ee4fe9ae5fe1c51
SHA1:	3ea7cc066317ac45f963c2227c4c7c50aa16eb7c
SHA256:	2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3
SHA512:	991e38e2b480ffc58ec5ade9dcc8747a57b29fbc9b12397a8010e73143c4dfb420e5248a0c3acf0832812c0e804080ed5a83952b9c05419d93763372ece775c3
SSDEEP:	12288:ahBzXzR4mnIu0CWQjONc3XmvzjnyBEIl/t8:qumnGDjnyBll/
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.8.X.k.X.k.X.k. .k.X.k.3.j.X.k.3.j.X.k.X.k.Y.k.3.j.X.k.3.j.X.k.3.j.X.k.3wk.X.k.3.j.X.kRich.X.k........................PE..d..

File Icon


Icon Hash:	a4e0a6beb8aea0a0

Static PE Info

General
Entrypoint:	0x140012580
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5DA7AB91 [Wed Oct 16 23:45:21 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	b71cb3ac5c352bec857c940cbc95f0f3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F0828F0D950h
dec eax
add esp, 28h
jmp 00007F0828F0D04Bh
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], edi
inc ecx
push esi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [00039F7Dh]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor edi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [00054AD2h], ebx
je 00007F0828F0D04Ch
dec eax
cmp eax, ebx
jne 00007F0828F0D05Ch
mov edi, 00000001h
mov eax, dword ptr [00054AC8h]
cmp eax, 01h
jne 00007F0828F0D059h
lea ecx, dword ptr [eax+1Eh]
call 00007F0828F0D7E3h
jmp 00007F0828F0D0BCh
mov ecx, 000003E8h
call dword ptr [0003A006h]
jmp 00007F0828F0D009h
mov eax, dword ptr [00054AA6h]
test eax, eax
jne 00007F0828F0D09Bh
mov dword ptr [00054A98h], 00000001h
dec esp
lea esi, dword ptr [0003A359h]
dec eax
lea ebx, dword ptr [0003A33Ah]
dec eax
mov dword ptr [esp+30h], ebx
mov dword ptr [esp+24h], eax
dec ecx
cmp ebx, esi
jnc 00007F0828F0D067h
test eax, eax
jne 00007F0828F0D067h
dec eax
cmp dword ptr [ebx], 00000000h
je 00007F0828F0D052h
dec eax
mov eax, dword ptr [ebx]
dec eax
mov ecx, dword ptr [0003A2B0h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x63420	0x21c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0xfa48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x68000	0x36cc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7d000	0xd00	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x51e80	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4af70	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4c358	0x598	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x62bbc	0x1a0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4711c	0x47200	False	0.406775181239	data	6.24353319739	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x49000	0x1bc4c	0x1be00	False	0.296559697309	data	4.38560302658	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x65000	0x2588	0x1c00	False	0.1787109375	data	4.17250851172	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x68000	0x36cc	0x3800	False	0.505929129464	data	5.64407195399	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6c000	0x1d8	0x200	False	0.3125	data	2.60351504795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x6d000	0xfa48	0xfc00	False	0.70372953869	data	6.8321114608	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7d000	0xd00	0xe00	False	0.344308035714	data	5.31711045203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x6d9c0	0x668	data	English	United States
RT_ICON	0x6e028	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2298443911, next used block 8849520	English	United States
RT_ICON	0x6e310	0x1e8	data	English	United States
RT_ICON	0x6e4f8	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x6e620	0xea8	data	English	United States
RT_ICON	0x6f4c8	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x6fd70	0x6c8	data	English	United States
RT_ICON	0x70438	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x709a0	0x7ba8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x78548	0x25a8	data	English	United States
RT_ICON	0x7aaf0	0x10a8	data	English	United States
RT_ICON	0x7bb98	0x988	data	English	United States
RT_ICON	0x7c520	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_GROUP_ICON	0x7c988	0xbc	data	English	United States
RT_VERSION	0x6d628	0x398	data	English	United States
RT_MANIFEST	0x6d390	0x296	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
msvcrt.dll	_cexit, _exit, _ismbblead, __set_app_type, memcmp, __setusermatherr, _initterm, _acmdln, __getmainargs, _onexit, __dllonexit, _amsg_exit, _fmode, _XcptFilter, ??8type_info@@QEBAHAEBV0@@Z, ?what@exception@@UEBAPEBDXZ, ??1exception@@UEAA@XZ, ??0exception@@QEAA@AEBV0@@Z, ??0exception@@QEAA@AEBQEBDH@Z, __CxxFrameHandler3, _unlock, _lock, ??1type_info@@UEAA@XZ, ?terminate@@YAXXZ, ??0exception@@QEAA@AEBQEBD@Z, memmove, memcpy, _commode, _CxxThrowException, __C_specific_handler, _purecall, _itow, wcstok, _vsnwprintf, exit, memset
ntdll.dll	RtlNtStatusToDosError, RtlAddAccessAllowedAce, RtlLengthSid, EtwGetTraceLoggerHandle, EtwGetTraceEnableLevel, EtwGetTraceEnableFlags, NtQuerySystemInformation, RtlCreateAcl, EtwRegisterTraceGuidsW, EtwUnregisterTraceGuids, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, EtwTraceMessage
api-ms-win-core-synch-l1-1-0.dll	SetEvent, EnterCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, CreateEventW, WaitForSingleObject, LeaveCriticalSection, WaitForMultipleObjectsEx
api-ms-win-core-heap-l2-1-0.dll	LocalAlloc, LocalFree
api-ms-win-security-base-l1-1-0.dll	MakeSelfRelativeSD, GetSecurityDescriptorLength, AddAce, MakeAbsoluteSD, CopySid, GetLengthSid, InitializeSecurityDescriptor, AccessCheck, MapGenericMask, AllocateAndInitializeSid, FreeSid, GetTokenInformation, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, InitializeAcl, SetSecurityDescriptorDacl, GetAclInformation, RevertToSelf, ImpersonateLoggedOnUser
api-ms-win-core-errorhandling-l1-1-0.dll	GetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter
api-ms-win-core-libraryloader-l1-2-0.dll	FreeLibrary, GetModuleHandleExW, GetProcAddress, GetModuleFileNameW, GetModuleHandleW
api-ms-win-core-handle-l1-1-0.dll	DuplicateHandle, CloseHandle
api-ms-win-core-processthreads-l1-1-0.dll	GetCurrentThreadId, GetCurrentThread, TlsFree, CreateThread, OpenThreadToken, SetThreadToken, GetCurrentProcess, SwitchToThread, TlsAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcessId, OpenProcessToken
api-ms-win-core-processenvironment-l1-1-0.dll	GetCommandLineW
api-ms-win-core-string-l1-1-0.dll	CompareStringW, GetStringTypeExW
api-ms-win-core-heap-l1-1-0.dll	GetProcessHeap, HeapAlloc, HeapFree, HeapCreate, HeapDestroy, HeapSetInformation
api-ms-win-core-registry-l1-1-0.dll	RegCloseKey, RegSetValueExW, RegQueryValueExW, RegDeleteKeyExW, RegCreateKeyExW, RegOpenKeyExW
api-ms-win-eventing-provider-l1-1-0.dll	EventRegister, EventWrite, EventUnregister
api-ms-win-core-synch-l1-2-0.dll	Sleep
api-ms-win-core-memory-l1-1-0.dll	MapViewOfFile, CreateFileMappingW, OpenFileMappingW, UnmapViewOfFile
api-ms-win-core-sysinfo-l1-1-0.dll	GetSystemTimeAsFileTime, GetTickCount
api-ms-win-core-localization-l1-2-0.dll	LCMapStringW
api-ms-win-core-threadpool-legacy-l1-1-0.dll	ChangeTimerQueueTimer
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-apiquery-l1-1-0.dll	ApiSetQueryApiSetPresence
FastProx.dll	?Release@CWbemCallSecurity@@UEAAKXZ, ?QueryInterface@CWbemCallSecurity@@UEAAJAEBU_GUID@@PEAPEAX@Z, ?SetThreadSecurity@CWbemCallSecurity@@UEAAJPEAU_IWmiThreadSecHandle@@@Z, ?GetThreadSecurity@CWbemCallSecurity@@UEAAJW4tag_WMI_THREAD_SECURITY_ORIGIN@@PEAPEAU_IWmiThreadSecHandle@@@Z, ?AddRef@CWbemCallSecurity@@UEAAKXZ, ?New@CWbemCallSecurity@@SAPEAV1@XZ
NCObjAPI.DLL	WmiCreateObjectWithFormat, WmiDestroyObject, WmiEventSourceDisconnect, WmiSetAndCommitObject, WmiEventSourceConnect
wbemcomn.dll	BreakOnDbgAndRenterLoop, GetMemLogObject, ?Write@CMemoryLog@@QEAAXJ@Z, _ThrowMemoryException_, ?GetPreferredLanguages@CMUILocale@@SAJKPEAPEAGPEAK@Z, ?_Free@CMUILocale@@SAHPEAX@Z, ?SetPreferredLanguages@CMUILocale@@SAJKPEBGPEAK@Z, ?PublishProviderStarted@CPublishWMIOperationEvent@@SAJPEAGJ0K0@Z, ?Init@CPublishWMIOperationEvent@@SAJXZ
api-ms-win-core-delayload-l1-1-1.dll	ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll	DelayLoadFailureHook

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	Wmiprvse.exe
FileVersion	10.0.19041.546 (WinBuild.160101.0800)
CompanyName	Microsoft Corporation
ProductName	Microsoft Windows Operating System
ProductVersion	10.0.19041.546
FileDescription	WMI Provider Host
OriginalFilename	Wmiprvse.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: c541a313a0492231a3_wmiprvse.exe PID: 6960 Parent PID: 5704

General

Start time:	16:21:02
Start date:	09/12/2020
Path:	C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\c541a313a0492231a3_wmiprvse.exe'
Imagebase:	0x7ff6ee690000
File size:	496640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: c541a313a0492231a3_wmiprvse.exe PID: 6960 Parent PID: 5704 c541a313a0492231a3_wmiprvse.exeCOMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.1%
Total number of Nodes:	630
Total number of Limit Nodes:	15

Executed Functions

Function 00007FF6EE69C334, Relevance: 96.8, APIs: 54, Strings: 1, Instructions: 556
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C3B8
AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C403
AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C466
RtlLengthSid.NTDLL ref: 00007FF6EE69C495
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF6EE69C4A8
RtlCreateAcl.NTDLL ref: 00007FF6EE69C4C9
RtlAddAccessAllowedAce.NTDLL ref: 00007FF6EE69C4EA
SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C51C
SetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C53B
SetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C55B
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF6EE69C5B7
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C5C7
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C5D7
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC322
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC34D
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC35E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC3C6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC3E4
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC3FB
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC40C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC437
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC468
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC493
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC4B1
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC4C8
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC4D9
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC504
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC538
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC564
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC57A
RtlNtStatusToDosError.NTDLL ref: 00007FF6EE6AC5C3
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF6EE6AC5ED
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC5FD
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC60E
RtlNtStatusToDosError.NTDLL ref: 00007FF6EE6AC651
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF6EE6AC67B
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC68B
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC69C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC6F0
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC71B
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC72C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC76D
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC798
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC7A9
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC7EA
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC815
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC826
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC864
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC875
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF6EE6AC8BC
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6AC8CC
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6AC8DC
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC8EE
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC8FF

Strings

@, xrefs: 00007FF6EE69C574

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Error$Last$Log@@MemoryObjectWrite@$Free$Local$DescriptorSecurity$Initialize$AllocateStatus$AccessAllocAllowedCreateDaclGroupLengthOwner
String ID: @
API String ID: 839596735-2766056989
Opcode ID: 8c723d9ffb27e65b3770e332976803b59c30872583bfd1e90f88a267b8357a44
Instruction ID: 276e0106deb1fd6088d673b5355245507d022a59448db8e98ea1946532aac8c6
Opcode Fuzzy Hash: 8c723d9ffb27e65b3770e332976803b59c30872583bfd1e90f88a267b8357a44
Instruction Fuzzy Hash: E2427137A08A428AE7009F11D4443787FA1FBA9B15F969135EA0EC33A4CFBED405D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69AC50, Relevance: 18.2, APIs: 12, Instructions: 238
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69AD31
MsgWaitForMultipleObjectsEx.USER32 ref: 00007FF6EE69AD71

Part of subcall function 00007FF6EE69D350: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF6EE69A3B6), ref: 00007FF6EE69D35A

Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF6EE6ABCD2

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CriticalSection$EnterLeaveMultipleObjectsSleepWait
String ID:
API String ID: 1173844453-0
Opcode ID: a745c0e0f876e26306f9d46a9b60649f614862a05416d7ac85aead05d917477e
Instruction ID: 88ac9e99881b20daf26f3ce249ad04667bb154d3d2327958288cc9e41abde6e9
Opcode Fuzzy Hash: a745c0e0f876e26306f9d46a9b60649f614862a05416d7ac85aead05d917477e
Instruction Fuzzy Hash: 4DA1E033A0864282EA608B15D44477977E1FFA5B84F674131EA4EC7290DFBFE845E70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE698490, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EE698440: RtlAllocateHeap.NTDLL(?,?,00000001,00007FF6EE697D16), ref: 00007FF6EE698462

NtQuerySystemInformation.NTDLL ref: 00007FF6EE6984E8
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE698513
char_traits.LIBCPMT ref: 00007FF6EE6A9A6F

Strings

PrivatePageCount, xrefs: 00007FF6EE6A9B13
HandleCount, xrefs: 00007FF6EE6A9AAC
ThreadCount, xrefs: 00007FF6EE6A9ADB

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: AllocateCurrentHeapInformationProcessQuerySystemchar_traits
String ID: HandleCount$PrivatePageCount$ThreadCount
API String ID: 4172923599-1022455807
Opcode ID: 0009d0f3211147f6729f4867fc0437a0785ba300d8f549d4203438b50944a81f
Instruction ID: 35295fd13d775f1013ec839018974044fffb9a78f444f860f1f927f37b0ca404
Opcode Fuzzy Hash: 0009d0f3211147f6729f4867fc0437a0785ba300d8f549d4203438b50944a81f
Instruction Fuzzy Hash: 36517F23A2864282EB50DF11E84077973A0FBA4B40F525135FA4EC7796DFBEE844DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE699E60, Relevance: 7.7, APIs: 5, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

EtwEventUnregister.NTDLL ref: 00007FF6EE69A01E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE69A064

Part of subcall function 00007FF6EE6985E0: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,80000002,00007FF6EE6AD91A,?,?,?,00007FF6EE69800E), ref: 00007FF6EE6985F6

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Heap$EventFreeProcessUnregister
String ID:
API String ID: 1416143176-0
Opcode ID: e5d6496c9477112659f9e88a0831bb703ce4b367f3a88c3037666df4770912f1
Instruction ID: a95cf3c4d927f03543d2478dec5087b946c15f7bd28ed04778e7944f1a0fe039
Opcode Fuzzy Hash: e5d6496c9477112659f9e88a0831bb703ce4b367f3a88c3037666df4770912f1
Instruction Fuzzy Hash: 3A81DB27A58A0A85EB109F15D8543383761FFA8B95F624231E91D873B1CFAFE454E30A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69F110, Relevance: 3.0, APIs: 2, Instructions: 18nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL ref: 00007FF6EE69F11D
PostMessageW.USER32 ref: 00007FF6EE69F140

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: MessageNtdllPostProc_Window
String ID:
API String ID: 3717879920-0
Opcode ID: e17f56cb4a7ce05c59183ad68f8b8db617f9f3891a303444387c22ae15eb203f
Instruction ID: e4572947ad4ebf7e5ecede616d4cfd41f83557b9650c71172591c5f223c3e957
Opcode Fuzzy Hash: e17f56cb4a7ce05c59183ad68f8b8db617f9f3891a303444387c22ae15eb203f
Instruction Fuzzy Hash: B4E0CD33A04501C7E3641FB0D44DA797720EB5F711B1A5030DE0D417408F7E6495E605

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69F260, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrResolveDelayLoadedAPI.NTDLL ref: 00007FF6EE69F28B

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: DelayLoadedResolve
String ID:
API String ID: 841769287-0
Opcode ID: 8c62940f31489bd919e188286d043ab842333bba8da889ca5f5923d987ab52e5
Instruction ID: 56328fe00b894cabf5ba8f897be4c83ab1e6448efbd7bc463e42bb34e3948094
Opcode Fuzzy Hash: 8c62940f31489bd919e188286d043ab842333bba8da889ca5f5923d987ab52e5
Instruction Fuzzy Hash: 1FE0B67A908A4586D610DF40E8402647BA0FB69B84F924132F94CC3734CF7D9514DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A2CC0, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF6EE6A2CCB

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f67ced8c2176299b387adc415fe50041e30ae321456327889725b89db8fc2d11
Instruction ID: ec846410b0338af0c5fec765697775a910127cbd1a1db92dea4dc2a5953b648f
Opcode Fuzzy Hash: f67ced8c2176299b387adc415fe50041e30ae321456327889725b89db8fc2d11
Instruction Fuzzy Hash: 30B01215FE5403D2D604BB22DC8517413A0BF7C304FD24430E00EC0220DE9D919BAB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69B4D0, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 248
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EE69C334: InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C3B8
Part of subcall function 00007FF6EE69C334: AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C403
Part of subcall function 00007FF6EE69C334: AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C466
Part of subcall function 00007FF6EE69C334: RtlLengthSid.NTDLL ref: 00007FF6EE69C495
Part of subcall function 00007FF6EE69C334: LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF6EE69C4A8
Part of subcall function 00007FF6EE69C334: RtlCreateAcl.NTDLL ref: 00007FF6EE69C4C9

SysAllocString.OLEAUT32 ref: 00007FF6EE69B56D
SysFreeString.OLEAUT32 ref: 00007FF6EE69B6C6
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE69B7A7
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE69B7B6
DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EE69B7E1
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69B808
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EE69B818
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC0F0
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC101

Part of subcall function 00007FF6EE69C260: OpenFileMappingW.KERNELBASE ref: 00007FF6EE69C290
Part of subcall function 00007FF6EE69C260: MapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF6EE69C2C3

Part of subcall function 00007FF6EE69C174: WmiEventSourceConnect.NCOBJAPI ref: 00007FF6EE69C1B2
Part of subcall function 00007FF6EE69C174: WmiCreateObjectWithFormat.NCOBJAPI ref: 00007FF6EE69C1F8

Part of subcall function 00007FF6EE69BCD4: AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BD47
Part of subcall function 00007FF6EE69BCD4: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BD5F
Part of subcall function 00007FF6EE69BCD4: CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BD99
Part of subcall function 00007FF6EE69BCD4: CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BDE4
Part of subcall function 00007FF6EE69BCD4: AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BE3C
Part of subcall function 00007FF6EE69BCD4: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BE54

Strings

Root, xrefs: 00007FF6EE69B566

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Initialize$Allocate$LengthObject$AllocCopyCreateCurrentFileHandleProcessString$CloseConnectDescriptorDuplicateEventFormatFreeLocalLog@@MappingMemoryOpenSecuritySingleSourceViewWaitWithWrite@
String ID: Root
API String ID: 3934963168-3066451557
Opcode ID: bf7f30300bae9e2d9c47c816e5df0a5e30c4a5cbcde9337f07ab91f8079d285b
Instruction ID: da90027fab7a0adf18823c77dd2b1d5ee17ff03cadb33682b2183ddb63534535
Opcode Fuzzy Hash: bf7f30300bae9e2d9c47c816e5df0a5e30c4a5cbcde9337f07ab91f8079d285b
Instruction Fuzzy Hash: 47C16F37A08B468AE700DF25D8402BC37A0FBA9B54B524235EE0D93765DFBEE415E709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69C890, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconW.USER32 ref: 00007FF6EE69C8CA
LoadCursorW.USER32 ref: 00007FF6EE69C8E5
RegisterClassW.USER32 ref: 00007FF6EE69C91E
CreateWindowExW.USER32 ref: 00007FF6EE69C964
ShowWindow.USER32 ref: 00007FF6EE69C978
UpdateWindow.USER32 ref: 00007FF6EE69C987
GetSystemMenu.USER32 ref: 00007FF6EE69C998
DeleteMenu.USER32 ref: 00007FF6EE69C9B4

Strings

Wmi Provider Host, xrefs: 00007FF6EE69C8F9

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Window$LoadMenu$ClassCreateCursorDeleteIconRegisterShowSystemUpdate
String ID: Wmi Provider Host
API String ID: 2564365438-660353315
Opcode ID: 07ee024710d894325b704247af5016c181b44703dfe2c019a49ed5c6e65fb461
Instruction ID: 7c3918e3e333cf6f88a611e7cb7e1eb89c3b0002883bb1be23b040474daf78a3
Opcode Fuzzy Hash: 07ee024710d894325b704247af5016c181b44703dfe2c019a49ed5c6e65fb461
Instruction Fuzzy Hash: 99311C33A08B8187E7108F15F40837ABBA0F799B51F559138EA8E82B58DF7DD058CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69A940, Relevance: 15.3, APIs: 10, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EE69A8A8: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69A90A

LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69A9D7
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69AA2C
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69AA7B

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 77a85c4642fc07aa3be59ea04cd757de25151c3c374c9b4c7c58f576d0ec66b4
Instruction ID: 77ad30e9def35bceb44c01cb097a10d691ab37026f0a8249dc803f905bb7fde8
Opcode Fuzzy Hash: 77a85c4642fc07aa3be59ea04cd757de25151c3c374c9b4c7c58f576d0ec66b4
Instruction Fuzzy Hash: 75E17023E0864296FB109B51D4847B837A4EF75784F970131EA0DC72D5EFABE845E34A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69C260, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingW.KERNELBASE ref: 00007FF6EE69C290
MapViewOfFile.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF6EE69C2C3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AC226
CreateFileMappingW.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF6EE6AC281
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EE6AC2C5
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC2D7
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC2E8

Strings

Global\Wmi Provider Sub System Counters, xrefs: 00007FF6EE69C281

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: File$Mapping$CloseCreateErrorHandleLastLog@@MemoryObjectOpenViewWrite@
String ID: Global\Wmi Provider Sub System Counters
API String ID: 1489113169-3057216162
Opcode ID: bcf6ec7b18f721335222fbd12099de190e4c59b0f9bdfc9a034ef6e2e368fd1d
Instruction ID: 563ec4f346fb2d5684e0c2d11f2eee6698799947c18c7c2029d54cce19ea13e5
Opcode Fuzzy Hash: bcf6ec7b18f721335222fbd12099de190e4c59b0f9bdfc9a034ef6e2e368fd1d
Instruction Fuzzy Hash: 9D41E733A08B4286E7109F50E4443787BA1FBA9B90FA64235EA1D837D4DFBEE404D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A2580, Relevance: 12.1, APIs: 8, Instructions: 136
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EE6A2E94: GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF6EE6A2EC4
Part of subcall function 00007FF6EE6A2E94: GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6A2ED2
Part of subcall function 00007FF6EE6A2E94: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6A2EDE
Part of subcall function 00007FF6EE6A2E94: GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF6EE6A2EEA
Part of subcall function 00007FF6EE6A2E94: GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF6EE6A2EFA
Part of subcall function 00007FF6EE6A2E94: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF6EE6A2F15

GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6A25B5
_amsg_exit.MSVCRT ref: 00007FF6EE6A25F0
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF6EE6A25FC
_initterm.MSVCRT ref: 00007FF6EE6A268A
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6EE6A26B7
exit.KERNELBASE ref: 00007FF6EE6A2749
_cexit.MSVCRT ref: 00007FF6EE6A2758
_ismbblead.MSVCRT ref: 00007FF6EE6A2778

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
String ID:
API String ID: 2995914023-0
Opcode ID: 1b2c3ffdca65d3f28dde6d4b15da860c4e3d8628c268bcf447f6e91f46cbfdae
Instruction ID: 9de4b201b97f9078e74c56e6d718212955d2c038987daf271e9a0605c6f8fb5e
Opcode Fuzzy Hash: 1b2c3ffdca65d3f28dde6d4b15da860c4e3d8628c268bcf447f6e91f46cbfdae
Instruction Fuzzy Hash: 68516633E8C65686E7209B20E85077937A0FF64744F660031E90DC72A0DFBEE940EB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE697C2C, Relevance: 10.9, APIs: 7, Instructions: 361
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF6EE697D63

Part of subcall function 00007FF6EE699AF0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000001,00007FF6EE697C6C), ref: 00007FF6EE699B0C

HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE697C8C
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE697CCF
HeapCreate.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE6A974C

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Heap$Process$AllocCreateEventRegister
String ID:
API String ID: 861403313-0
Opcode ID: 57327b1a173ec6dca0a6aef04701fe4a2a6c47191cbf9749d22fa1829b1a9c67
Instruction ID: 54d238ddd487d01b98e7c6ae45c61ebe23965bb24e1a3e31773d5af07d94ac66
Opcode Fuzzy Hash: 57327b1a173ec6dca0a6aef04701fe4a2a6c47191cbf9749d22fa1829b1a9c67
Instruction Fuzzy Hash: 2BF13B27A49B0686EA509F15E44033877A0FFA4B50B664135EA4E877A0DFBFF451E30A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69DBEC, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 00007FF6EE69DC1D
SysAllocString.OLEAUT32 ref: 00007FF6EE69DC86

Part of subcall function 00007FF6EE69DD40: GetStringTypeExW.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6EE69DE5B

VariantClear.OLEAUT32 ref: 00007FF6EE69DD0A
SysFreeString.OLEAUT32 ref: 00007FF6EE6AD102
SysFreeString.OLEAUT32 ref: 00007FF6EE6AD131

Strings

ClearAfter, xrefs: 00007FF6EE69DC4D

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$FreeVariant$AllocClearInitType
String ID: ClearAfter
API String ID: 205876146-1373074809
Opcode ID: 8f75aa0f25e001a35e037801d3004651ea934c7664730159f0328fcf5a27bd42
Instruction ID: adc57632571f51d906e13e5afcc5773653041a57ba3400dd67d62453b2811afe
Opcode Fuzzy Hash: 8f75aa0f25e001a35e037801d3004651ea934c7664730159f0328fcf5a27bd42
Instruction Fuzzy Hash: 54417F33A04B01CAEB109F24D4503BC77A4FBA8B58F464235EA1E87794DF7AE558D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69DA94, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00007FF6EE69DAB2
SysFreeString.OLEAUT32 ref: 00007FF6EE69DB2F
SysAllocString.OLEAUT32 ref: 00007FF6EE69DB4A
SysFreeString.OLEAUT32 ref: 00007FF6EE69DBC7

Part of subcall function 00007FF6EE69DBEC: VariantInit.OLEAUT32 ref: 00007FF6EE69DC1D
Part of subcall function 00007FF6EE69DBEC: SysAllocString.OLEAUT32 ref: 00007FF6EE69DC86
Part of subcall function 00007FF6EE69DBEC: VariantClear.OLEAUT32 ref: 00007FF6EE69DD0A

Strings

__EventProviderCacheControl=@, xrefs: 00007FF6EE69DB43
__ObjectProviderCacheControl=@, xrefs: 00007FF6EE69DAAB

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$Alloc$FreeVariant$ClearInit
String ID: __EventProviderCacheControl=@$__ObjectProviderCacheControl=@
API String ID: 2896020287-2580875564
Opcode ID: dceccf2cae2346d73daf8f65b4abcf32c6ea89e677fd9e32a439cd3da5fc9f33
Instruction ID: 29a9568a8a4d5a7819ced332960b06af1550a0ffe1a1a28b9eec6f8c66df61be
Opcode Fuzzy Hash: dceccf2cae2346d73daf8f65b4abcf32c6ea89e677fd9e32a439cd3da5fc9f33
Instruction Fuzzy Hash: C1414C77608F4682DB108F56E040369B7A0FB9DB94F524132EA4D83B28DFBED155DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69C69C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE69C6BC
RegDisablePredefinedCache.ADVAPI32 ref: 00007FF6EE69C72A

Part of subcall function 00007FF6EE697C2C: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE697C8C
Part of subcall function 00007FF6EE697C2C: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE697CCF
Part of subcall function 00007FF6EE697C2C: EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF6EE697D63

EtwUnregisterTraceGuids.NTDLL ref: 00007FF6EE69C7D2

Part of subcall function 00007FF6EE69C9DC: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,00007FF6EE69C74D), ref: 00007FF6EE69C9FC
Part of subcall function 00007FF6EE69C9DC: wcstok.MSVCRT ref: 00007FF6EE69CA1B
Part of subcall function 00007FF6EE69C9DC: wcstok.MSVCRT ref: 00007FF6EE69CA30
Part of subcall function 00007FF6EE69C9DC: CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,00007FF6EE69C74D), ref: 00007FF6EE69CA6D
Part of subcall function 00007FF6EE69C9DC: CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,00007FF6EE69C74D), ref: 00007FF6EE69CAA0
Part of subcall function 00007FF6EE69C9DC: CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,00007FF6EE69C74D), ref: 00007FF6EE69CACF
Part of subcall function 00007FF6EE69C9DC: wcstok.MSVCRT ref: 00007FF6EE69CAEB

DestroyWindow.USER32 ref: 00007FF6EE69C78A
UnregisterClassW.USER32 ref: 00007FF6EE69C7A0

Part of subcall function 00007FF6EE69C890: LoadIconW.USER32 ref: 00007FF6EE69C8CA
Part of subcall function 00007FF6EE69C890: LoadCursorW.USER32 ref: 00007FF6EE69C8E5
Part of subcall function 00007FF6EE69C890: RegisterClassW.USER32 ref: 00007FF6EE69C91E
Part of subcall function 00007FF6EE69C890: CreateWindowExW.USER32 ref: 00007FF6EE69C964
Part of subcall function 00007FF6EE69C890: ShowWindow.USER32 ref: 00007FF6EE69C978
Part of subcall function 00007FF6EE69C890: UpdateWindow.USER32 ref: 00007FF6EE69C987
Part of subcall function 00007FF6EE69C890: GetSystemMenu.USER32 ref: 00007FF6EE69C998
Part of subcall function 00007FF6EE69C890: DeleteMenu.USER32 ref: 00007FF6EE69C9B4

Strings

Wmi Provider Host, xrefs: 00007FF6EE69C799

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Window$CompareHeapStringwcstok$ClassLoadMenuRegisterUnregister$AllocCacheCommandCreateCursorDeleteDestroyDisableEventGuidsIconInformationLinePredefinedProcessShowSystemTraceUpdate
String ID: Wmi Provider Host
API String ID: 143112325-660353315
Opcode ID: acf7dc74e7269a57921760be4d024ab2fb519413accd334ab9636eb3cfa467b5
Instruction ID: 253a758b545277f8fac5b70726153f5b491a25b794004fc4a8c25b0a4894d1a0
Opcode Fuzzy Hash: acf7dc74e7269a57921760be4d024ab2fb519413accd334ab9636eb3cfa467b5
Instruction Fuzzy Hash: DA413B37918A4296E7009F10E8403B47BA4FF64B84B664136F94DCA665DFBFF424E70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69C174, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WmiEventSourceConnect.NCOBJAPI ref: 00007FF6EE69C1B2
WmiCreateObjectWithFormat.NCOBJAPI ref: 00007FF6EE69C1F8
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6AC1D6
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6AC1EC

Strings

ProviderSubSystem, xrefs: 00007FF6EE69C18B
root\cimv2, xrefs: 00007FF6EE69C196

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Object$ConnectCreateEventFormatLog@@MemorySourceWithWrite@
String ID: ProviderSubSystem$root\cimv2
API String ID: 3037073835-474028568
Opcode ID: fd2e6e4c3f93275b1b9ed7dd8d4af24b48827d0ba8df2ab954d451dc1091ddbb
Instruction ID: 9eb0c970fc50ec74bc0f64247217135a00c9645ffa6ae2e16ba066aab040d2dd
Opcode Fuzzy Hash: fd2e6e4c3f93275b1b9ed7dd8d4af24b48827d0ba8df2ab954d451dc1091ddbb
Instruction Fuzzy Hash: E6319437A08B4286EB108F05E44437877A1FBA8B44FA64435EA0D83354DFBEE546D749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69F884, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00007FF6EE69801E), ref: 00007FF6EE69F8B3
RegQueryValueExW.KERNELBASE ref: 00007FF6EE69F8FF
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE69F918

Strings

DefaultRpcStackSize, xrefs: 00007FF6EE69F8DB
Software\Microsoft\Wbem\Cimom, xrefs: 00007FF6EE69F8A5

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: DefaultRpcStackSize$Software\Microsoft\Wbem\Cimom
API String ID: 3677997916-1710159536
Opcode ID: e55298bf2c94b6b169dae4c27c82baacbd020aeb8c2c6be4b892d8d5ab4d0de4
Instruction ID: d00eba69783ff78ef0be4175e12ca143cf84a6349651b4562fda3ae02f435ede
Opcode Fuzzy Hash: e55298bf2c94b6b169dae4c27c82baacbd020aeb8c2c6be4b892d8d5ab4d0de4
Instruction Fuzzy Hash: DF116D37A08A419AE7108F14E40072ABBB0FB95354F914235FA8C82768DFBED118DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69F978, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00007FF6EE698019), ref: 00007FF6EE69F9A7
RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,00007FF6EE698019), ref: 00007FF6EE69F9EE
RegCloseKey.KERNELBASE(?,?,?,?,?,?,00007FF6EE698019), ref: 00007FF6EE69F9FF

Strings

Software\Microsoft\WBEM\CIMOM, xrefs: 00007FF6EE69F999
Sink Transmit Buffer Size, xrefs: 00007FF6EE69F9C6

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Sink Transmit Buffer Size$Software\Microsoft\WBEM\CIMOM
API String ID: 3677997916-3607532515
Opcode ID: 0caf20f3fc621c95a47c2ce3296a8ad7ab2ef3a846648a516cf08344389450f7
Instruction ID: fba4dd7352038c3d85c56cd705b00f1593b32a11ab93b8d04a96d2703cba533b
Opcode Fuzzy Hash: 0caf20f3fc621c95a47c2ce3296a8ad7ab2ef3a846648a516cf08344389450f7
Instruction Fuzzy Hash: 3201C93AA08B41C6D7109F54F840669BB70FB9A754F914231EA4D83764DFBED114DF09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69A164, Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FF6EE69A196
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EE69A1AC
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EE69A1C2
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EE69A1D8
DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69A216

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Close$Handle$ChangeCriticalDeleteFindNotificationSection
String ID:
API String ID: 2366415780-0
Opcode ID: 887c3cca207599f24ad1a6ba64e49930058a7cb00094a3e78fed6c74b8173d6d
Instruction ID: e85d12378477436de5102c6e61f2d023111e4fc3145056b14b4be7d391b256c0
Opcode Fuzzy Hash: 887c3cca207599f24ad1a6ba64e49930058a7cb00094a3e78fed6c74b8173d6d
Instruction Fuzzy Hash: 9521A237A09A418AEB00AF64D01437C77A0FFA6F55F5A9630E91E832A1CF6BD445D31A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69BBB4, Relevance: 4.5, APIs: 3, Instructions: 18windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32 ref: 00007FF6EE69BBC5
TranslateMessage.USER32 ref: 00007FF6EE69BBE1
DispatchMessageW.USER32 ref: 00007FF6EE69BBF2

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Message$DispatchTranslate
String ID:
API String ID: 1706434739-0
Opcode ID: d01fa456b169024905821af58e566ef6aae29338f380d2e2354b80fbef61be83
Instruction ID: edda451d31903109859944e2924471f712036410b9bb29eaba8757b980826f4e
Opcode Fuzzy Hash: d01fa456b169024905821af58e566ef6aae29338f380d2e2354b80fbef61be83
Instruction Fuzzy Hash: 3EE09233918881C3E2209B14E858279BB30FBEA709BD64130E64E816A8DF3ED108DB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE699CC0, Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EE698490: NtQuerySystemInformation.NTDLL ref: 00007FF6EE6984E8
Part of subcall function 00007FF6EE698490: GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE698513

GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6AB4F1
TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6AB505

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Process$Current$InformationQuerySystemTerminate
String ID:
API String ID: 3934176361-0
Opcode ID: 9e8c0b4e96c77d085304ef45b624f7b61937b1fb198f676b9f76498d6e332834
Instruction ID: a1e5a9e8ede0c8b6f9b163d8572f5d83a7b4f9427833eb279e0bc23c3be0047b
Opcode Fuzzy Hash: 9e8c0b4e96c77d085304ef45b624f7b61937b1fb198f676b9f76498d6e332834
Instruction Fuzzy Hash: 6141A433A48A4681EB009B26E8503787760FF99F94F564231EA1EC33A5DFBED405D706

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69A0B4, Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 18ad28867c11d85dcee626c3599d483ba0aec4071da85a5e326870dc1cdce650
Instruction ID: ce7c94b1a690a56b61ee0215bb728b59ed8d945c71f2c3b3afe3fafef21a1d10
Opcode Fuzzy Hash: 18ad28867c11d85dcee626c3599d483ba0aec4071da85a5e326870dc1cdce650
Instruction Fuzzy Hash: 07316E33A18A0286FB009F10E8543743BA4FF65745FA65035E90D863A1DFBFE459E70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69B194, Relevance: 1.5, APIs: 1, Instructions: 41threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF6EE69B1D1

Part of subcall function 00007FF6EE69B234: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE69B29C

Part of subcall function 00007FF6EE69FA20: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69FA2A

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: AllocCreateCriticalHeapLeaveSectionThread
String ID:
API String ID: 3522657792-0
Opcode ID: bca23a1166f8ba30ba3b858a4079989081ac05bba6f538450568af6b9ad981d5
Instruction ID: e66b77cdd573080b9d7514d77c48cf18548d3576abcb49690c323fa286625178
Opcode Fuzzy Hash: bca23a1166f8ba30ba3b858a4079989081ac05bba6f538450568af6b9ad981d5
Instruction Fuzzy Hash: 8611AC37608B4582EB009F24E4403B977B0FB58B84FA64131EA4C87365DFBED459D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE699D18, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cce4a06a9f02964a55e763556b23a1c041e33f0a21067738e2a78e5354bd037
Instruction ID: e57beceec4f5284d4ef21a0669510d9d679564112dfbd9c96005264f732f94b7
Opcode Fuzzy Hash: 3cce4a06a9f02964a55e763556b23a1c041e33f0a21067738e2a78e5354bd037
Instruction Fuzzy Hash: 38012133E18602C6F7149F21A8957353761AF69701F965435E80EC6250CEBFB459E70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69B120, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69B149

Part of subcall function 00007FF6EE69A940: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69A9D7
Part of subcall function 00007FF6EE69A940: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69AA2C
Part of subcall function 00007FF6EE69A940: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69AA7B

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CriticalLeaveSection$Event
String ID:
API String ID: 3363972230-0
Opcode ID: 468f4079afd67c253c0e160e91c45eccd527b1185a2bf9d558737bf88757af60
Instruction ID: 5dead61af643f0307a3f6be1e104b89f9723ef2dfd4cb49cbbc103d0dc9d8349
Opcode Fuzzy Hash: 468f4079afd67c253c0e160e91c45eccd527b1185a2bf9d558737bf88757af60
Instruction Fuzzy Hash: 5AF04F2B714B0A86DB00AF2AE89023827B0FF99F947574131EE1E83330DE7DC4559705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69C808, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

EtwRegisterTraceGuidsW.NTDLL ref: 00007FF6EE69C867

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: GuidsRegisterTrace
String ID:
API String ID: 3540399512-0
Opcode ID: 6821b378e45b07a1ce288d0b40075502476f32c7685eccd2cacab646a47effcc
Instruction ID: 906b289a6c8319b9a6974bda2af2a020d78d76a4aafa3f242098e235fc8ee838
Opcode Fuzzy Hash: 6821b378e45b07a1ce288d0b40075502476f32c7685eccd2cacab646a47effcc
Instruction Fuzzy Hash: 6C011A33618B4592D7108F01F1403A9B774F758B88F694235EB8C4B658DF7ED564C749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69B320, Relevance: 1.5, APIs: 1, Instructions: 29synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EE69B194: CreateThread.KERNELBASE ref: 00007FF6EE69B1D1

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6EE6C7390), ref: 00007FF6EE69B349

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: d0bbf05717f960358e330a993c2b347ad261e14c4f4a8875d1ffb17c9922de24
Instruction ID: a58cc0cd2a905f5fc28af5b4f113155b99cc5761acf7223bae8a9ad59a77d40a
Opcode Fuzzy Hash: d0bbf05717f960358e330a993c2b347ad261e14c4f4a8875d1ffb17c9922de24
Instruction Fuzzy Hash: 50F03033E18546D6E750CF29D48137973A0EF68B94F214034EA0DC7259FE6BE8909B49

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE698440, Relevance: 1.5, APIs: 1, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000001,00007FF6EE697D16), ref: 00007FF6EE698462

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5e5c636c68ae9ceaf29c88842d810163a31ceaa73c8eee9b0867bba47d92b475
Instruction ID: 19cbbffc1ea232d580b9b693b54b4485da789134730e5a61295e957c513d4f38
Opcode Fuzzy Hash: 5e5c636c68ae9ceaf29c88842d810163a31ceaa73c8eee9b0867bba47d92b475
Instruction Fuzzy Hash: 2FE09253E1A70681FE558B52984033427A0AFBCF41F6E4430EE0DC6381EFBEF850A65A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69FE78, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

TlsFree.KERNELBASE ref: 00007FF6EE69FE90

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: 2d49d7b125421083320701a9310e85dacbaaab062d48e9bc65b14fdeaf88b777
Instruction ID: 861b6b5621b074ed6974f1261c11d72e221a527257616d3e484140f4aea56f52
Opcode Fuzzy Hash: 2d49d7b125421083320701a9310e85dacbaaab062d48e9bc65b14fdeaf88b777
Instruction Fuzzy Hash: 0FD05E36C04A4286D1345B24AC051383B21BBA6334BA60324F1BE852F4CF7DA016DB05

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF6EE6922D0, Relevance: 160.6, APIs: 66, Strings: 25, Instructions: 1398memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF6EE69230F
VariantInit.OLEAUT32 ref: 00007FF6EE69231F
SysAllocStringLen.OLEAUT32 ref: 00007FF6EE692445
VariantClear.OLEAUT32 ref: 00007FF6EE692661
VariantClear.OLEAUT32 ref: 00007FF6EE692671
VariantInit.OLEAUT32 ref: 00007FF6EE69268A
VariantClear.OLEAUT32 ref: 00007FF6EE692703
VariantInit.OLEAUT32 ref: 00007FF6EE69271C
SysAllocString.OLEAUT32 ref: 00007FF6EE69278D
VariantClear.OLEAUT32 ref: 00007FF6EE6927AE
VariantInit.OLEAUT32 ref: 00007FF6EE6927C7
VariantClear.OLEAUT32 ref: 00007FF6EE692840
VariantInit.OLEAUT32 ref: 00007FF6EE692859
VariantClear.OLEAUT32 ref: 00007FF6EE6928F6
VariantInit.OLEAUT32 ref: 00007FF6EE69290F
VariantClear.OLEAUT32 ref: 00007FF6EE69298C
VariantInit.OLEAUT32 ref: 00007FF6EE6929A5
VariantClear.OLEAUT32 ref: 00007FF6EE692A24
VariantInit.OLEAUT32 ref: 00007FF6EE692A3D
VariantClear.OLEAUT32 ref: 00007FF6EE692AC3
VariantInit.OLEAUT32 ref: 00007FF6EE692ADC
VariantClear.OLEAUT32 ref: 00007FF6EE692B5B
VariantInit.OLEAUT32 ref: 00007FF6EE692B74
VariantClear.OLEAUT32 ref: 00007FF6EE692BED
VariantInit.OLEAUT32 ref: 00007FF6EE692C06
VariantClear.OLEAUT32 ref: 00007FF6EE692C7C
VariantInit.OLEAUT32 ref: 00007FF6EE692C95
VariantClear.OLEAUT32 ref: 00007FF6EE692D0B
VariantInit.OLEAUT32 ref: 00007FF6EE692D24
VariantClear.OLEAUT32 ref: 00007FF6EE692DA3
VariantInit.OLEAUT32 ref: 00007FF6EE692DBC
VariantClear.OLEAUT32 ref: 00007FF6EE692E3B
VariantInit.OLEAUT32 ref: 00007FF6EE692E54
VariantClear.OLEAUT32 ref: 00007FF6EE692ECA
VariantInit.OLEAUT32 ref: 00007FF6EE692EE3
VariantClear.OLEAUT32 ref: 00007FF6EE692F44
VariantInit.OLEAUT32 ref: 00007FF6EE692F5D
VariantClear.OLEAUT32 ref: 00007FF6EE692FD4
VariantInit.OLEAUT32 ref: 00007FF6EE692FED
VariantClear.OLEAUT32 ref: 00007FF6EE693063
VariantInit.OLEAUT32 ref: 00007FF6EE69307C
VariantClear.OLEAUT32 ref: 00007FF6EE6930F2
VariantInit.OLEAUT32 ref: 00007FF6EE69310B
VariantClear.OLEAUT32 ref: 00007FF6EE693184
VariantInit.OLEAUT32 ref: 00007FF6EE69319D
VariantClear.OLEAUT32 ref: 00007FF6EE693218
VariantInit.OLEAUT32 ref: 00007FF6EE693231
VariantClear.OLEAUT32 ref: 00007FF6EE6932CD
VariantInit.OLEAUT32 ref: 00007FF6EE693301
VariantClear.OLEAUT32 ref: 00007FF6EE693371
SysFreeString.OLEAUT32 ref: 00007FF6EE693385
SysFreeString.OLEAUT32 ref: 00007FF6EE6A5F33
SysAllocString.OLEAUT32 ref: 00007FF6EE6A5F43
SysFreeString.OLEAUT32 ref: 00007FF6EE6A5FD5
SysAllocString.OLEAUT32 ref: 00007FF6EE6A619B
SysAllocString.OLEAUT32 ref: 00007FF6EE6A61F6

Strings

HostingModel, xrefs: 00007FF6EE693266
InitializationReentrancy, xrefs: 00007FF6EE692F92
CLSID, xrefs: 00007FF6EE69288E
__NAMESPACE, xrefs: 00007FF6EE69234F
ImpersonationLevel, xrefs: 00007FF6EE692B11
UnloadTimeout, xrefs: 00007FF6EE692A72
ClientLoadableCLSID, xrefs: 00007FF6EE692944
OperationTimeoutInterval, xrefs: 00007FF6EE692D59
SupportsThrottling, xrefs: 00007FF6EE692E89
SupportsQuotas, xrefs: 00007FF6EE692CCA
Enabled, xrefs: 00007FF6EE6927FC
SupportsSendStatus, xrefs: 00007FF6EE692BA9
SecurityDescriptor, xrefs: 00007FF6EE693334
SupportsShutdown, xrefs: 00007FF6EE692C3B
Name, xrefs: 00007FF6EE692751
InitializeAsAdminFirst, xrefs: 00007FF6EE693022
DefaultNetworkServiceHost, xrefs: 00007FF6EE6A6194, 00007FF6EE6A61EF
Pure, xrefs: 00007FF6EE6931D2
PerUserInitialization, xrefs: 00007FF6EE6930B1
PerLocaleInitialization, xrefs: 00007FF6EE693140
DefaultMachineName, xrefs: 00007FF6EE6929DA
ConcurrentIndependantRequests, xrefs: 00007FF6EE692F18
InitializationTimeoutInterval, xrefs: 00007FF6EE692DF1
Version, xrefs: 00007FF6EE6926BF
__RELPATH, xrefs: 00007FF6EE692394

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Variant$ClearInit$String$Alloc$Free
String ID: CLSID$ClientLoadableCLSID$ConcurrentIndependantRequests$DefaultMachineName$DefaultNetworkServiceHost$Enabled$HostingModel$ImpersonationLevel$InitializationReentrancy$InitializationTimeoutInterval$InitializeAsAdminFirst$Name$OperationTimeoutInterval$PerLocaleInitialization$PerUserInitialization$Pure$SecurityDescriptor$SupportsQuotas$SupportsSendStatus$SupportsShutdown$SupportsThrottling$UnloadTimeout$Version$__NAMESPACE$__RELPATH
API String ID: 2302583246-829198682
Opcode ID: 0b41557d9a72976ef50d1907882301312694f3173bc941d16f0a2dbda55ff086
Instruction ID: 4e0ac95a8b1ea22e1b39fd5f1c7bbb64a51744d1a31684dfc84ec878d325744b
Opcode Fuzzy Hash: 0b41557d9a72976ef50d1907882301312694f3173bc941d16f0a2dbda55ff086
Instruction Fuzzy Hash: 60E27337A48A52C6EB209F14E4403B977A0FBA5748F524135EB4E83664DFBFE448E709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6D0AC4, Relevance: 120.0, APIs: 48, Strings: 20, Instructions: 961COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF6EE6D0B05
VariantClear.OLEAUT32 ref: 00007FF6EE6D0B83
VariantInit.OLEAUT32 ref: 00007FF6EE6D0B9C
VariantClear.OLEAUT32 ref: 00007FF6EE6D0C22
VariantInit.OLEAUT32 ref: 00007FF6EE6D0C3B
VariantClear.OLEAUT32 ref: 00007FF6EE6D0CBC
VariantInit.OLEAUT32 ref: 00007FF6EE6D0CD5
VariantClear.OLEAUT32 ref: 00007FF6EE6D0D56
VariantInit.OLEAUT32 ref: 00007FF6EE6D0D6F
VariantClear.OLEAUT32 ref: 00007FF6EE6D0DF0
VariantInit.OLEAUT32 ref: 00007FF6EE6D0E09
VariantClear.OLEAUT32 ref: 00007FF6EE6D0E8A
VariantInit.OLEAUT32 ref: 00007FF6EE6D0EA3
VariantClear.OLEAUT32 ref: 00007FF6EE6D0F24
VariantInit.OLEAUT32 ref: 00007FF6EE6D0F3D
VariantClear.OLEAUT32 ref: 00007FF6EE6D0FBE
VariantInit.OLEAUT32 ref: 00007FF6EE6D0FD7
VariantClear.OLEAUT32 ref: 00007FF6EE6D1058
VariantInit.OLEAUT32 ref: 00007FF6EE6D1071
SafeArrayGetDim.OLEAUT32 ref: 00007FF6EE6D10D5
SafeArrayGetLBound.OLEAUT32 ref: 00007FF6EE6D10F4
SafeArrayGetUBound.OLEAUT32 ref: 00007FF6EE6D110B
SafeArrayGetElement.OLEAUT32 ref: 00007FF6EE6D1140
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D11B3
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D120E
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D12AE
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D1309
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D13A7
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D1403
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D1499
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D14F4
SysFreeString.OLEAUT32 ref: 00007FF6EE6D1543
VariantClear.OLEAUT32 ref: 00007FF6EE6D158A
VariantInit.OLEAUT32 ref: 00007FF6EE6D15A3
VariantClear.OLEAUT32 ref: 00007FF6EE6D1629

Strings

WQL:UnarySelect, xrefs: 00007FF6EE6D1158
ReferencedSetQueries, xrefs: 00007FF6EE6D17AC
SupportsPut, xrefs: 00007FF6EE6D0BCD
WQL:Associators, xrefs: 00007FF6EE6D1350
ReSynchroniseOnNamespaceOpen, xrefs: 00007FF6EE6D1008
PerUserSchema, xrefs: 00007FF6EE6D0F6E
WQL:References, xrefs: 00007FF6EE6D1259
CacheRefreshInterval, xrefs: 00007FF6EE6D1898
QuerySupportLevels, xrefs: 00007FF6EE6D10A2
SupportsBatching, xrefs: 00007FF6EE6D0E3A
__ClassProviderRegistration, xrefs: 00007FF6EE6D0ACC
SupportsDelete, xrefs: 00007FF6EE6D0D06
WQL:V1ProviderDefined, xrefs: 00007FF6EE6D1444
Version, xrefs: 00007FF6EE6D0B36
SupportsTransactions, xrefs: 00007FF6EE6D0ED4
UnSupportedQueries, xrefs: 00007FF6EE6D1703
InteractionType, xrefs: 00007FF6EE6D15D4
SupportsGet, xrefs: 00007FF6EE6D0C6C
SupportsEnumeration, xrefs: 00007FF6EE6D0DA0
ResultSetQueries, xrefs: 00007FF6EE6D1673

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Variant$ClearInit$String$ArraySafe$Bound$ElementFree
String ID: CacheRefreshInterval$InteractionType$PerUserSchema$QuerySupportLevels$ReSynchroniseOnNamespaceOpen$ReferencedSetQueries$ResultSetQueries$SupportsBatching$SupportsDelete$SupportsEnumeration$SupportsGet$SupportsPut$SupportsTransactions$UnSupportedQueries$Version$WQL:Associators$WQL:References$WQL:UnarySelect$WQL:V1ProviderDefined$__ClassProviderRegistration
API String ID: 3756312870-3152331778
Opcode ID: ed9d752fe71a02e59acae1870345c69a7a688dbb0f0e1a98738882664f1c25a3
Instruction ID: 0f52407202e7e7a230e208685fe84cfb4ec29bcb5cfd205d7de0fe34800c4362
Opcode Fuzzy Hash: ed9d752fe71a02e59acae1870345c69a7a688dbb0f0e1a98738882664f1c25a3
Instruction Fuzzy Hash: 54A2653BA08741C7E720AF10D4802BD77B4FB69748BA24135EA4D83A54DFBEE558DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6B1264, Relevance: 65.2, APIs: 35, Strings: 2, Instructions: 493memoryregistryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B12F4
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1344
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1526
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B155A
AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B15BF
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B15D5
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1607
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1312

Part of subcall function 00007FF6EE698440: RtlAllocateHeap.NTDLL(?,?,00000001,00007FF6EE697D16), ref: 00007FF6EE698462

AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B13AE
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B13C2
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B13F3
AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1459
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B146D
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B14A1
AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1512
InitializeAcl.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1681
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B16B3
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B16E6
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1717
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1747
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B177B
InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1796
SetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B17B8
SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B17D7
SetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B17F6
GetSecurityDescriptorLength.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B180E
MakeSelfRelativeSD.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1837
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B1867
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1925
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B193A
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B194F
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1964
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B1979
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6B1989
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6B199A

Strings

Microsoft WMI Provider Subsystem Host, xrefs: 00007FF6EE6B126E
LaunchPermission, xrefs: 00007FF6EE6B185C

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Initialize$AllocateLength$CopyDescriptorFreeSecurity$DaclGroupHeapLog@@MakeMemoryObjectOwnerRelativeSelfValueWrite@
String ID: LaunchPermission$Microsoft WMI Provider Subsystem Host
API String ID: 2460958007-1944748634
Opcode ID: 61bba1533552776ee4d8420f2578fb51a79de3e89371a7012b178bff525ffa86
Instruction ID: 178277da047191335c6a84e3e2cc2da431da502134a4f69af189155d0fadd20d
Opcode Fuzzy Hash: 61bba1533552776ee4d8420f2578fb51a79de3e89371a7012b178bff525ffa86
Instruction Fuzzy Hash: AC329D33B086818BE7109F61E4402BD7BB0FB99B84B525135EE0EA7B98DF7AD405DB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BDFD0, Relevance: 63.5, APIs: 9, Strings: 27, Instructions: 475memoryCOMMON

Download Yara Rule

APIs

LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6BE060
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6BE0BC
SysAllocString.OLEAUT32 ref: 00007FF6EE6BE0FA
VariantInit.OLEAUT32 ref: 00007FF6EE6BE6EE
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6BE701
VariantClear.OLEAUT32 ref: 00007FF6EE6BE738
SysFreeString.OLEAUT32 ref: 00007FF6EE6BE782
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BE7BE
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BE7CF

Strings

ProviderOperation_ExecQueryAsync, xrefs: 00007FF6EE6BE2F5
ProviderOperation_GetObjects, xrefs: 00007FF6EE6BE4D4
ProviderOperation_PutProperty, xrefs: 00007FF6EE6BE540
ProviderOperation_FindConsumer, xrefs: 00007FF6EE6BE684
ProviderOperation_CreateInstanceEnumAsync, xrefs: 00007FF6EE6BE2B8
ProviderOperation_AccessCheck, xrefs: 00007FF6EE6BE622
ProviderOperation_PutInstanceAsync, xrefs: 00007FF6EE6BE282
ProviderOperation_StopRefreshing, xrefs: 00007FF6EE6BE468
ProviderOperation_CreateRefreshableObject, xrefs: 00007FF6EE6BE432
ProviderOperation_QueryInstances, xrefs: 00007FF6EE6BE3C6
ProviderOperation_ExecNotificationQueryAsync, xrefs: 00007FF6EE6BE324
ProviderOperation_NewQuery, xrefs: 00007FF6EE6BE5AC
Msft_Providers, xrefs: 00007FF6EE6BDFF3
ProviderOperation_GetProperty, xrefs: 00007FF6EE6BE50A
ProviderOperation_DeleteClassAsync, xrefs: 00007FF6EE6BE216
ProviderOperation_CreateRefresher, xrefs: 00007FF6EE6BE3FC
ProviderOperation_CreateClassEnumAsync, xrefs: 00007FF6EE6BE24C
ProviderOperation_CreateRefreshableEnum, xrefs: 00007FF6EE6BE49E
HostProcessIdentifier, xrefs: 00007FF6EE6BE71A
ProviderOperation_SetRegistrationObject, xrefs: 00007FF6EE6BE64E
ProviderOperation_CancelQuery, xrefs: 00007FF6EE6BE5E2
ProviderOperation_GetObjectAsync, xrefs: 00007FF6EE6BE1A0
ProviderOperation_ProvideEvents, xrefs: 00007FF6EE6BE576
ProviderOperation_DeleteInstanceAsync, xrefs: 00007FF6EE6BE35A
ProviderOperation_ValidateSubscription, xrefs: 00007FF6EE6BE6BA
ProviderOperation_ExecMethodAsync, xrefs: 00007FF6EE6BE390
ProviderOperation_PutClassAsync, xrefs: 00007FF6EE6BE1E0

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$Variant$AllocClearCurrentFreeInitLog@@MemoryObjectProcessWrite@
String ID: HostProcessIdentifier$Msft_Providers$ProviderOperation_AccessCheck$ProviderOperation_CancelQuery$ProviderOperation_CreateClassEnumAsync$ProviderOperation_CreateInstanceEnumAsync$ProviderOperation_CreateRefreshableEnum$ProviderOperation_CreateRefreshableObject$ProviderOperation_CreateRefresher$ProviderOperation_DeleteClassAsync$ProviderOperation_DeleteInstanceAsync$ProviderOperation_ExecMethodAsync$ProviderOperation_ExecNotificationQueryAsync$ProviderOperation_ExecQueryAsync$ProviderOperation_FindConsumer$ProviderOperation_GetObjectAsync$ProviderOperation_GetObjects$ProviderOperation_GetProperty$ProviderOperation_NewQuery$ProviderOperation_ProvideEvents$ProviderOperation_PutClassAsync$ProviderOperation_PutInstanceAsync$ProviderOperation_PutProperty$ProviderOperation_QueryInstances$ProviderOperation_SetRegistrationObject$ProviderOperation_StopRefreshing$ProviderOperation_ValidateSubscription
API String ID: 2174166760-2198336999
Opcode ID: 8d0b8ce01f6127dde1bd504b74c3466ba5d36308da6c1758d7ba40e69e197a5e
Instruction ID: 69971e1f38b9e8aa6c517f06103deeb69be6d07c5a9eb78f1a6aa80ebc6f84a8
Opcode Fuzzy Hash: 8d0b8ce01f6127dde1bd504b74c3466ba5d36308da6c1758d7ba40e69e197a5e
Instruction Fuzzy Hash: 6A426F77614B9A86DB10CF15E8806A97BA5FB9CB98F425136EE4D83B28DF7DC104CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BD580, Relevance: 63.5, APIs: 9, Strings: 27, Instructions: 475memoryCOMMON

Download Yara Rule

APIs

LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6BD610
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6BD66C
SysAllocString.OLEAUT32 ref: 00007FF6EE6BD6AA
VariantInit.OLEAUT32 ref: 00007FF6EE6BDC9E
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6BDCB1
VariantClear.OLEAUT32 ref: 00007FF6EE6BDCE8
SysFreeString.OLEAUT32 ref: 00007FF6EE6BDD32
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BDD6E
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BDD7F

Strings

ProviderOperation_ExecQueryAsync, xrefs: 00007FF6EE6BD8A5
ProviderOperation_GetObjects, xrefs: 00007FF6EE6BDA84
ProviderOperation_PutProperty, xrefs: 00007FF6EE6BDAF0
ProviderOperation_FindConsumer, xrefs: 00007FF6EE6BDC34
ProviderOperation_CreateInstanceEnumAsync, xrefs: 00007FF6EE6BD868
ProviderOperation_AccessCheck, xrefs: 00007FF6EE6BDBD2
ProviderOperation_PutInstanceAsync, xrefs: 00007FF6EE6BD832
ProviderOperation_StopRefreshing, xrefs: 00007FF6EE6BDA18
ProviderOperation_CreateRefreshableObject, xrefs: 00007FF6EE6BD9E2
ProviderOperation_QueryInstances, xrefs: 00007FF6EE6BD976
ProviderOperation_ExecNotificationQueryAsync, xrefs: 00007FF6EE6BD8D4
ProviderOperation_NewQuery, xrefs: 00007FF6EE6BDB5C
Msft_Providers, xrefs: 00007FF6EE6BD5A3
ProviderOperation_GetProperty, xrefs: 00007FF6EE6BDABA
ProviderOperation_DeleteClassAsync, xrefs: 00007FF6EE6BD7C6
ProviderOperation_CreateRefresher, xrefs: 00007FF6EE6BD9AC
ProviderOperation_CreateClassEnumAsync, xrefs: 00007FF6EE6BD7FC
ProviderOperation_CreateRefreshableEnum, xrefs: 00007FF6EE6BDA4E
HostProcessIdentifier, xrefs: 00007FF6EE6BDCCA
ProviderOperation_SetRegistrationObject, xrefs: 00007FF6EE6BDBFE
ProviderOperation_CancelQuery, xrefs: 00007FF6EE6BDB92
ProviderOperation_GetObjectAsync, xrefs: 00007FF6EE6BD750
ProviderOperation_ProvideEvents, xrefs: 00007FF6EE6BDB26
ProviderOperation_DeleteInstanceAsync, xrefs: 00007FF6EE6BD90A
ProviderOperation_ValidateSubscription, xrefs: 00007FF6EE6BDC6A
ProviderOperation_ExecMethodAsync, xrefs: 00007FF6EE6BD940
ProviderOperation_PutClassAsync, xrefs: 00007FF6EE6BD790

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$Variant$AllocClearCurrentFreeInitLog@@MemoryObjectProcessWrite@
String ID: HostProcessIdentifier$Msft_Providers$ProviderOperation_AccessCheck$ProviderOperation_CancelQuery$ProviderOperation_CreateClassEnumAsync$ProviderOperation_CreateInstanceEnumAsync$ProviderOperation_CreateRefreshableEnum$ProviderOperation_CreateRefreshableObject$ProviderOperation_CreateRefresher$ProviderOperation_DeleteClassAsync$ProviderOperation_DeleteInstanceAsync$ProviderOperation_ExecMethodAsync$ProviderOperation_ExecNotificationQueryAsync$ProviderOperation_ExecQueryAsync$ProviderOperation_FindConsumer$ProviderOperation_GetObjectAsync$ProviderOperation_GetObjects$ProviderOperation_GetProperty$ProviderOperation_NewQuery$ProviderOperation_ProvideEvents$ProviderOperation_PutClassAsync$ProviderOperation_PutInstanceAsync$ProviderOperation_PutProperty$ProviderOperation_QueryInstances$ProviderOperation_SetRegistrationObject$ProviderOperation_StopRefreshing$ProviderOperation_ValidateSubscription
API String ID: 2174166760-2198336999
Opcode ID: 75a332b072a2d772100f8de9ce77e8d87328dff64c648ec8a7289b55530ed476
Instruction ID: 04de33dfd9b4694046f41c3260fb2c6ba939b8990252864654e485613d3d4b6c
Opcode Fuzzy Hash: 75a332b072a2d772100f8de9ce77e8d87328dff64c648ec8a7289b55530ed476
Instruction Fuzzy Hash: EF427F77614B9686DB10CF19E8806A97BA5FB9CB98F425136EE4D83B28DF7DC104CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6B34EC, Relevance: 45.9, APIs: 25, Strings: 1, Instructions: 383memoryCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B3535
AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B3598
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B35E1
AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B37CE
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B37E2
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B3814
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B35B2

Part of subcall function 00007FF6EE698440: RtlAllocateHeap.NTDLL(?,?,00000001,00007FF6EE697D16), ref: 00007FF6EE698462

AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B3657
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B366B
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B369C
AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B370C
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B3722
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B3756
InitializeAcl.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B388D
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B38BE
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B38EF
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B391F
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B394D
SetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B3967
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B39F0
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B3A05
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B3A1A
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B3A2F
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6B3A46
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6B3A57

Strings

Global\Wmi Provider Sub System Counters, xrefs: 00007FF6EE6B34EF

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Initialize$Allocate$CopyFreeLength$DescriptorSecurity$DaclHeapLog@@MemoryObjectWrite@
String ID: Global\Wmi Provider Sub System Counters
API String ID: 790938941-3057216162
Opcode ID: e1216f7808de3b9d06fc073dab8606a9bba8e613695bbb048467e4e7537ccedd
Instruction ID: d204ea2ebbb467e0906879db999d274ea035f8e0ea6b16cdec8ae478c0a72eeb
Opcode Fuzzy Hash: e1216f7808de3b9d06fc073dab8606a9bba8e613695bbb048467e4e7537ccedd
Instruction Fuzzy Hash: 78026F37B086818AE7109F21E4406BE7BB0FB99B48B525135FE4D93B68DFBAD404D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6B1E60, Relevance: 40.7, APIs: 14, Strings: 9, Instructions: 488registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF6EE6B1ECE
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B209A
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B212E
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B2141
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B2166
RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B22E6
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B22FF
RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B23E6
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B2422
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B243B
RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B251C
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B2552
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B2567
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B20D7

Part of subcall function 00007FF6EE6985E0: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,80000002,00007FF6EE6AD91A,?,?,?,00007FF6EE69800E), ref: 00007FF6EE6985F6

Strings

CLSID\, xrefs: 00007FF6EE6B2173
ThreadingModel, xrefs: 00007FF6EE6B2546
Both, xrefs: 00007FF6EE6B2534
NotInsertable, xrefs: 00007FF6EE6B2298
APPID\, xrefs: 00007FF6EE6B2029
AppIDFlags, xrefs: 00007FF6EE6B2122
LocalServer32, xrefs: 00007FF6EE6B239E, 00007FF6EE6B24D4
AppId, xrefs: 00007FF6EE6B21A0
?, xrefs: 00007FF6EE6B22C2

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Close$CreateValue$FileFreeHeapModuleNameOpen
String ID: ?$APPID\$AppIDFlags$AppId$Both$CLSID\$LocalServer32$NotInsertable$ThreadingModel
API String ID: 807124017-932693166
Opcode ID: bbd784c193a6f99d01535bc95273eda68c77843abdbcc585b6de6f5158c611f5
Instruction ID: 4253975f1cb0143128316d11d5677251fdfa016dee648ed2fdf8683f5e86b41a
Opcode Fuzzy Hash: bbd784c193a6f99d01535bc95273eda68c77843abdbcc585b6de6f5158c611f5
Instruction Fuzzy Hash: B7128E67F1868295EA209F21D8103BA63A4FFA4B84F524131FA0DC7B99DFBED504D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6CE9E8, Relevance: 39.4, APIs: 26, Instructions: 430COMMON

Download Yara Rule

APIs

MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEA9E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6CEAB2
InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEB5C
MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEBB8
SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEBDA
SetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEBFC
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEACA

Part of subcall function 00007FF6EE698440: RtlAllocateHeap.NTDLL(?,?,00000001,00007FF6EE697D16), ref: 00007FF6EE698462

InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEC28
SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEC42
SetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEC5C
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEC7A
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CECB6
GetAclInformation.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CED0B
memmove.MSVCRT ref: 00007FF6EE6CED6F
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CED97
InitializeAcl.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEDF2
GetAclInformation.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEE10
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEE4F
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEE99
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEEDA
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEF1B
AddAce.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEF5C
SetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEF88
MakeSelfRelativeSD.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEFAB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6CEFBB
MakeSelfRelativeSD.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEFE7

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: DescriptorSecurity$Make$InitializeLength$AbsoluteErrorGroupInformationLastOwnerRelativeSelf$AllocateCopyDaclHeapmemmove
String ID:
API String ID: 1094331661-0
Opcode ID: 400b851a78be5933eafcb84392394e27d0459f2086d4391a6583a3e5d5f53fac
Instruction ID: 175bc1a5233cec8c98ef6416f0180efb6af8a52f0efc347b8ee513eeabce20f3
Opcode Fuzzy Hash: 400b851a78be5933eafcb84392394e27d0459f2086d4391a6583a3e5d5f53fac
Instruction Fuzzy Hash: 69125027B08A428AEB109F61A4403BD77F1BF59B88B524035EE0D9B754DFBEE405E709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6938C4, Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 200registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE693909
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE693942
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE693954
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A65D3
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A6602
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A6614
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A664E
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A667D
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A668F
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A66C5
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A66F4
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A6706
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A6744
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A6782
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A6794

Strings

Software\Microsoft\WBEM\CIMOM, xrefs: 00007FF6EE6A673A
SOFTWARE\Microsoft\WBEM\CIMOM\CompatibleHostProviders, xrefs: 00007FF6EE6A6644, 00007FF6EE6A66BB
DefaultSecuredHost, xrefs: 00007FF6EE6A6774
SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders, xrefs: 00007FF6EE6938F1, 00007FF6EE6A65C9

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: DefaultSecuredHost$SOFTWARE\Microsoft\WBEM\CIMOM\CompatibleHostProviders$SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders$Software\Microsoft\WBEM\CIMOM
API String ID: 3677997916-590304595
Opcode ID: fdbb5d6d12196acb7d215e2e40c34db746e3ff7e2cae11550d2896073631a190
Instruction ID: e9c110d1c3c9181f1d271f8eb0a8448d340f9538ffaaaed3c51bf4bcce9eca06
Opcode Fuzzy Hash: fdbb5d6d12196acb7d215e2e40c34db746e3ff7e2cae11550d2896073631a190
Instruction Fuzzy Hash: 0E91B037E04B61CAE7208F60E4406BD7BA0FB59B98B825235EE4E83B04DF79D544DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6D5F00, Relevance: 26.9, APIs: 13, Strings: 2, Instructions: 609COMMON

Download Yara Rule

APIs

LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D630B
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D6369
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D6515
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D6575

Strings

Lower, xrefs: 00007FF6EE6D628E, 00007FF6EE6D63AD, 00007FF6EE6D65C4
Upper, xrefs: 00007FF6EE6D6299, 00007FF6EE6D64AF

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String
String ID: Lower$Upper
API String ID: 2568140703-361161821
Opcode ID: e497a0a6e5dfa857643ed9bf1c3a61973be6c5d88d32219b51fc515d7ae34baa
Instruction ID: f6eb382de37f1e63a065112ac91f51284f205e19f517978edc15a9f19e2e4e1a
Opcode Fuzzy Hash: e497a0a6e5dfa857643ed9bf1c3a61973be6c5d88d32219b51fc515d7ae34baa
Instruction Fuzzy Hash: CA42F837E0974285E714AF51A4003BD27A0FB64798FA64035E94E87B85DF7EE440EB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6AEA6C, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowsleepCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 00007FF6EE6AEB26
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AEB5E
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF6EE6AEB79
GetMessageW.USER32 ref: 00007FF6EE6AEBBD
TranslateMessage.USER32 ref: 00007FF6EE6AEBD3
DispatchMessageW.USER32 ref: 00007FF6EE6AEBE4
PeekMessageW.USER32 ref: 00007FF6EE6AEC02
WaitForMultipleObjectsEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6AEC25
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AEC61

Strings

:, xrefs: 00007FF6EE6AEAEF

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Message$ErrorLastMultipleObjectsWait$DispatchPeekSleepTranslate
String ID: :
API String ID: 2223531894-336475711
Opcode ID: 54a36b7c58106e23defce4ad74a69fd5b3be9f2f3bd5310a8d0a736bead4d9e2
Instruction ID: 83a6bb56ecb0f83bdbcb8d6fed428cb34809e5f5e87e8a9835c8e2d9b898317d
Opcode Fuzzy Hash: 54a36b7c58106e23defce4ad74a69fd5b3be9f2f3bd5310a8d0a736bead4d9e2
Instruction Fuzzy Hash: 3461B533E9866286F6608BA8E44437D6791FBA9754F524131FA0F83690CF7EE484D70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69775C, Relevance: 12.8, APIs: 8, Instructions: 770synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE697AF0
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE697B6F

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Object$CommitSingleWait
String ID:
API String ID: 4292635895-0
Opcode ID: daecce16aa0192b35a5f89d88524924fe1bfeb1900bdc9605bb976dc922bd1cc
Instruction ID: ac09e811f873c34f591809178a4b8a274a1dc8df88817d828b8599ffc989fbef
Opcode Fuzzy Hash: daecce16aa0192b35a5f89d88524924fe1bfeb1900bdc9605bb976dc922bd1cc
Instruction Fuzzy Hash: 1C829537A0CB8682DB20DF15E4403A9B7A1FB94B94F624035EA8D87754CFBEE445DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C9B00, Relevance: 12.6, APIs: 8, Instructions: 594synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6C9F3D
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6CA017
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6C9FB4

Part of subcall function 00007FF6EE698834: GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE698844
Part of subcall function 00007FF6EE698834: OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE698863
Part of subcall function 00007FF6EE698834: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69889C
Part of subcall function 00007FF6EE698834: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EE6988AF

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6CA2C5
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6CA337
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6CA397
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6CA405
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6CA416

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Object$Commit$SingleThreadTokenWait$CloseCurrentHandleInformationLog@@MemoryOpenWrite@
String ID:
API String ID: 2682698108-0
Opcode ID: 88f463e200b10d83fc9a013829797b036701c6059566ea4c3ae31ca0c64e73da
Instruction ID: a5965b860b0fcba9cbc7503cdf96a4015ae413b2b6b41580c5e416f75c7f0eb0
Opcode Fuzzy Hash: 88f463e200b10d83fc9a013829797b036701c6059566ea4c3ae31ca0c64e73da
Instruction Fuzzy Hash: 2D428133708B8686EB10CF65E4802A9B7A1FB98B94F124135EE4E87754CFBEE454DB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6AF868, Relevance: 12.1, APIs: 8, Instructions: 135sleepwindowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 00007FF6EE6AF902
PeekMessageW.USER32 ref: 00007FF6EE6AF98E
WaitForMultipleObjectsEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EE6AF819), ref: 00007FF6EE6AF9B1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EE6AF819), ref: 00007FF6EE6AF9E1
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EE6AF819), ref: 00007FF6EE6AF9FC

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: MultipleObjectsWait$ErrorLastMessagePeekSleep
String ID:
API String ID: 1890068862-0
Opcode ID: 5d8e7b178e1a7d3ff2e1484ac7b2fdb8143ac09070fe3f97731f7d6b66ea428a
Instruction ID: c31d2778a2f20d7fe6b608277900eff1907a23e8143b6fb035a3b830399a27ae
Opcode Fuzzy Hash: 5d8e7b178e1a7d3ff2e1484ac7b2fdb8143ac09070fe3f97731f7d6b66ea428a
Instruction Fuzzy Hash: CF518F33E44A52CAF7608F21E4803BC77A0FB29B44F5A5231EA0ED2654CF7AD454D70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6AFF50, Relevance: 12.1, APIs: 8, Instructions: 109sleepwindowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 00007FF6EE6AFFB5
PeekMessageW.USER32 ref: 00007FF6EE6B002E
WaitForMultipleObjectsEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6B0052
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6B0077
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF6EE6B0091

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: MultipleObjectsWait$ErrorLastMessagePeekSleep
String ID:
API String ID: 1890068862-0
Opcode ID: f06a71133979ee200c8f002aac760af63754c7724974ffb011682881722a08e2
Instruction ID: 4f2dfaf4e2a5eb4032b66413f82c9cd561ca0a0dfd5265fa594a1aba1012f118
Opcode Fuzzy Hash: f06a71133979ee200c8f002aac760af63754c7724974ffb011682881722a08e2
Instruction Fuzzy Hash: DE418F33E08A02CAFB608B65D84477D7BA1FB69758F924135EA0DC2648CFBAD444D70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6AFC40, Relevance: 12.1, APIs: 8, Instructions: 105windowsleepCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 00007FF6EE6AFCA7
GetMessageW.USER32 ref: 00007FF6EE6AFCD1
TranslateMessage.USER32 ref: 00007FF6EE6AFCE6
DispatchMessageW.USER32 ref: 00007FF6EE6AFCF6
PeekMessageW.USER32 ref: 00007FF6EE6AFD12
WaitForMultipleObjectsEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6AFD35
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6AFD56
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF6EE6AFD70

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchErrorLastPeekSleepTranslate
String ID:
API String ID: 1449207833-0
Opcode ID: 3ff2884ba3b3a468489f0cfc5135bbe4a0ffa616ee2fae1fda9384e7e3f3496d
Instruction ID: 86cbda7b18734e829f733d72ba642b0b9dfc469ec8f5045162dfaf81a77de62b
Opcode Fuzzy Hash: 3ff2884ba3b3a468489f0cfc5135bbe4a0ffa616ee2fae1fda9384e7e3f3496d
Instruction Fuzzy Hash: 61419D33E48A1286F7609B65D84477D3BA0FB5A714F924235EA0EC7680CF7ED444E70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C728C, Relevance: 9.6, APIs: 6, Instructions: 550synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6C74A6
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6C77C0
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6C79D5
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6C7A69

Part of subcall function 00007FF6EE6985E0: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,80000002,00007FF6EE6AD91A,?,?,?,00007FF6EE69800E), ref: 00007FF6EE6985F6

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C7AA4
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C7AB5

Part of subcall function 00007FF6EE698440: RtlAllocateHeap.NTDLL(?,?,00000001,00007FF6EE697D16), ref: 00007FF6EE698462

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Object$CommitHeapSingleWait$AllocateFreeLog@@MemoryWrite@
String ID:
API String ID: 2534703132-0
Opcode ID: b1c0253f40eb63f2207106d9ed5a15c298f470d6fc0bb09924dad90fe44d2ccf
Instruction ID: 144b0e7ffcc45a1c0b7c734a9282f00669a1eba72b5dbd0dcdb2015604eea9e9
Opcode Fuzzy Hash: b1c0253f40eb63f2207106d9ed5a15c298f470d6fc0bb09924dad90fe44d2ccf
Instruction Fuzzy Hash: 9C428C37B08B4686EB00CB66E88066D7BB4FB58B98F120135EE4D8B764DF7AE450D705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A2E94, Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF6EE6A2EC4
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6A2ED2
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6A2EDE
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF6EE6A2EEA
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF6EE6A2EFA
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF6EE6A2F15

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: 5a2420faf78a2611e95b285a4fdd0f065f2ee18ea06d2d75afacdf71e5ef3990
Instruction ID: 5b5f6e9c3b6af35fcff11b178a6a8d6e2de46f78d6161f060cb5432964bed5bf
Opcode Fuzzy Hash: 5a2420faf78a2611e95b285a4fdd0f065f2ee18ea06d2d75afacdf71e5ef3990
Instruction Fuzzy Hash: 18118C26A04F458AEB00DF60E8453A833A0FB29758F511A30FA6DC3754EFBDD1A48784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69B8FC, Relevance: 4.6, APIs: 3, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EE69BB78: InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000248BBAAE6F0,00007FF6EE69BAB7,?,?,00000000,00007FF6EE697DA2), ref: 00007FF6EE69BB88

CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69B9FD
CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69BA27
CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE69BA55

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CreateEvent$CountCriticalInitializeSectionSpin
String ID:
API String ID: 1354401513-0
Opcode ID: 73766af3980474a927c25c160ea3e7e355073ad924cf15d8011c94569e302796
Instruction ID: 3353d35b9f2492f1bcfab76127e1ae2ab2deed7cea5db5a712685d7ff1c05fc8
Opcode Fuzzy Hash: 73766af3980474a927c25c160ea3e7e355073ad924cf15d8011c94569e302796
Instruction Fuzzy Hash: 6A413A36A04B858BE7288F2AF45076EB7A4F750B40F54922DD7DA83B60DF79E0548708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE694E10, Relevance: 42.5, APIs: 16, Strings: 8, Instructions: 466memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6EE694E42
VariantInit.OLEAUT32 ref: 00007FF6EE694EFF
VariantClear.OLEAUT32 ref: 00007FF6EE69504A
SysFreeString.OLEAUT32 ref: 00007FF6EE695094
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6A711A

Strings

__CLASS, xrefs: 00007FF6EE694F33
__ClassProviderRegistration, xrefs: 00007FF6EE694FC9
__InstanceProviderRegistration, xrefs: 00007FF6EE694F5E
__MethodProviderRegistration, xrefs: 00007FF6EE6950E9
__PropertyProviderRegistration, xrefs: 00007FF6EE695169
__EventConsumerProviderRegistration, xrefs: 00007FF6EE6A7461
__EventProviderRegistration, xrefs: 00007FF6EE6A7376
Wql, xrefs: 00007FF6EE694E34

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$Variant$AllocClearFreeInit
String ID: Wql$__CLASS$__ClassProviderRegistration$__EventConsumerProviderRegistration$__EventProviderRegistration$__InstanceProviderRegistration$__MethodProviderRegistration$__PropertyProviderRegistration
API String ID: 1513835179-260539986
Opcode ID: cbbb1584397e2e213482b745d6472324ae71bd7b0c8cfb7997f40ed33c766206
Instruction ID: 2f5a642aeb62babaa7ec0ccd88f36c21b1a3a0effcc04b12c9da74917040abb4
Opcode Fuzzy Hash: cbbb1584397e2e213482b745d6472324ae71bd7b0c8cfb7997f40ed33c766206
Instruction Fuzzy Hash: B7228133A086568AE7209F20D0503FD37A0FB24B48F824136EE4D97694EFBEE555E749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69BCD4, Relevance: 30.3, APIs: 20, Instructions: 259memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BD47
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BD5F

Part of subcall function 00007FF6EE698440: RtlAllocateHeap.NTDLL(?,?,00000001,00007FF6EE697D16), ref: 00007FF6EE698462

CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BD99
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BDE4
AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BE3C
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BE54
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BE8E
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BED9
AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BF31
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BF49
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BF83
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69BFCE
AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C029
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C041
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C07B
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C0C6
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C0F9
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C10E
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C123
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69C138

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Copy$Allocate$FreeInitializeLength$Heap
String ID:
API String ID: 3030590722-0
Opcode ID: 03ab739749bbe2d38b0a7099b7feefe2b184a46a67dc48670b54e31ab210f187
Instruction ID: 3a45ba4784f4a69e1fe5d46005fe8c0d5635689cc2d3cbdcacea6b21d2732d8d
Opcode Fuzzy Hash: 03ab739749bbe2d38b0a7099b7feefe2b184a46a67dc48670b54e31ab210f187
Instruction Fuzzy Hash: 7AD17D33A15B928AD7108F20E4402B87BB0FFA9B08B169136FA4D87750DFBEE415D749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A0A50, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 344memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF6EE6A0AC9
SysAllocString.OLEAUT32 ref: 00007FF6EE6A0B07
SysAllocString.OLEAUT32 ref: 00007FF6EE6A0B19
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE6A0B5D
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6A0CA5
VariantClear.OLEAUT32 ref: 00007FF6EE6AAB09
VariantClear.OLEAUT32 ref: 00007FF6EE6AAB3D

Strings

__GET_EXT_KEYS_ONLY, xrefs: 00007FF6EE6AAB8C
__GET_EXT_CLIENT_REQUEST, xrefs: 00007FF6EE6AAB20, 00007FF6EE6AAB49, 00007FF6EE6AAB72
ExecMethodAsync, xrefs: 00007FF6EE6AAC9A
__GET_EXTENSIONS, xrefs: 00007FF6EE6A0AE4, 00007FF6EE6AAB58
__GET_EXT_PROPERTIES, xrefs: 00007FF6EE6AABA0

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: AllocVariant$ClearString$CommitHeapInitObject
String ID: ExecMethodAsync$__GET_EXTENSIONS$__GET_EXT_CLIENT_REQUEST$__GET_EXT_KEYS_ONLY$__GET_EXT_PROPERTIES
API String ID: 444761291-2842013111
Opcode ID: 6f4937fcb200931e547b8134f240165f687af337a014294fe7a7e8294dcd4bc1
Instruction ID: 8d60371725d674f2d6d24afe6484ff67ce0e2106304ab36790c92cf5df0ef3dd
Opcode Fuzzy Hash: 6f4937fcb200931e547b8134f240165f687af337a014294fe7a7e8294dcd4bc1
Instruction Fuzzy Hash: E5F19F37A08B4686EB509F15E84076977A0FB99F84F564132EE0E83364CFBEE444E709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6933F0, Relevance: 24.9, APIs: 4, Strings: 10, Instructions: 390COMMON

Download Yara Rule

APIs

LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6A63E8
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6A6497

Strings

LocalSystemHostOrSelfHost, xrefs: 00007FF6EE693536
Decoupled:NonCom, xrefs: 00007FF6EE6934FF
WmiCoreOrSelfHost, xrefs: 00007FF6EE693455
LocalSystemHost, xrefs: 00007FF6EE693574
WmiCore, xrefs: 00007FF6EE693417
SelfHost, xrefs: 00007FF6EE69348A
NetworkServiceHostOrSelfHost, xrefs: 00007FF6EE6935B2
LocalServiceHost, xrefs: 00007FF6EE693749
Decoupled:Com, xrefs: 00007FF6EE6934BF
NetworkServiceHost, xrefs: 00007FF6EE693622

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String
String ID: Decoupled:Com$Decoupled:NonCom$LocalServiceHost$LocalSystemHost$LocalSystemHostOrSelfHost$NetworkServiceHost$NetworkServiceHostOrSelfHost$SelfHost$WmiCore$WmiCoreOrSelfHost
API String ID: 2568140703-1063480193
Opcode ID: 6995557c7da7ad3b8f8819eb5aa20e1c2201710b0ae1a009ceb6a83151656fd4
Instruction ID: 21d1193eed6938cb8dfe100d9bf32979acfa1a9bf92e2426c027518d803c34d0
Opcode Fuzzy Hash: 6995557c7da7ad3b8f8819eb5aa20e1c2201710b0ae1a009ceb6a83151656fd4
Instruction Fuzzy Hash: AAF19377E4826296E7209F1594503BD37A0FB24B88F524036FA4D876A4DFBFE454E30A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A12B0, Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 312memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF6EE6A131F
SysAllocString.OLEAUT32 ref: 00007FF6EE6A135E
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE6A1399
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6A1495
VariantClear.OLEAUT32 ref: 00007FF6EE6AB0F7
VariantClear.OLEAUT32 ref: 00007FF6EE6AB12B

Strings

CreateInstanceEnumAsync, xrefs: 00007FF6EE6AB277
__GET_EXT_KEYS_ONLY, xrefs: 00007FF6EE6AB17A
__GET_EXT_CLIENT_REQUEST, xrefs: 00007FF6EE6AB10E, 00007FF6EE6AB137, 00007FF6EE6AB160
__GET_EXTENSIONS, xrefs: 00007FF6EE6A133A, 00007FF6EE6AB146
__GET_EXT_PROPERTIES, xrefs: 00007FF6EE6AB18E

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Variant$AllocClear$CommitHeapInitObjectString
String ID: CreateInstanceEnumAsync$__GET_EXTENSIONS$__GET_EXT_CLIENT_REQUEST$__GET_EXT_KEYS_ONLY$__GET_EXT_PROPERTIES
API String ID: 461702680-1040527617
Opcode ID: 687cc5f9d246874947e7b3fcec245eb77291b6a0a44ce2616fa293540fd25461
Instruction ID: 795cd9554d2c5a904d4ee38bb5b30669c279768f028133b9f4603e07f7a119d6
Opcode Fuzzy Hash: 687cc5f9d246874947e7b3fcec245eb77291b6a0a44ce2616fa293540fd25461
Instruction Fuzzy Hash: 18E18D37A08B4682EB109F15E8443A877A0FB99F90F564132EE0E83760DFBEE405D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A02F0, Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF6EE6A0367
VariantClear.OLEAUT32 ref: 00007FF6EE6A039B
VariantClear.OLEAUT32 ref: 00007FF6EE6A03D3
SysAllocString.OLEAUT32 ref: 00007FF6EE6A0405
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE6A0440
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6A053A

Strings

__GET_EXT_KEYS_ONLY, xrefs: 00007FF6EE6AA72A
__GET_EXT_CLIENT_REQUEST, xrefs: 00007FF6EE6A03B2, 00007FF6EE6A03DF, 00007FF6EE6AA710
GetObjectAsync, xrefs: 00007FF6EE6AA810
__GET_EXTENSIONS, xrefs: 00007FF6EE6A0382, 00007FF6EE6AA6F6
__GET_EXT_PROPERTIES, xrefs: 00007FF6EE6AA73E

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Variant$AllocClear$CommitHeapInitObjectString
String ID: GetObjectAsync$__GET_EXTENSIONS$__GET_EXT_CLIENT_REQUEST$__GET_EXT_KEYS_ONLY$__GET_EXT_PROPERTIES
API String ID: 461702680-2040179058
Opcode ID: 6c2c97ec7de86791dcb095eae594e29e156491c513dd4c4c57c78e9c48c69fe6
Instruction ID: b73d6acda9975cb317307864eab029fd40561f19afb043b216a06f6f2109944e
Opcode Fuzzy Hash: 6c2c97ec7de86791dcb095eae594e29e156491c513dd4c4c57c78e9c48c69fe6
Instruction Fuzzy Hash: 3AE1BD3BA08B5686EB509F15E84076877A0FB59F94F564132EE1D83364CFBEE404E709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE694028, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 158registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EE694C00: SysAllocStringLen.OLEAUT32 ref: 00007FF6EE694C62

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE69410B
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE694158
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE694176
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6941A3
SysFreeString.OLEAUT32 ref: 00007FF6EE6941C8
SysFreeString.OLEAUT32 ref: 00007FF6EE6941D9
SysFreeString.OLEAUT32 ref: 00007FF6EE6A69CD
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6A69EF
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A6A4C
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A6A6A

Strings

LocalServer32, xrefs: 00007FF6EE69409A
InProcServer32, xrefs: 00007FF6EE69405C

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$Free$CloseOpenQueryValue$AllocErrorLast
String ID: InProcServer32$LocalServer32
API String ID: 258664285-2351252009
Opcode ID: ee40bded5c41926ad234f1d253eebe2a5d935485b63d4743606c268aae2d87d0
Instruction ID: bdcbe4dcca1a3836071b513d975f7ae1c7927387a30b27dd4f310013b6e9d57d
Opcode Fuzzy Hash: ee40bded5c41926ad234f1d253eebe2a5d935485b63d4743606c268aae2d87d0
Instruction Fuzzy Hash: 2271C137618B82C6E7108F21F84026AB7A0FB99790F565231FA8E83B64DF7ED444DB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6CF1F4, Relevance: 22.6, APIs: 15, Instructions: 139threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF6EE6CF221
OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF6EE6CF23B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF6EE6CF249
MapGenericMask.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CF297
AccessCheck.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CF2D6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6CF2F0
AccessCheck.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CF34B
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF6EE6CF37D
OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF6EE6CF393
ImpersonateLoggedOnUser.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF6EE6CF3AB
GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF6EE6CF3BB
OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF6EE6CF3D5
RevertToSelf.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF6EE6CF3E7
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF6EE6CF3FC
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EE6CF41B

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Thread$CurrentOpenToken$AccessCheckCloseErrorHandleLastProcess$GenericImpersonateLoggedMaskRevertSelfUser
String ID:
API String ID: 282326827-0
Opcode ID: 3414c39c8ea25c814f9514623a0cb6eb8b00d31c7dd253a3c190a834e5d46ea1
Instruction ID: 00fcffabf6977f7938f7b722bf3a2946101f01e967bc5553b803ed6e9353df8d
Opcode Fuzzy Hash: 3414c39c8ea25c814f9514623a0cb6eb8b00d31c7dd253a3c190a834e5d46ea1
Instruction Fuzzy Hash: D9517B37A04A46CAEB509F20E8403BC7BA0FB99B49F528131EA0E87754DF7DD548DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6D3C60, Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 351COMMON

Download Yara Rule

APIs

LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D3CFC
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D3D58
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D3E33
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D3E8D
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D3F60
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D3FBA
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D408D
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6D40E7

Strings

__CLASS, xrefs: 00007FF6EE6D3F05
__DYNASTY, xrefs: 00007FF6EE6D4032
__SUPERCLASS, xrefs: 00007FF6EE6D3CA2
__THIS, xrefs: 00007FF6EE6D3DD8

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String
String ID: __CLASS$__DYNASTY$__SUPERCLASS$__THIS
API String ID: 2568140703-2708593128
Opcode ID: 8d4e8f3067fca903dd4a3d0046d0f4a23d307d36fb342896b0fad77c92e6bc16
Instruction ID: 10467507b6bde86502a392030632f8be14c1d6036d1c2fc1076a5c3394e553c2
Opcode Fuzzy Hash: 8d4e8f3067fca903dd4a3d0046d0f4a23d307d36fb342896b0fad77c92e6bc16
Instruction Fuzzy Hash: 29E19037A087458AE724AF11D4002B977A1FB68B94FA20135EE5E93BD4DF7ED840DB06

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE694D54, Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 342registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE694DBC

Strings

Synchronization, xrefs: 00007FF6EE694DB2

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: QueryValue
String ID: Synchronization
API String ID: 3660427363-37155492
Opcode ID: 85868e097440b1bd5597135b64a604e621270a31bb6588addbe712a19502bd7d
Instruction ID: 52c6bcc35616ae6b62dc715d893e65b34ab321b1890c95504d505ca8b0d15ced
Opcode Fuzzy Hash: 85868e097440b1bd5597135b64a604e621270a31bb6588addbe712a19502bd7d
Instruction Fuzzy Hash: 04F1B873A0C69286E7645B00F0403BEB7A1FB94B54F925136FA8E83A94DF7ED444DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69539C, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF6EE6953DB
VariantClear.OLEAUT32 ref: 00007FF6EE695414
VariantInit.OLEAUT32 ref: 00007FF6EE6A7934
VariantClear.OLEAUT32 ref: 00007FF6EE6A7A03
_CxxThrowException.MSVCRT ref: 00007FF6EE6A7A38
_CxxThrowException.MSVCRT ref: 00007FF6EE6A7A69

Strings

__RequiredArchitecture, xrefs: 00007FF6EE6A794B
__ProviderArchitecture, xrefs: 00007FF6EE6953F2

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Variant$ClearExceptionInitThrow
String ID: __ProviderArchitecture$__RequiredArchitecture
API String ID: 734493686-1330146419
Opcode ID: b25b577c57c7b0cd0ba27e70574f4356025bf2492df432fc51754060a12563ea
Instruction ID: 523d2f39bdba1620e8838e4b9d24576ab4e7d452f90b4b06c0f4859699d030c6
Opcode Fuzzy Hash: b25b577c57c7b0cd0ba27e70574f4356025bf2492df432fc51754060a12563ea
Instruction Fuzzy Hash: C3514133A44A42D9E7109F30D8803B87760FB69748B525232FA1DD3694EFBEE548D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6D00B0, Relevance: 19.6, APIs: 6, Strings: 5, Instructions: 326COMMON

Download Yara Rule

APIs

LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,000006A9,00000690,00000000,000000FF,000000FF,0000000D,?,00007FF6EE6A62F1), ref: 00007FF6EE6D01AF
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,000006A9,00000690,00000000,000000FF,000000FF,0000000D,?,00007FF6EE6A62F1), ref: 00007FF6EE6D01FF
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,000006A9,00000690,00000000,000000FF,000000FF), ref: 00007FF6EE6D0319
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,000006A9,00000690,00000000,000000FF,000000FF), ref: 00007FF6EE6D0374
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,000006A9,00000690,00000000,000000FF,000000FF), ref: 00007FF6EE6D0411
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,000006A9,00000690,00000000,000000FF,000000FF), ref: 00007FF6EE6D046C

Strings

FALSE, xrefs: 00007FF6EE6D03B6
Decoupled:Com:, xrefs: 00007FF6EE6D00EC
FoldIdentity, xrefs: 00007FF6EE6D0158
Decoupled:Com, xrefs: 00007FF6EE6D00CC
TRUE, xrefs: 00007FF6EE6D02B8

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String
String ID: Decoupled:Com$Decoupled:Com:$FALSE$FoldIdentity$TRUE
API String ID: 2568140703-1285790333
Opcode ID: 6856c338c5d9170a21334616a3a3e6d71e207dc82491f4269d13878af3fbea1c
Instruction ID: 18ac99994e7004f0c00c7efdb8f5a7545382aabb99fd3b6e2dc77d3c9f2b809b
Opcode Fuzzy Hash: 6856c338c5d9170a21334616a3a3e6d71e207dc82491f4269d13878af3fbea1c
Instruction Fuzzy Hash: 92E1B137A087428AEB60AF61D4402FD37A5FB24748F910835EE4D93A88EFB9D544DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6911B8, Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF6EE69133F
VariantClear.OLEAUT32 ref: 00007FF6EE6913A0
VariantInit.OLEAUT32 ref: 00007FF6EE6913B8
VariantClear.OLEAUT32 ref: 00007FF6EE691419
VariantInit.OLEAUT32 ref: 00007FF6EE69142D
VariantClear.OLEAUT32 ref: 00007FF6EE69148E

Strings

ThreadsPerHost, xrefs: 00007FF6EE691368
ProcessLimitAllHosts, xrefs: 00007FF6EE691456
HandlesPerHost, xrefs: 00007FF6EE6913E1
MemoryAllHosts, xrefs: 00007FF6EE691253
MemoryPerHost, xrefs: 00007FF6EE6912EC

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Variant$ClearInit
String ID: HandlesPerHost$MemoryAllHosts$MemoryPerHost$ProcessLimitAllHosts$ThreadsPerHost
API String ID: 2610073882-2981524028
Opcode ID: 7bb02f7dc466ed871794d6f94c2bf4b25c52553094067eae3fff1c9d57c74385
Instruction ID: 3bb082de7cba11f717d3947bfb47eeecc67de19d451a27957b5948cbc9fb262f
Opcode Fuzzy Hash: 7bb02f7dc466ed871794d6f94c2bf4b25c52553094067eae3fff1c9d57c74385
Instruction Fuzzy Hash: F7A16A37A04B52DAEB208F64D4802AC3BB4FB18798F624135EB4D53B58CFBAD194D745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE691940, Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 352COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6EE691AB9

Strings

references of {__Win32Provider.Name=", xrefs: 00007FF6EE691A8A

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: FreeString
String ID: references of {__Win32Provider.Name="
API String ID: 3341692771-1092576982
Opcode ID: 6d22c10e7795f9ca2b27066fb0eabee3c60c9694f69baa0bb49d70562c45ddc2
Instruction ID: f5e67f21f52e5db00da755e948447f643f6090adfde644e29e9a32abc6717da2
Opcode Fuzzy Hash: 6d22c10e7795f9ca2b27066fb0eabee3c60c9694f69baa0bb49d70562c45ddc2
Instruction Fuzzy Hash: A8F18D23E08A4286EB149F21D4403BC37A1FB69B58F620135EA0D87795DFBFE445E74A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69517C, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 285registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6951ED
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FF6EE6A7586

Strings

ThreadingModel, xrefs: 00007FF6EE6951D7

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: QueryStringValue
String ID: ThreadingModel
API String ID: 260547354-3156129679
Opcode ID: 1667176baefd8360ca57ca6a79d8bab75f34931a6a0204572f98f951f274f16e
Instruction ID: 1094966e192d9c467e1e54527ba434c9c5d5317133fec6142ef745234ef35584
Opcode Fuzzy Hash: 1667176baefd8360ca57ca6a79d8bab75f34931a6a0204572f98f951f274f16e
Instruction Fuzzy Hash: 18D1D833A1C692C2D7609F10E0403BAB7A1FB94754F924136FA8E87A94EF7ED444EB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69C9DC, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,00007FF6EE69C74D), ref: 00007FF6EE69C9FC
wcstok.MSVCRT ref: 00007FF6EE69CA1B
wcstok.MSVCRT ref: 00007FF6EE69CA30
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,00007FF6EE69C74D), ref: 00007FF6EE69CA6D
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,00007FF6EE69C74D), ref: 00007FF6EE69CAA0
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,00007FF6EE69C74D), ref: 00007FF6EE69CACF
wcstok.MSVCRT ref: 00007FF6EE69CAEB

Strings

/RegServer, xrefs: 00007FF6EE69CA4F
-secured, xrefs: 00007FF6EE69CAB1
/UnRegServer, xrefs: 00007FF6EE69CA82

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CompareStringwcstok$CommandLine
String ID: -secured$/RegServer$/UnRegServer
API String ID: 1457712244-2803500518
Opcode ID: cb3b6356c2ce7b379cb3b66b209affcd9f0ed59be34cc83b808fb9b7c3fd8d83
Instruction ID: 9c7038ac25f75e1190c2d988f4242b83cc040e5335b2017608468b55e5738508
Opcode Fuzzy Hash: cb3b6356c2ce7b379cb3b66b209affcd9f0ed59be34cc83b808fb9b7c3fd8d83
Instruction Fuzzy Hash: 5531EB37A08B8186D710AF01A440239BBE4FB6DB84FA65138EA4D93395CFBDE404DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE693998, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 118registrymemoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6EE6939CE
SysAllocString.OLEAUT32 ref: 00007FF6EE6939FC
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE693A8D
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE693AD3
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE693AFE
SysFreeString.OLEAUT32 ref: 00007FF6EE693B0E
SysFreeString.OLEAUT32 ref: 00007FF6EE6A67E0

Strings

CLSID\, xrefs: 00007FF6EE693A1A

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$AllocFree$CloseOpenQueryValue
String ID: CLSID\
API String ID: 686035130-4114017780
Opcode ID: 1dfba9ebfe4470b1a2672402d5000eb6a32e1f87a6bd10db6385ebed478e4a77
Instruction ID: e9ebb978d21e80779d290c2159a2b67a17d382f0849dc0e359773146ea7dc8b0
Opcode Fuzzy Hash: 1dfba9ebfe4470b1a2672402d5000eb6a32e1f87a6bd10db6385ebed478e4a77
Instruction Fuzzy Hash: 58516C33A04B5286EB108F25E4003B97BA0FB68B98F164231EE0E87758DFBED045D749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6B262C, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 81registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EE6B015C: _vsnwprintf.MSVCRT ref: 00007FF6EE6B019C

RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B26DE
RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B2724
RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B2760
RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B277A

Strings

CLSID\, xrefs: 00007FF6EE6B2681
NotInsertable, xrefs: 00007FF6EE6B26A7
APPID\, xrefs: 00007FF6EE6B26EA
LocalServer32, xrefs: 00007FF6EE6B2730
%s\%s, xrefs: 00007FF6EE6B26BA, 00007FF6EE6B2743

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Delete$_vsnwprintf
String ID: %s\%s$APPID\$CLSID\$LocalServer32$NotInsertable
API String ID: 331555913-4016042841
Opcode ID: 2cbf56834e45818300e5e3609c17da9fc37e8f713c1e1ac735820fadc5988bd5
Instruction ID: 47aac664ef75b2fc8b85d1e73fc5eca868cfae13368a6ca4b4a48cc58971571e
Opcode Fuzzy Hash: 2cbf56834e45818300e5e3609c17da9fc37e8f713c1e1ac735820fadc5988bd5
Instruction Fuzzy Hash: B241CE77A18A81D6E720DF24E8007E93760FBA9344F955132FA0E87B59DF7AD608CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE698B80, Relevance: 15.4, APIs: 10, Instructions: 379COMMON

Download Yara Rule

APIs

?SetPreferredLanguages@CMUILocale@@SAJKPEBGPEAK@Z.WBEMCOMN ref: 00007FF6EE698D17
?_Free@CMUILocale@@SAHPEAX@Z.WBEMCOMN ref: 00007FF6EE698D2B

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Locale@@$Free@Languages@Preferred
String ID:
API String ID: 314991416-0
Opcode ID: b7879feb6440b492c9511d42d4fea967490f7bdc8b0c492f849fca2b523f5392
Instruction ID: bcbac267cd230ea5b0bf2644246f69f701c22066f4d2ccd72d77448a9758d7e7
Opcode Fuzzy Hash: b7879feb6440b492c9511d42d4fea967490f7bdc8b0c492f849fca2b523f5392
Instruction Fuzzy Hash: 06028137A08A528AEB109F65E4407BC37A1FB68B98F524035EE0E93754CF7EE805D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BF6E0, Relevance: 15.4, APIs: 10, Instructions: 365memoryCOMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BF801
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BF813
SysAllocString.OLEAUT32 ref: 00007FF6EE6BF85B
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BF873
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BF88B
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BF91B
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BF933
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BFBC7
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BFBD9

Part of subcall function 00007FF6EE698440: RtlAllocateHeap.NTDLL(?,?,00000001,00007FF6EE697D16), ref: 00007FF6EE698462

SysFreeString.OLEAUT32 ref: 00007FF6EE6BFC66

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@$String$AllocAllocateFreeHeap
String ID:
API String ID: 1514251789-0
Opcode ID: 7cd74076afa0e93269df8ecfbc6881c1a00e0492867c5ce08bd94f34be6d4970
Instruction ID: 1cf077713750ebecbcf24427aef56166fc396cb5fe2a5f72cad7559bd4728e37
Opcode Fuzzy Hash: 7cd74076afa0e93269df8ecfbc6881c1a00e0492867c5ce08bd94f34be6d4970
Instruction Fuzzy Hash: 7C029E37B04B4686EB008F25D8443A83BA1FB59B98F564136EE0D97768CF7EE449D309

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE695788, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 310COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EE695450: WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6955B4

WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6959E4
?Init@CPublishWMIOperationEvent@@SAJXZ.WBEMCOMN ref: 00007FF6EE6959F9
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE695A13
?PublishProviderStarted@CPublishWMIOperationEvent@@SAJPEAGJ0K0@Z.WBEMCOMN ref: 00007FF6EE695A33

Strings

wmiprvse.exe, xrefs: 00007FF6EE695A27

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Publish$CommitEvent@@ObjectOperation$CurrentInit@ProcessProviderStarted@
String ID: wmiprvse.exe
API String ID: 2732922947-74504709
Opcode ID: a973c233ae91b68df89df6fb90387143c5410c077a51ae4b3c4784a47057e9c2
Instruction ID: 2b086e50734c2de4899f6440f0f4b2c308f6c9af7944f76a0f4ee11815c4407e
Opcode Fuzzy Hash: a973c233ae91b68df89df6fb90387143c5410c077a51ae4b3c4784a47057e9c2
Instruction Fuzzy Hash: D1D1B033A08B818AE7108F21E8402AD77A0FB98B98F560135EF4E87B54DF7EE440D708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C54FC, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 133memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6EE6C5659
SysFreeString.OLEAUT32 ref: 00007FF6EE6C5692
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C56D9
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C56EA

Part of subcall function 00007FF6EE6C5AD0: EtwTraceMessage.NTDLL ref: 00007FF6EE6C5B9D

Strings

Provider, xrefs: 00007FF6EE6C559F
StatusCode, xrefs: 00007FF6EE6C5619
Operation, xrefs: 00007FF6EE6C55C7
Provider Subsystem Error Report, xrefs: 00007FF6EE6C5652

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$AllocFreeLog@@MemoryMessageObjectTraceWrite@
String ID: Operation$Provider$Provider Subsystem Error Report$StatusCode
API String ID: 2484744183-2493281790
Opcode ID: 215be966765b909de5af54e42640fd8d8bf9c6cfec3fdb4df1658414b4e82768
Instruction ID: 263d5c27dbf563bab5ed44b742f1dc1f0bb3563bca9e6e6bc3b8c7aa19ba122f
Opcode Fuzzy Hash: 215be966765b909de5af54e42640fd8d8bf9c6cfec3fdb4df1658414b4e82768
Instruction Fuzzy Hash: 2651A067B08B8682EB10DB16E8403A93BA1FB98B88F564032EE4D87764CF7ED445D745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69D300, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF6EE69D326
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF6EE6ACAF4
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF6EE6ACB17
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF6EE6ACB37

Strings

mscoree.dll, xrefs: 00007FF6EE69D31D
CoEEShutDownCOM, xrefs: 00007FF6EE6ACAEA
CorExitProcess, xrefs: 00007FF6EE6ACB0B

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: AddressProc$FreeHandleLibraryModule
String ID: CoEEShutDownCOM$CorExitProcess$mscoree.dll
API String ID: 3351650562-694248032
Opcode ID: 14eb53aa9a79fb759ec5829e2dba5280ea3b761f375d835a89dd01a652d64903
Instruction ID: d3ddd2b0b81e985b98c44b448bfa024d79a9851d534774db171717ea1967111b
Opcode Fuzzy Hash: 14eb53aa9a79fb759ec5829e2dba5280ea3b761f375d835a89dd01a652d64903
Instruction Fuzzy Hash: AA218833908B46C6EB015B10E404378BBA0FF6AB65F569230E55E83394DFBED044D70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE696AC0, Relevance: 13.8, APIs: 9, Instructions: 287COMMON

Download Yara Rule

APIs

WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE696C39
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EE696D71
SysFreeString.OLEAUT32 ref: 00007FF6EE696D8A
SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE696E1D

Part of subcall function 00007FF6EE696EF0: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EE696A62), ref: 00007FF6EE696F95
Part of subcall function 00007FF6EE696EF0: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EE696A62), ref: 00007FF6EE696FD9
Part of subcall function 00007FF6EE696EF0: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EE696A62), ref: 00007FF6EE697010

DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE696E44
DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE696E7C

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Free$Heap$CriticalDeleteSection$CloseCommitEventHandleObjectString
String ID:
API String ID: 3665358772-0
Opcode ID: 7f3645eedcf729e4a4069026ad875a1c95e078b3b4551d10bb60da006ebb0a44
Instruction ID: 52273680b63b3b0c156d29a0f1cf9e24c83aa9023101489afaa6f61f0a359dda
Opcode Fuzzy Hash: 7f3645eedcf729e4a4069026ad875a1c95e078b3b4551d10bb60da006ebb0a44
Instruction Fuzzy Hash: 24E15937A0AB4585EB009F24E4843B833A4FB69F54F664232EA1D87360DFBED455E309

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6970EC, Relevance: 13.7, APIs: 9, Instructions: 185COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6EE6972B2

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 2fd2df3b91e5e9ed2ac48686d74b9f85ab357a12b60df736f6df7b819e678569
Instruction ID: 621d0218932c903390b11f0caf342e8f18c5b1871d299d2a234d31adb548ec09
Opcode Fuzzy Hash: 2fd2df3b91e5e9ed2ac48686d74b9f85ab357a12b60df736f6df7b819e678569
Instruction Fuzzy Hash: 4A818D27A09A06C6EF549F25C4547782760FFA6F55F1A4231EA1E8B3A0CF6EE044E309

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6D19F0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF6EE6D1A1E
VariantClear.OLEAUT32 ref: 00007FF6EE6D1A99
VariantInit.OLEAUT32 ref: 00007FF6EE6D1AB1
VariantClear.OLEAUT32 ref: 00007FF6EE6D1B28

Strings

SupportsPut, xrefs: 00007FF6EE6D1A46
__PropertyProviderRegistration, xrefs: 00007FF6EE6D19FC
SupportsGet, xrefs: 00007FF6EE6D1AD9

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Variant$ClearInit
String ID: SupportsGet$SupportsPut$__PropertyProviderRegistration
API String ID: 2610073882-4249854961
Opcode ID: e79b0278d4a8ecd8b90a0c0a57098967b1855ad5228e26dcb0ca639a173e39a6
Instruction ID: d9d505bed6891e25b9f061ac5a9031c399233918b830d2fb92e4089588f8aede
Opcode Fuzzy Hash: e79b0278d4a8ecd8b90a0c0a57098967b1855ad5228e26dcb0ca639a173e39a6
Instruction Fuzzy Hash: D3417227B14752DAEB209F60D8401FC7BB0F758748BA54136EA0E83A54DFBDD085DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE699800, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF6EE69982E
?GetPreferredLanguages@CMUILocale@@SAJKPEAPEAGPEAK@Z.WBEMCOMN ref: 00007FF6EE699888
?SetPreferredLanguages@CMUILocale@@SAJKPEBGPEAK@Z.WBEMCOMN ref: 00007FF6EE6998CB
VariantClear.OLEAUT32 ref: 00007FF6EE6998DE
?_Free@CMUILocale@@SAHPEAX@Z.WBEMCOMN ref: 00007FF6EE6AB304

Strings

__ClientPreferredLanguages, xrefs: 00007FF6EE699846

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Locale@@$Languages@PreferredVariant$ClearFree@Init
String ID: __ClientPreferredLanguages
API String ID: 2422115333-2977330997
Opcode ID: 6f93cda2942f151eaedac31c5242271109309bc5771efa59e48beb4076b91054
Instruction ID: ce1a81aafb1414ad848a51e8eba089d6c0d53b6836e4981bcb51784b218b717b
Opcode Fuzzy Hash: 6f93cda2942f151eaedac31c5242271109309bc5771efa59e48beb4076b91054
Instruction Fuzzy Hash: B841C623A08B8682EB009B15E4403797770FBA9BA0F528236EA5E83394DFBED444D705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BB990, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 62COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF6EE6BB9A7
VariantClear.OLEAUT32 ref: 00007FF6EE6BB9DF
VariantClear.OLEAUT32 ref: 00007FF6EE6BBA13

Strings

__GET_EXT_KEYS_ONLY, xrefs: 00007FF6EE6BBA5F
__GET_EXT_CLIENT_REQUEST, xrefs: 00007FF6EE6BB9F6, 00007FF6EE6BBA1F, 00007FF6EE6BBA45
__GET_EXTENSIONS, xrefs: 00007FF6EE6BB9BE, 00007FF6EE6BBA2B
__GET_EXT_PROPERTIES, xrefs: 00007FF6EE6BBA76

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Variant$Clear$Init
String ID: __GET_EXTENSIONS$__GET_EXT_CLIENT_REQUEST$__GET_EXT_KEYS_ONLY$__GET_EXT_PROPERTIES
API String ID: 3740757921-352387391
Opcode ID: cce55f2b1b314aa8b76d5c4f5252492b4a7399fad03d3c49524b8fbde8a306e6
Instruction ID: 0d1f27746b68e03842736283a723884e375b872d42ef988330e9a8c7d3aec53c
Opcode Fuzzy Hash: cce55f2b1b314aa8b76d5c4f5252492b4a7399fad03d3c49524b8fbde8a306e6
Instruction Fuzzy Hash: EE212167B24A0BC2EB00AF19D8547692760FF69F84BD75131E91D87724DFAED004DB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A00F0, Relevance: 12.3, APIs: 8, Instructions: 306COMMON

Download Yara Rule

APIs

?SetPreferredLanguages@CMUILocale@@SAJKPEBGPEAK@Z.WBEMCOMN ref: 00007FF6EE6A0275
?_Free@CMUILocale@@SAHPEAX@Z.WBEMCOMN ref: 00007FF6EE6A0289

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Locale@@$Free@Languages@Preferred
String ID:
API String ID: 314991416-0
Opcode ID: 44d050ba2db44fcdefed2c67fd314677c91c6c93517920e34569b568ea8da4d7
Instruction ID: 2917a845cce6b924b28bcc07abfdb77d859d81f0c6fcb7e2ba2849f3fb21bb1d
Opcode Fuzzy Hash: 44d050ba2db44fcdefed2c67fd314677c91c6c93517920e34569b568ea8da4d7
Instruction Fuzzy Hash: 2CD18F33E08B518AEB548F55E4447B83BA1FB58B88F514036EE0D93799CFBAD841D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A10C0, Relevance: 12.3, APIs: 8, Instructions: 294COMMON

Download Yara Rule

APIs

?SetPreferredLanguages@CMUILocale@@SAJKPEBGPEAK@Z.WBEMCOMN ref: 00007FF6EE6A123F
?_Free@CMUILocale@@SAHPEAX@Z.WBEMCOMN ref: 00007FF6EE6A1253

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Locale@@$Free@Languages@Preferred
String ID:
API String ID: 314991416-0
Opcode ID: 981f5c00646a2cec581503dd0f93660e6db7ef51936ae42243d40c68fd3145e3
Instruction ID: 5e483caef431b9adc43d8a0a7ce120760ce65f7baa0ccd0b6987524bba9a2e01
Opcode Fuzzy Hash: 981f5c00646a2cec581503dd0f93660e6db7ef51936ae42243d40c68fd3145e3
Instruction Fuzzy Hash: 64D1A273E086A286E7108B25D4007BC3BA1FB68B98F564531EE0D87B94CF7ED841E749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A07A0, Relevance: 12.3, APIs: 8, Instructions: 288COMMON

Download Yara Rule

APIs

?SetPreferredLanguages@CMUILocale@@SAJKPEBGPEAK@Z.WBEMCOMN ref: 00007FF6EE6A0933
?_Free@CMUILocale@@SAHPEAX@Z.WBEMCOMN ref: 00007FF6EE6A0947

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Locale@@$Free@Languages@Preferred
String ID:
API String ID: 314991416-0
Opcode ID: 3a8fa17648dc10cf8e70daee5ea723314f194b0c335b30220b8cdb3263b89141
Instruction ID: acf8a8b7b7518461017e5360ae2eb813a043f3d2849e8ec01ccaa1a4fc04ab86
Opcode Fuzzy Hash: 3a8fa17648dc10cf8e70daee5ea723314f194b0c335b30220b8cdb3263b89141
Instruction Fuzzy Hash: ECD19033F08A518AEB548F65D4407B837A0FB58788F524136EE4D83B98CFBAE815D749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6B2818, Relevance: 12.1, APIs: 8, Instructions: 112threadCOMMON

Download Yara Rule

APIs

?New@CWbemCallSecurity@@SAPEAV1@XZ.FASTPROX ref: 00007FF6EE6B288E
?AddRef@CWbemCallSecurity@@UEAAKXZ.FASTPROX ref: 00007FF6EE6B28A9
?GetThreadSecurity@CWbemCallSecurity@@UEAAJW4tag_WMI_THREAD_SECURITY_ORIGIN@@PEAPEAU_IWmiThreadSecHandle@@@Z.FASTPROX ref: 00007FF6EE6B28C9
?SetThreadSecurity@CWbemCallSecurity@@UEAAJPEAU_IWmiThreadSecHandle@@@Z.FASTPROX ref: 00007FF6EE6B28E4
?QueryInterface@CWbemCallSecurity@@UEAAJAEBU_GUID@@PEAPEAX@Z.FASTPROX ref: 00007FF6EE6B2903
?Release@CWbemCallSecurity@@UEAAKXZ.FASTPROX ref: 00007FF6EE6B2941
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6B2968
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6B2979

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CallSecurity@@Wbem$Thread$Handle@@@Security@$Interface@Log@@MemoryNew@ObjectQueryRef@Release@W4tag_Write@
String ID:
API String ID: 4067766105-0
Opcode ID: 9a3730f2b8dec10cd371938ded017e3c399ddac8d6ab94b803d61171a510583a
Instruction ID: 26dc7f1be130cf56bc7b42b74db9322a2b16ed4d97e9bce001170470cf1d3575
Opcode Fuzzy Hash: 9a3730f2b8dec10cd371938ded017e3c399ddac8d6ab94b803d61171a510583a
Instruction Fuzzy Hash: F7517E27A08B4686EB009F56E444378BBA0FB99F94F964131EE1D83364CFBED445D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6AB08F, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 211memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6EE6A135E
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE6A1399
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6A1495
VariantClear.OLEAUT32 ref: 00007FF6EE6AB0F7
VariantClear.OLEAUT32 ref: 00007FF6EE6AB12B

Strings

__GET_EXT_CLIENT_REQUEST, xrefs: 00007FF6EE6AB10E, 00007FF6EE6AB137

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: AllocClearVariant$CommitHeapObjectString
String ID: __GET_EXT_CLIENT_REQUEST
API String ID: 4148425054-2781797842
Opcode ID: bcac05a344e53ad4ceef163fc8969cbc4573e2cf06fb6769150e0fcf326c011f
Instruction ID: d4bce48798875888d712a424604c3379bdfba8163a74e903841d7b46550b4e6c
Opcode Fuzzy Hash: bcac05a344e53ad4ceef163fc8969cbc4573e2cf06fb6769150e0fcf326c011f
Instruction Fuzzy Hash: 30A18B37A09B8686DB518F25D8443A83BA0FB99F94F564132DE4D83320EFBED841D705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C07B4, Relevance: 9.2, APIs: 6, Instructions: 199COMMON

Download Yara Rule

APIs

WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6C084B
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6C0A20
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C0A3D
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C0A4E
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C0A95
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C0AAB

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Object$CommitLog@@MemoryWrite@
String ID:
API String ID: 4114940835-0
Opcode ID: 2c99aff10ec46ac91fbbb96e00b94ab9c317819813eaa8bd502ca308216ee1df
Instruction ID: 1139a2d18e40f4e6fff1babcd829f19d2ab37fd79ef40c497f7db59685c6802d
Opcode Fuzzy Hash: 2c99aff10ec46ac91fbbb96e00b94ab9c317819813eaa8bd502ca308216ee1df
Instruction Fuzzy Hash: 92A18A37A09B818AEB508F51E4403A977A4FB88B88F110136EE8C87B68DF7AD441D705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C9368, Relevance: 9.2, APIs: 6, Instructions: 187memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6EE6C93A2
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C93BA
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C93D0
SysAllocString.OLEAUT32 ref: 00007FF6EE6C941F
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C9609
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C961A

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: AllocLog@@MemoryObjectStringWrite@
String ID:
API String ID: 2684555511-0
Opcode ID: 788f6b69d235acf8708357cb7d0b5ba60219b38b931f8117cc341e7725cd56cc
Instruction ID: ea2ce80bedc3bea2f702075821f6c143cf508a0291a4f7d6abf9deebb00fc85f
Opcode Fuzzy Hash: 788f6b69d235acf8708357cb7d0b5ba60219b38b931f8117cc341e7725cd56cc
Instruction Fuzzy Hash: 6E81C233708B8286EB249B16E4403B97790FB68B84F124035EE4D87791DFBEE441E70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C1404, Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6C1493
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6C15D8
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C15E8
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C15F9
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C1640
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C1656

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Object$CommitLog@@MemoryWrite@
String ID:
API String ID: 4114940835-0
Opcode ID: 815967cda5116546826925d6346c0cd66273780f2d2343888630418cdb107ec8
Instruction ID: 6e74c6fa225115a353d8c1f8394bde5d4144f6466e553c52f756292da9645a1f
Opcode Fuzzy Hash: 815967cda5116546826925d6346c0cd66273780f2d2343888630418cdb107ec8
Instruction Fuzzy Hash: 9A71BC3B605B818ADB008F12E4443A93BB4FB98B88F660136EE4D87765CF7ED442D705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C16C8, Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6C1745
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6C1878
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C1888
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C1899
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C18E0
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C18F6

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Object$CommitLog@@MemoryWrite@
String ID:
API String ID: 4114940835-0
Opcode ID: db9ad04930285b553243c293cd12145595f214928d812a00b208a26575ecfe31
Instruction ID: a8f9f86032018893597cbb967316ae90a30c7929ee1708c8b233fa99c0cd1b67
Opcode Fuzzy Hash: db9ad04930285b553243c293cd12145595f214928d812a00b208a26575ecfe31
Instruction Fuzzy Hash: 0671BD37609B829ADB008F11E4443A93BB0FB98B98F664136EE4D8B764CF7ED442D745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C0B18, Relevance: 9.1, APIs: 6, Instructions: 148COMMON

Download Yara Rule

APIs

WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6C0B93
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6C0CC2
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C0CD2
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C0CE3
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C0D2A
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C0D40

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Object$CommitLog@@MemoryWrite@
String ID:
API String ID: 4114940835-0
Opcode ID: 62ee7cd588e01a84bd5f7cf72b355cd3cdbcbbb7a53bedb2e889662375be7e41
Instruction ID: 9192cdbf83a8e96b0b24980d1a740cabbdb0e0abda38668e8bcedc7ceb3b0986
Opcode Fuzzy Hash: 62ee7cd588e01a84bd5f7cf72b355cd3cdbcbbb7a53bedb2e889662375be7e41
Instruction Fuzzy Hash: 8171BD37605B818ADB408F15E4843A93BA4FB98B88F660132FE4D87728CF7EE442D745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C5930, Relevance: 9.1, APIs: 6, Instructions: 96synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6C59D0
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C59E3
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C59F9
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6C5A38
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C5A61
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C5A72

Part of subcall function 00007FF6EE6B51EC: EtwTraceMessage.NTDLL ref: 00007FF6EE6B5225

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Object$Log@@MemorySingleWaitWrite@$MessageTrace
String ID:
API String ID: 1897939771-0
Opcode ID: c64ea0a0f27fba676473c6bfda9af18f691fad1b1490c81571fb4de91cc0e725
Instruction ID: 40562f065c55d1443e348b2fa97d80c529a562946ed34eced5d9fc58bcae5b85
Opcode Fuzzy Hash: c64ea0a0f27fba676473c6bfda9af18f691fad1b1490c81571fb4de91cc0e725
Instruction Fuzzy Hash: B141D923B08E8286EB149B41D8443787B91FB94B4CFA65031EA0DC7395CFBFE845974A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6B44E8, Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6EE6B4511
SysAllocString.OLEAUT32 ref: 00007FF6EE6B4526
_CxxThrowException.MSVCRT ref: 00007FF6EE6B454B
SysFreeString.OLEAUT32 ref: 00007FF6EE6B455F
SysAllocString.OLEAUT32 ref: 00007FF6EE6B4574
_CxxThrowException.MSVCRT ref: 00007FF6EE6B4599

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$AllocExceptionFreeThrow
String ID:
API String ID: 929037355-0
Opcode ID: f15c8e607f52712143e6815d0f54941b9d40640eca7326c5dac5a90b4f2ecaaf
Instruction ID: 0ac7e2c882d9a620e7c278817f9c5d35e2e236ee72f75a748b2007a9fce3f8c5
Opcode Fuzzy Hash: f15c8e607f52712143e6815d0f54941b9d40640eca7326c5dac5a90b4f2ecaaf
Instruction Fuzzy Hash: 57214A73A19A4187EB44CF14E05037977A0FF68B48F194134EA1E82705EF7EE455D745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BEC94, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 214memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6EE6BECFE
SysFreeString.OLEAUT32 ref: 00007FF6EE6BEF4C
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BEF81
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BEF92

Strings

CreateClassEnumAsync, xrefs: 00007FF6EE6BEF28

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$AllocFreeLog@@MemoryObjectWrite@
String ID: CreateClassEnumAsync
API String ID: 2678036425-1192769357
Opcode ID: 914ce6173a95391daeefe2d5cf02f9d84f007b8d8f92727875eeb25e4753741c
Instruction ID: ac118ee4baa69551c94454bd70a3855a069036da168bfd7ff727273cdeacad43
Opcode Fuzzy Hash: 914ce6173a95391daeefe2d5cf02f9d84f007b8d8f92727875eeb25e4753741c
Instruction Fuzzy Hash: F5A1A037A18B4A82EB148B55E84036977A4FB58F90F124135FE1D837A4DFBEE445D309

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BF00C, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6EE6BF076
SysFreeString.OLEAUT32 ref: 00007FF6EE6BF2BD
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BF2E9
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BF2FA

Strings

DeleteClassAsync, xrefs: 00007FF6EE6BF299

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$AllocFreeLog@@MemoryObjectWrite@
String ID: DeleteClassAsync
API String ID: 2678036425-1059552648
Opcode ID: bf33a8664787e9ce858bd960fa1efffb44f2af2a7f7c5cad65aaf9fcaf212f4b
Instruction ID: a2c451d3a346959062b3ed2306e26fc2b5cf33eff67203b00a123d89fe79ab19
Opcode Fuzzy Hash: bf33a8664787e9ce858bd960fa1efffb44f2af2a7f7c5cad65aaf9fcaf212f4b
Instruction Fuzzy Hash: F1919F37A08B4686EB108B55D84436877A0FB69F94F164232EE1D837A8CFBEE444D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BF374, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6EE6BF3DE
SysFreeString.OLEAUT32 ref: 00007FF6EE6BF62B
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BF657
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BF668

Strings

DeleteInstanceAsync, xrefs: 00007FF6EE6BF607

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$AllocFreeLog@@MemoryObjectWrite@
String ID: DeleteInstanceAsync
API String ID: 2678036425-991506802
Opcode ID: a91dc0644f1b5f83f1c8b91cc6050f151764c7bd20ffd3fe5f5cb05ce361df39
Instruction ID: a51c6a25be94c28b9e1c0bede9eff92592f776e324659ed6f4c0c90561921bcc
Opcode Fuzzy Hash: a91dc0644f1b5f83f1c8b91cc6050f151764c7bd20ffd3fe5f5cb05ce361df39
Instruction Fuzzy Hash: 8E91BF27B08B4686DB108F15E84436977A4FB68F94F524231EE0D83764DFBEE444D30A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6AF324, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6AF45B
char_traits.LIBCPMT ref: 00007FF6EE6AF493
char_traits.LIBCPMT ref: 00007FF6EE6AF4B8
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6AF4FB

Strings

SOFTWARE\Classes\CLSID\%s\InprocServer32, xrefs: 00007FF6EE6AF418

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: char_traits$CloseOpen
String ID: SOFTWARE\Classes\CLSID\%s\InprocServer32
API String ID: 3362776682-450560693
Opcode ID: 29acf3eb0573ddf26fbda36ef0c8853dae8c41bdbe71e73077e6c589b71569d4
Instruction ID: 07146a08e516f0ac7f7e79ced8f161f6d10cffc34b3b3819fd9c53b0000c051f
Opcode Fuzzy Hash: 29acf3eb0573ddf26fbda36ef0c8853dae8c41bdbe71e73077e6c589b71569d4
Instruction Fuzzy Hash: 8F518233A58B8681EB109F15E4403A97760FBA9B90F524232FE8D837A5CF7EE405D706

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6AF4CE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6AF45B
char_traits.LIBCPMT ref: 00007FF6EE6AF493
char_traits.LIBCPMT ref: 00007FF6EE6AF4B8
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6AF4FB

Strings

SOFTWARE\Classes\CLSID\%s\InprocServer32, xrefs: 00007FF6EE6AF418

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: char_traits$CloseOpen
String ID: SOFTWARE\Classes\CLSID\%s\InprocServer32
API String ID: 3362776682-450560693
Opcode ID: 17d41ade73b41a8a74fcaf6e51cebeac4352bdb9556afd2bfed58afa0467aa0c
Instruction ID: e2e4f95f3b2fd54897298d438bc3a290f774cc280af6540656f451ec5050b84a
Opcode Fuzzy Hash: 17d41ade73b41a8a74fcaf6e51cebeac4352bdb9556afd2bfed58afa0467aa0c
Instruction Fuzzy Hash: D3418323A5CB8681EB509B11E4403B9A760FFA5B80F515136FE4D837AADFBEE404D706

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE693CDC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EE694C00: SysAllocStringLen.OLEAUT32 ref: 00007FF6EE694C62

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE693D4C
SysFreeString.OLEAUT32 ref: 00007FF6EE693DD5

Part of subcall function 00007FF6EE69517C: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6951ED

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE693DB5
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE693DC5

Part of subcall function 00007FF6EE694D54: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE694DBC

Strings

InProcServer32, xrefs: 00007FF6EE693CF3

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: QueryValue$String$AllocCloseFreeOpen
String ID: InProcServer32
API String ID: 3901537117-1075336519
Opcode ID: 30908204a4333dc8729670f87b3c2b915aa414cde3c108a553ee345983fe658a
Instruction ID: d861baab5af9ca60858d9778d9f472d6e5b23a19f3af230d476e9aabb28108d8
Opcode Fuzzy Hash: 30908204a4333dc8729670f87b3c2b915aa414cde3c108a553ee345983fe658a
Instruction Fuzzy Hash: EC31AC76B04B418AEB109F65E8403AD7BA0FB88788F415231EE5D83B59DFBAD154CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE693DFC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EE694C00: SysAllocStringLen.OLEAUT32 ref: 00007FF6EE694C62

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE693E64
SysFreeString.OLEAUT32 ref: 00007FF6EE693E7D
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A690F
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6A6920

Strings

LocalServer32, xrefs: 00007FF6EE693E0C

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$AllocCloseFreeOpenQueryValue
String ID: LocalServer32
API String ID: 3575068234-1789907217
Opcode ID: 468aa7a1cc40b3be54658a8c4271c35bed7547b43f7f0357f6ca78d20b078a09
Instruction ID: aac236c658f9dfe6477c3716386bd2f1e01602ca50b3cc23d4dc02ddd75651e6
Opcode Fuzzy Hash: 468aa7a1cc40b3be54658a8c4271c35bed7547b43f7f0357f6ca78d20b078a09
Instruction Fuzzy Hash: 1D219F33618B8186E7408F24F4407AABBA0F789784F459231FA8E83B59CF7DD044CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6B1CF0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EE6B1DC0: GetMemLogObject.WBEMCOMN(?,?,?,?,00000001,00007FF6EE6B1CFB,?,?,?,?,?,?,00000001,00007FF6EE6AC93D), ref: 00007FF6EE6B1DFA
Part of subcall function 00007FF6EE6B1DC0: ?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN(?,?,?,?,00000001,00007FF6EE6B1CFB,?,?,?,?,?,?,00000001,00007FF6EE6AC93D), ref: 00007FF6EE6B1E0B

Part of subcall function 00007FF6EE6B1E60: GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF6EE6B1ECE

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6B1D5C
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6B1D6D

Strings

Microsoft WMI Provider Subsystem Secured Host, xrefs: 00007FF6EE6B1D3A
Microsoft WMI Provider Subsystem Host, xrefs: 00007FF6EE6B1D07
-secured, xrefs: 00007FF6EE6B1D2B

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@$FileModuleName
String ID: -secured$Microsoft WMI Provider Subsystem Host$Microsoft WMI Provider Subsystem Secured Host
API String ID: 3559867509-268285720
Opcode ID: cbb24e1e2d1be36817a5d8481ba71177f6808da234c0d9390555971857b2a8f6
Instruction ID: 0dd66986fd2bf4fff238d404653f1690aa81b6651f44746efa37eb8849f43ce4
Opcode Fuzzy Hash: cbb24e1e2d1be36817a5d8481ba71177f6808da234c0d9390555971857b2a8f6
Instruction Fuzzy Hash: 5C11D563D18B8691E7009B14D4407F52770FF68348F911231F98DC22A9DFBEE245D74A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A1700, Relevance: 7.7, APIs: 5, Instructions: 234memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE6A17EC
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6A187B
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6A1997

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: AllocCommitCriticalHeapLeaveObjectSection
String ID:
API String ID: 3139073153-0
Opcode ID: a2e0228be2a5fc1cc3770ef0a7a9ccb78e03be7365dd7c633c897a387a4e60ac
Instruction ID: b5b44db683b9f46cc1a259927bef74f299847eed5936705f7fcb2c29710ffa85
Opcode Fuzzy Hash: a2e0228be2a5fc1cc3770ef0a7a9ccb78e03be7365dd7c633c897a387a4e60ac
Instruction Fuzzy Hash: C3B1CF37A08B8286EA609F11E4403B977A0FB98B94F554136EF8D83795CFBEE440D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6D0848, Relevance: 7.7, APIs: 5, Instructions: 169COMMON

Download Yara Rule

APIs

SafeArrayGetDim.OLEAUT32 ref: 00007FF6EE6D0880
SafeArrayGetLBound.OLEAUT32 ref: 00007FF6EE6D08A0
SafeArrayGetUBound.OLEAUT32 ref: 00007FF6EE6D08B5

Part of subcall function 00007FF6EE6D1C50: _CxxThrowException.MSVCRT ref: 00007FF6EE6D1C87
Part of subcall function 00007FF6EE6D1C50: _CxxThrowException.MSVCRT ref: 00007FF6EE6D1CAB

Part of subcall function 00007FF6EE6D1C08: _CxxThrowException.MSVCRT ref: 00007FF6EE6D1C39

Part of subcall function 00007FF6EE698440: RtlAllocateHeap.NTDLL(?,?,00000001,00007FF6EE697D16), ref: 00007FF6EE698462

SafeArrayGetElement.OLEAUT32 ref: 00007FF6EE6D0939
SysFreeString.OLEAUT32 ref: 00007FF6EE6D0A04

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: ArraySafe$ExceptionThrow$Bound$AllocateElementFreeHeapString
String ID:
API String ID: 2782141072-0
Opcode ID: a6274680ac7c826ef8a7f438ce81a426cfd96eba8f9a7fb1c4ccac3d89416ed8
Instruction ID: 761c0cc10a377917b8d0b71be5b02aea06d380f3b14906b8516b0a59ea19b3a4
Opcode Fuzzy Hash: a6274680ac7c826ef8a7f438ce81a426cfd96eba8f9a7fb1c4ccac3d89416ed8
Instruction Fuzzy Hash: 4B718B37B04A128AEB00DF65D4806AC37B1FB58B98FA64131EE0D93758DFBAD845DB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6AFA94, Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6AFAD8
_itow.MSVCRT ref: 00007FF6EE6AFAF2
_itow.MSVCRT ref: 00007FF6EE6AFB0A
_itow.MSVCRT ref: 00007FF6EE6AFB22
EventWrite.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF6EE6AFC05

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: _itow$CurrentEventProcessWrite
String ID:
API String ID: 1710260688-0
Opcode ID: c2c806ffa203979300d4b8677ba4fa662c067851a353b9c2c78873bb6e61951f
Instruction ID: 42e571333bca33b3597e9abe73dcba55251115e910ae8d13db23b966cee37608
Opcode Fuzzy Hash: c2c806ffa203979300d4b8677ba4fa662c067851a353b9c2c78873bb6e61951f
Instruction Fuzzy Hash: 8841AF33A04B958AE710DF69E8442ADBBB0F798754F414236EA4D837A4EF79D144CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6CFDC4, Relevance: 7.6, APIs: 5, Instructions: 77threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6CFDED
OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6CFE09

Part of subcall function 00007FF6EE6CF708: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF753
Part of subcall function 00007FF6EE6CF708: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF767
Part of subcall function 00007FF6EE6CF708: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF7A7
Part of subcall function 00007FF6EE6CF708: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF7BA
Part of subcall function 00007FF6EE6CF708: memmove.MSVCRT(?,?,?,00000000,00000020), ref: 00007FF6EE6CF7E3

GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6CFE32
OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6CFE4A
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EE6CFED4

Part of subcall function 00007FF6EE6CF4B8: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF503
Part of subcall function 00007FF6EE6CF4B8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF517
Part of subcall function 00007FF6EE6CF4B8: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF557
Part of subcall function 00007FF6EE6CF4B8: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF56A
Part of subcall function 00007FF6EE6CF4B8: memmove.MSVCRT(?,?,?,00000000,00000020), ref: 00007FF6EE6CF593

Part of subcall function 00007FF6EE6CE9E8: MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEA9E
Part of subcall function 00007FF6EE6CE9E8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6CEAB2
Part of subcall function 00007FF6EE6CE9E8: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEACA
Part of subcall function 00007FF6EE6CE9E8: InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6CEB5C

Part of subcall function 00007FF6EE694A40: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE694A6A

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Token$Information$ErrorLastLength$CurrentOpenProcessThreadmemmove$AbsoluteCloseDescriptorFreeHandleHeapInitializeMakeSecurity
String ID:
API String ID: 2044367899-0
Opcode ID: 54d943f914f2c009aaafbd5cb2ee283b67a1a13d10a8a6774a74cafa9f01d686
Instruction ID: 1c776a7c2070d502da387b4d2b5465edb3a1b7f260e87b3b4eb6c87a708158dd
Opcode Fuzzy Hash: 54d943f914f2c009aaafbd5cb2ee283b67a1a13d10a8a6774a74cafa9f01d686
Instruction Fuzzy Hash: A0315E33B04A469AEB009F61D4443FC2BA0FB59B89F415131FA0E8B745DFBAD489D74A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6CF708, Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF753
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF767

Part of subcall function 00007FF6EE698440: RtlAllocateHeap.NTDLL(?,?,00000001,00007FF6EE697D16), ref: 00007FF6EE698462

GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF7A7
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF7BA
memmove.MSVCRT(?,?,?,00000000,00000020), ref: 00007FF6EE6CF7E3

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: InformationToken$AllocateErrorHeapLastLengthmemmove
String ID:
API String ID: 3400817826-0
Opcode ID: 6e25c720302c5f9004fa330389e28d3bf97986e9dc598e71dc1d40826a534365
Instruction ID: fb2b5bab171758769d0fb642bcdf446a2b19a0c65d02f6d37cc76fe0758ca9e9
Opcode Fuzzy Hash: 6e25c720302c5f9004fa330389e28d3bf97986e9dc598e71dc1d40826a534365
Instruction Fuzzy Hash: 2731A437B0A78286EB508B11A440379ABE0FF98B94F528134EE0D8B745DFFEE4409709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6CF4B8, Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF503
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF517

Part of subcall function 00007FF6EE698440: RtlAllocateHeap.NTDLL(?,?,00000001,00007FF6EE697D16), ref: 00007FF6EE698462

GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF557
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,00000000,00000020), ref: 00007FF6EE6CF56A
memmove.MSVCRT(?,?,?,00000000,00000020), ref: 00007FF6EE6CF593

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: InformationToken$AllocateErrorHeapLastLengthmemmove
String ID:
API String ID: 3400817826-0
Opcode ID: 04160e9d5f0925990a4e7652c0b3491b054e5ffbde9a94aaab3af255483f5e06
Instruction ID: 4c77e80aa7ae60977e595defb2865fa8025b4db8374f874ec163ce17bda0d6dc
Opcode Fuzzy Hash: 04160e9d5f0925990a4e7652c0b3491b054e5ffbde9a94aaab3af255483f5e06
Instruction Fuzzy Hash: 1C316123B0874287EA508F11A440379ABD1FFA8B85F468534EA0D8B746DFBEE4519709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6B29D8, Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

SetThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE6B2A0C
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EE6B2A42

Part of subcall function 00007FF6EE6B2818: ?New@CWbemCallSecurity@@SAPEAV1@XZ.FASTPROX ref: 00007FF6EE6B288E
Part of subcall function 00007FF6EE6B2818: ?AddRef@CWbemCallSecurity@@UEAAKXZ.FASTPROX ref: 00007FF6EE6B28A9
Part of subcall function 00007FF6EE6B2818: ?GetThreadSecurity@CWbemCallSecurity@@UEAAJW4tag_WMI_THREAD_SECURITY_ORIGIN@@PEAPEAU_IWmiThreadSecHandle@@@Z.FASTPROX ref: 00007FF6EE6B28C9
Part of subcall function 00007FF6EE6B2818: ?SetThreadSecurity@CWbemCallSecurity@@UEAAJPEAU_IWmiThreadSecHandle@@@Z.FASTPROX ref: 00007FF6EE6B28E4
Part of subcall function 00007FF6EE6B2818: ?QueryInterface@CWbemCallSecurity@@UEAAJAEBU_GUID@@PEAPEAX@Z.FASTPROX ref: 00007FF6EE6B2903
Part of subcall function 00007FF6EE6B2818: ?Release@CWbemCallSecurity@@UEAAKXZ.FASTPROX ref: 00007FF6EE6B2941
Part of subcall function 00007FF6EE6B2818: GetMemLogObject.WBEMCOMN ref: 00007FF6EE6B2968
Part of subcall function 00007FF6EE6B2818: ?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6B2979

RevertToSelf.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE6B2A2C
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6B2A52
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6B2A63

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CallSecurity@@Wbem$Thread$Handle@@@Log@@MemoryObjectSecurity@Write@$CloseHandleInterface@New@QueryRef@Release@RevertSelfTokenW4tag_
String ID:
API String ID: 1192238532-0
Opcode ID: 3ae73fbb3e58bdca401a35a3749b955422922a0fc1110c9842808d53282ec410
Instruction ID: c6b692bbbb48a444f9f61982b4ff3549d12ff1f97910e6abfbeb7bf9c4b4a045
Opcode Fuzzy Hash: 3ae73fbb3e58bdca401a35a3749b955422922a0fc1110c9842808d53282ec410
Instruction Fuzzy Hash: 0121B222A08B8186EB145F11A4443787BA1FBA9F84F569035FE0E83759CFBEE8419709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE698834, Relevance: 7.6, APIs: 5, Instructions: 56threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE698844
OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EE698863
GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0 ref: 00007FF6EE69889C
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EE6988AF
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EE6A9C24

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: ThreadToken$CloseCurrentErrorHandleInformationLastOpen
String ID:
API String ID: 1364139418-0
Opcode ID: a31c0bc1aa53b0a9607fad20e53c2ef41cc794bb3fdc3fc28ba85568d9e48ee6
Instruction ID: 8a962435f466d1166e8e87e94be2d236e2b970741df8fe5dcafdc80758b067d8
Opcode Fuzzy Hash: a31c0bc1aa53b0a9607fad20e53c2ef41cc794bb3fdc3fc28ba85568d9e48ee6
Instruction Fuzzy Hash: B521B037A08A8287E7109B14E00437DB7B0FB99721F664635EB4E83644DFBEE818DB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6B1A14, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B1B26
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B1B69
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE6B1B7E

Strings

?, xrefs: 00007FF6EE6B1B10

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CloseCreateValue
String ID: ?
API String ID: 1818849710-1684325040
Opcode ID: 63ef8a6b0bff02c34b0014a29d1129975237a091ab5aa8fbd785978a58773ae8
Instruction ID: ca855f9abc05b246308e294bd70662924e9730c4b7b794f307b31a96a7f4f38c
Opcode Fuzzy Hash: 63ef8a6b0bff02c34b0014a29d1129975237a091ab5aa8fbd785978a58773ae8
Instruction Fuzzy Hash: DE41C433A0878596EA208F11E4147BA73A0FBA4B90F554231FE4D83798DFBDE504D704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE693B40, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44registrymemoryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EE693B9D
SysFreeString.OLEAUT32 ref: 00007FF6EE6A683B
SysAllocString.OLEAUT32 ref: 00007FF6EE6A684C

Strings

AppId, xrefs: 00007FF6EE693B93

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$AllocFreeQueryValue
String ID: AppId
API String ID: 106098572-4145749797
Opcode ID: 45f5ca1bf6ebd63fbf83d86286dc755a5d887a80e2d2f9541f6b239f58b0afde
Instruction ID: 343a9b357727e17c5fc11e02c56c8f708630e28b39889c5c56a516da57a9504c
Opcode Fuzzy Hash: 45f5ca1bf6ebd63fbf83d86286dc755a5d887a80e2d2f9541f6b239f58b0afde
Instruction Fuzzy Hash: 6B118232619A8186EB508F10F49437AB7A0FB98B44F955135EA8E83B44DF7DD018DB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE693844, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6EE693878

Strings

DefaultLocalSystemHost, xrefs: 00007FF6EE6938AE
DefaultNetworkServiceHost, xrefs: 00007FF6EE693871
DefaultLocalServiceHost, xrefs: 00007FF6EE6938A5

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: AllocString
String ID: DefaultLocalServiceHost$DefaultLocalSystemHost$DefaultNetworkServiceHost
API String ID: 2525500382-1257024311
Opcode ID: 1945fbb44870ce32ba293760b83dc0664e50085646f0ddb8a81a280794e106c0
Instruction ID: cd0b2cca36acb83adf83750312d93610f1c0a2329aacb6e93a25582a5f191da3
Opcode Fuzzy Hash: 1945fbb44870ce32ba293760b83dc0664e50085646f0ddb8a81a280794e106c0
Instruction Fuzzy Hash: 90014822E4854295FA684B0CA6D137C2360EF79360B664039F20FC19B0CE9FE845A20F

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C7BD0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

?Init@CPublishWMIOperationEvent@@SAJXZ.WBEMCOMN(?,?,?,?,00000001,00007FF6EE6C7A7F), ref: 00007FF6EE6C7BF1
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,00000001,00007FF6EE6C7A7F), ref: 00007FF6EE6C7C1C
?PublishProviderStarted@CPublishWMIOperationEvent@@SAJPEAGJ0K0@Z.WBEMCOMN(?,?,?,?,00000001,00007FF6EE6C7A7F), ref: 00007FF6EE6C7C3C

Strings

wmiprvse.exe, xrefs: 00007FF6EE6C7C28

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Publish$Event@@Operation$CurrentInit@ProcessProviderStarted@
String ID: wmiprvse.exe
API String ID: 1806684630-74504709
Opcode ID: c8a05661b24f71906888f126ff5b315d75aab4d765c054f1a6dd361c2fa26a37
Instruction ID: b7c6e6d937b9e0c719fbf196847a1fc135135ed038616ce52151e15c62e9a987
Opcode Fuzzy Hash: c8a05661b24f71906888f126ff5b315d75aab4d765c054f1a6dd361c2fa26a37
Instruction Fuzzy Hash: 21014C37608B82CBD7109F21F400169BBB0F799B95F9A4231EA4D87618CF7AE454DB89

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE695C10, Relevance: 6.4, APIs: 4, Instructions: 433COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE695CCC
InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE695E9A

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID:
API String ID: 2593887523-0
Opcode ID: 103e698838d4783133e8ab57ed6fc67efa90a96f92c0a0c115118dd03acd5bd0
Instruction ID: d952b325e8d76916eb4cfddc40f352151276f8bc5a552ec66160de9251402633
Opcode Fuzzy Hash: 103e698838d4783133e8ab57ed6fc67efa90a96f92c0a0c115118dd03acd5bd0
Instruction Fuzzy Hash: 6A32A537A08B8691EB198F14E8443A833A4FB14744FA64136DB5CC3360DFBEE565E34A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69806C, Relevance: 6.3, APIs: 4, Instructions: 298synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EE698440: RtlAllocateHeap.NTDLL(?,?,00000001,00007FF6EE697D16), ref: 00007FF6EE698462

Part of subcall function 00007FF6EE695C10: InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE695CCC

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6982F9
SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6EE6983D4

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: AllocateCountCriticalEventHeapInitializeObjectSectionSingleSpinWait
String ID:
API String ID: 2274017952-0
Opcode ID: 5972031a824bd58df97bc30504874612a3bb94a0eaec471de29083395307b6b1
Instruction ID: 2897cde27db4c53d79f550f72106bf7f0a39db711b52031bf69b5bafc1e6c7c7
Opcode Fuzzy Hash: 5972031a824bd58df97bc30504874612a3bb94a0eaec471de29083395307b6b1
Instruction Fuzzy Hash: 98D19E23B08B4685EB10CB55E8403A837B0FB68B98F524135EE4D937A4DFBEE455E349

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A921A, Relevance: 6.3, APIs: 4, Instructions: 269synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6A92D2
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6A9357
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6A93C6

Part of subcall function 00007FF6EE6B11F0: EtwTraceMessage.NTDLL ref: 00007FF6EE6B1219

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Object$Commit$MessageSingleTraceWait
String ID:
API String ID: 863467152-0
Opcode ID: 085e2b40ce4db8a582ba844f9fe6aaa482a3c231ea880c274a24ff9105fdfffe
Instruction ID: ba0150da16d229c37714d34e4bfebff549aabe24ddea2d9162fd12ded0e199aa
Opcode Fuzzy Hash: 085e2b40ce4db8a582ba844f9fe6aaa482a3c231ea880c274a24ff9105fdfffe
Instruction Fuzzy Hash: 8FD16037A08B8586DB20CF15E4403AAB7A1FB99B94F524136EA8D83764CF7EE444DB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A9136, Relevance: 6.3, APIs: 4, Instructions: 256synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE697AF0
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6A92D2
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6A9357
WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6A93C6

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Object$CommitSingleWait
String ID:
API String ID: 4292635895-0
Opcode ID: 68c7015d70dcf6a8a9ac2df2c902623aaa7a99c3e1312ae9217d4cc73a4659f0
Instruction ID: ba9eff92a1fd97bc197ef8f65c4edf63d7e814cfd9aa1d5552fa70800e6c32d1
Opcode Fuzzy Hash: 68c7015d70dcf6a8a9ac2df2c902623aaa7a99c3e1312ae9217d4cc73a4659f0
Instruction Fuzzy Hash: 70C18F37A08B8586DB20CF25F4403AAB7A1FB99B94F524135EA8D83764CF7EE444DB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C9020, Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C9296
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C92A7
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C92DC
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C92F2

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID:
API String ID: 1886302522-0
Opcode ID: 35bbbf6fdbc0fc93a11726737f5210e78b3b9eb4ceb6b5381b84e71a279d6954
Instruction ID: 7d9a7d7f35d27cc5c103e541f81b240edf9823c07e83bf33fefcdb3d3799573b
Opcode Fuzzy Hash: 35bbbf6fdbc0fc93a11726737f5210e78b3b9eb4ceb6b5381b84e71a279d6954
Instruction Fuzzy Hash: B6A19037B04B4686EF009B25D8447A83BA0FB68B98F524131EE0D97794CFBEE445D349

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE695450, Relevance: 6.2, APIs: 4, Instructions: 204COMMON

Download Yara Rule

APIs

WmiSetAndCommitObject.NCOBJAPI ref: 00007FF6EE6955B4

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CommitObject
String ID:
API String ID: 3211880563-0
Opcode ID: f732a343c48e7b11243f61ded7714248e099107d70f59c62a0df40da8f7503fa
Instruction ID: d0e5d4668acfc76ec89f6553073ccbe77f4e417879253016f6aa247743b35ac9
Opcode Fuzzy Hash: f732a343c48e7b11243f61ded7714248e099107d70f59c62a0df40da8f7503fa
Instruction Fuzzy Hash: D591DF33A08B9296E7248F14E4403B977A0FB99748F620035FB4D87A54DFBEE455EB09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C03A4, Relevance: 6.2, APIs: 4, Instructions: 196memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6EE6C04F2

Part of subcall function 00007FF6EE6BB990: VariantInit.OLEAUT32 ref: 00007FF6EE6BB9A7
Part of subcall function 00007FF6EE6BB990: VariantClear.OLEAUT32 ref: 00007FF6EE6BB9DF
Part of subcall function 00007FF6EE6BB990: VariantClear.OLEAUT32 ref: 00007FF6EE6BBA13

SysFreeString.OLEAUT32 ref: 00007FF6EE6C05E0
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C0652
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C0663

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Variant$ClearString$AllocFreeInitLog@@MemoryObjectWrite@
String ID:
API String ID: 1320563993-0
Opcode ID: b0803d70df9f59eb6b0daff46c6f25258699d94609ce6ec8d3822e052b348449
Instruction ID: a2fef137aa52d8d8a84e1956a6a7e7dd7a2484ec66c76216bc047954b92a1988
Opcode Fuzzy Hash: b0803d70df9f59eb6b0daff46c6f25258699d94609ce6ec8d3822e052b348449
Instruction Fuzzy Hash: 2291AC26708B8682EF548F16E84476977A0FB98F94F524132EE5E83364CF7ED844E309

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C0DAC, Relevance: 6.2, APIs: 4, Instructions: 185COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C0FD6
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C0FE7
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C101C
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C1032

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID:
API String ID: 1886302522-0
Opcode ID: 5e32123197f6e530974f3510dce1545b72dc838ecea19686561a075dfb4d6fe1
Instruction ID: 28b8b62842163f85f6e227cbc58d24912a9df0ed90a8587449895830e68dc9f0
Opcode Fuzzy Hash: 5e32123197f6e530974f3510dce1545b72dc838ecea19686561a075dfb4d6fe1
Instruction Fuzzy Hash: 7C819A37B08B4689EB009F21D4403A937A4FB68B84F524136EE1D877A4CFBEE455D349

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE697650, Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7d2f9f4a68e732c691666ae4fd9053836372c8aa7ac14c8b7ace85bec2e9be
Instruction ID: 29433c67a3e8b905bb24848ff5089f2ce77f66c4209dea36ecc33d423ab4b378
Opcode Fuzzy Hash: bf7d2f9f4a68e732c691666ae4fd9053836372c8aa7ac14c8b7ace85bec2e9be
Instruction Fuzzy Hash: B9619273A08B4285EB108F14E44437837A0FB64B58F664135EA0D8B3A5DFBEE405E74A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BC6B0, Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BC7A9
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BC7BA
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BC85D
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BC86E

Part of subcall function 00007FF6EE6B4E10: EtwTraceMessage.NTDLL ref: 00007FF6EE6B4E9E

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@$MessageTrace
String ID:
API String ID: 1039912245-0
Opcode ID: eab87c3bad040ad802c281fef4e361afbb57e457ddf1b92fb592e04907438328
Instruction ID: 303dd756b8ad0753de92587632a786f6d9909ce484eff1cdd8ff4f118dd194fe
Opcode Fuzzy Hash: eab87c3bad040ad802c281fef4e361afbb57e457ddf1b92fb592e04907438328
Instruction Fuzzy Hash: 2D519C23F04B8185EB008B55E4407A83BA0FB58B98F520136FE1D937A9DFBED946D749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BCF80, Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BD079
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BD08A
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BD124
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BD135

Part of subcall function 00007FF6EE6B4E10: EtwTraceMessage.NTDLL ref: 00007FF6EE6B4E9E

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@$MessageTrace
String ID:
API String ID: 1039912245-0
Opcode ID: f4bda622b49ff7b567f0ba347fa6ace6c08819afad384714299f307bfe04f714
Instruction ID: fd0cae2f8bb5ed8f15351a316867184f05c11ea770f0d579aff9a0514208e310
Opcode Fuzzy Hash: f4bda622b49ff7b567f0ba347fa6ace6c08819afad384714299f307bfe04f714
Instruction Fuzzy Hash: 00519B23E04B8195EB008B51E8447E937A0FB58788F510136FE1D937A8DF7AD846D749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C4980, Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C4A79
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C4A8A
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C4B24
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C4B35

Part of subcall function 00007FF6EE6B5240: EtwTraceMessage.NTDLL ref: 00007FF6EE6B5293

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@$MessageTrace
String ID:
API String ID: 1039912245-0
Opcode ID: c311cc8ec44482173f8d08097f57f27c6aaf5cf7db08d842f1c4f08fdc9c6452
Instruction ID: ecdfd3590d09d3625eb8ab0c570bef366372437af773d9677aae46d681e6afff
Opcode Fuzzy Hash: c311cc8ec44482173f8d08097f57f27c6aaf5cf7db08d842f1c4f08fdc9c6452
Instruction Fuzzy Hash: 7451BE23B08B8185EB10CB51E8447A937A0FB58788F520136FE0D877A8DF7ED846D749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BD220, Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BD319
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BD32A
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BD3C4
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BD3D5

Part of subcall function 00007FF6EE6B4E10: EtwTraceMessage.NTDLL ref: 00007FF6EE6B4E9E

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@$MessageTrace
String ID:
API String ID: 1039912245-0
Opcode ID: 87606d565abb5e6a61d5d1776bba3100824d694806c2794bd5bb397a515d5732
Instruction ID: ece304eef80288659118ca6a3aefd5b671eb6bb8c55b1a04bf6e26cff6b98645
Opcode Fuzzy Hash: 87606d565abb5e6a61d5d1776bba3100824d694806c2794bd5bb397a515d5732
Instruction Fuzzy Hash: 03516B23A08B8195EB008B51E8447ED3BA0FB58B98F510136FE0D877A9DF7ED846D745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C9860, Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C9989
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C999A
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C99CF
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C99E5

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID:
API String ID: 1886302522-0
Opcode ID: d1581bb2d07d681c703d765d1fd79811265a85ddaf34115b547db56586f6fdc6
Instruction ID: 6c6a28c278b7d6e091a02681548d521d279e78cde55788a3cf52d04c5fed83af
Opcode Fuzzy Hash: d1581bb2d07d681c703d765d1fd79811265a85ddaf34115b547db56586f6fdc6
Instruction Fuzzy Hash: 2851E523B14B4286EF00DB62D4447B82BA1FB58B88F524032EE0D97765CFBED446D74A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6CB430, Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6CB56B
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6CB57C
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6CB5B1
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6CB5C7

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID:
API String ID: 1886302522-0
Opcode ID: c369cc625ac875f3ecfe1ada6e639a2f348d7cfdbf1d3c3eb36365db132ff09c
Instruction ID: 7933a7af4e3f973c4583d7ee7ebdfc9a368ee2a0973e49b6afbf2947d121a9d5
Opcode Fuzzy Hash: c369cc625ac875f3ecfe1ada6e639a2f348d7cfdbf1d3c3eb36365db132ff09c
Instruction Fuzzy Hash: 05519623B04B828AEB009F21D4443B82BA0FB58B88FA24531EE0DC7795DFBED445D749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BCB60, Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BCC97
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BCCA8
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BCCDD
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BCCF3

Part of subcall function 00007FF6EE6C5D0C: EtwTraceMessage.NTDLL ref: 00007FF6EE6C5D7A

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@$MessageTrace
String ID:
API String ID: 1039912245-0
Opcode ID: 120453ed8565f9170379614e1c23dc1fa0df144c57dd4348117b4b7b8c593000
Instruction ID: 4f4a2440ee953e377996a679d1ae76e6bfa271a3ac4ed348383f0751a2e9fbb3
Opcode Fuzzy Hash: 120453ed8565f9170379614e1c23dc1fa0df144c57dd4348117b4b7b8c593000
Instruction Fuzzy Hash: 1051E537A08B8185EB108F01E4443A97BA0FB98B98F664035FE4D83768CFBED945D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BC960, Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BCA97
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BCAA8
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BCADD
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BCAF3

Part of subcall function 00007FF6EE6C5BC8: EtwTraceMessage.NTDLL ref: 00007FF6EE6C5C85

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@$MessageTrace
String ID:
API String ID: 1039912245-0
Opcode ID: c87b8af0dccdcf6436963b262aacb2411b31c331e2a5da98012570fa9dc51990
Instruction ID: 51b29870f6d4a8b383285baf1a986c2a5403d86a7cc72e7157da88e8b6e09586
Opcode Fuzzy Hash: c87b8af0dccdcf6436963b262aacb2411b31c331e2a5da98012570fa9dc51990
Instruction Fuzzy Hash: 2351B233A08B8185EB108F01E4443A97BA0FB98B98F664135FE4D83768CFBED945D749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C5330, Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C5437
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C5448
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C547D
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C5493

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID:
API String ID: 1886302522-0
Opcode ID: a59ea228039d7c57f5712d4268c7cf3f08d321d9601c8235f5e6601fc8803a69
Instruction ID: a866c3031b62016aaf8d48ccd0988e1460c72b2a21272bfcffcb369965b8a4ce
Opcode Fuzzy Hash: a59ea228039d7c57f5712d4268c7cf3f08d321d9601c8235f5e6601fc8803a69
Instruction Fuzzy Hash: 92519233704F8299EB008F25D8443A83BA0FB58B58F524135EE0D8B7A5DF7AD906D349

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C1964, Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C1A5F
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C1A70
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C1AA5
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C1ABB

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID:
API String ID: 1886302522-0
Opcode ID: 32a1ed84f5ff6cbdc2a317871747e08a171478058c974250e4bec75c059b9008
Instruction ID: a72d495b287d884903b355aaa80cff1e4c510412cb47c60313b2341df863ea22
Opcode Fuzzy Hash: 32a1ed84f5ff6cbdc2a317871747e08a171478058c974250e4bec75c059b9008
Instruction Fuzzy Hash: EF518D37708B8299EB008F25D4443A83BB4FB59B48F524136EE0D87765DFBAE906D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C10AC, Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C119B
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C11AC
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C11E1
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C11F7

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID:
API String ID: 1886302522-0
Opcode ID: 36f3afe447136b35d089f693db5f1fd95007cb702d5374ba03df116596bdf58a
Instruction ID: fb0cbe2809c4c1fe977b857769c1056832a4f936a0fdbc970367a589771ae074
Opcode Fuzzy Hash: 36f3afe447136b35d089f693db5f1fd95007cb702d5374ba03df116596bdf58a
Instruction Fuzzy Hash: 91519D3B704A8189EB008F21D4487A837B4FB59B88F924136EE0C87765DF7ED946D345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C1264, Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C133B
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C134C
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C1381
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C1397

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID:
API String ID: 1886302522-0
Opcode ID: 9a7fdebb5e505ab30a9a369da8f58cf5266b4c208e3af23792f22d0cef4c584a
Instruction ID: 6371411b20ed25d8044f296156651fad5b32ea85a2cac270df40739f908b0d92
Opcode Fuzzy Hash: 9a7fdebb5e505ab30a9a369da8f58cf5266b4c208e3af23792f22d0cef4c584a
Instruction Fuzzy Hash: 3241BF37704B8189EB009F22D4443A837B4FB68B88F924136EE0C87B65DFBAD806D345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C4DC0, Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C4EC0
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C4ED1
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C4EFF
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C4F15

Part of subcall function 00007FF6EE6B4EB8: EtwTraceMessage.NTDLL ref: 00007FF6EE6B4FF4

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@$MessageTrace
String ID:
API String ID: 1039912245-0
Opcode ID: fbaf0ee92341f8a343643b57a91a2d6d7147022d8b5929b28ee5d70d63715117
Instruction ID: 12ccc3e1cfb5cdc2231c3d43177098dd0abdc76eeb42bbc9629a19fb9f48a265
Opcode Fuzzy Hash: fbaf0ee92341f8a343643b57a91a2d6d7147022d8b5929b28ee5d70d63715117
Instruction Fuzzy Hash: F8418D33A08B8181EB10CB05E4443697BA1FB98F48F669035EE9D87765CFBED446D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BEA40, Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BEB40
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BEB51
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BEB7F
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BEB95

Part of subcall function 00007FF6EE6B4EB8: EtwTraceMessage.NTDLL ref: 00007FF6EE6B4FF4

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@$MessageTrace
String ID:
API String ID: 1039912245-0
Opcode ID: 65cebe7e85fad68869923de45a1c6dc6a0f4c5b3f76930934af5fb1638d3b41a
Instruction ID: cea28e2164573d8839dfb203b5ac9ec230d361ca5a031a9475394e9e588b30d7
Opcode Fuzzy Hash: 65cebe7e85fad68869923de45a1c6dc6a0f4c5b3f76930934af5fb1638d3b41a
Instruction Fuzzy Hash: 9E41A637A08B8981EB148F15D4443697BA1FB94F88F664036EE4D837A4CFBED846D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE699490, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE699532
InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EE6995DC

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID:
API String ID: 2593887523-0
Opcode ID: d7aa9d9d91f2968b06b34865b7045171936ca24d0ca30d8338882ad14f34feec
Instruction ID: 843b60d23e78e0d20343b44f79697f3b135f30a949014db330f4fceb9a9cd864
Opcode Fuzzy Hash: d7aa9d9d91f2968b06b34865b7045171936ca24d0ca30d8338882ad14f34feec
Instruction Fuzzy Hash: CC41CD37508B81C6E7009F20E8803A977A8FB59F58F6A8235DE8C87364DFBAD055E705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C5740, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C582D
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C583E
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C586C
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C5882

Part of subcall function 00007FF6EE6C5CA0: EtwTraceMessage.NTDLL ref: 00007FF6EE6C5CF3

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@$MessageTrace
String ID:
API String ID: 1039912245-0
Opcode ID: b9584f33f77f9a0242073e873dc57cd1895468bc8952d8b3ee4b9bbb62dd554c
Instruction ID: 573e0f2ff7c9faf4f69f895541c61118ffb05092478499ec18a261cf29f60802
Opcode Fuzzy Hash: b9584f33f77f9a0242073e873dc57cd1895468bc8952d8b3ee4b9bbb62dd554c
Instruction Fuzzy Hash: DB41B533B18B8186EB009B15E8443783BA1FB94B98F564035EE0E87365CFBEE445D749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BCD60, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BCE55
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BCE66
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BCE94
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BCEAA

Part of subcall function 00007FF6EE6B51EC: EtwTraceMessage.NTDLL ref: 00007FF6EE6B5225

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@$MessageTrace
String ID:
API String ID: 1039912245-0
Opcode ID: f54738b4bd6dca041b2f7ccdaa5b674992994fcee8825440e4cc6399d0f7bc35
Instruction ID: 45ad0142e023ce24f5bc063ad338a42e7bef63aad294647949ced3c27ab1ca0a
Opcode Fuzzy Hash: f54738b4bd6dca041b2f7ccdaa5b674992994fcee8825440e4cc6399d0f7bc35
Instruction Fuzzy Hash: 1041A323B1878281EB408B15E4043B97BA1FB94B88F565036FA0DC3769CFBED546D749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C4F80, Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C504F
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C5060
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C5095
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C50AB

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID:
API String ID: 1886302522-0
Opcode ID: 82b6bd87c5e26977d627544220043590db6c70db7cb7b7f997689c44a75a2913
Instruction ID: 1ae17924de56664ccc517136b822955bd1f01b4bc5ee6d78cedff41a5744f3f4
Opcode Fuzzy Hash: 82b6bd87c5e26977d627544220043590db6c70db7cb7b7f997689c44a75a2913
Instruction Fuzzy Hash: 5A418033B08B8186EB008B15E8443687BA1FB98B88F664135EF0D87365CFBED445D789

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BE8B0, Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BE97D
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BE98E
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BE9C3
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BE9D9

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID:
API String ID: 1886302522-0
Opcode ID: a3d27f32a61aaecdb2da364fff48e179799047b258311492f119fc53fa5d80c6
Instruction ID: 8764da829e7ef37e728e89607a333a6e5fb9ed3b82ca9b7f9ebd6c5abfbdf7cf
Opcode Fuzzy Hash: a3d27f32a61aaecdb2da364fff48e179799047b258311492f119fc53fa5d80c6
Instruction Fuzzy Hash: FD41A036B08B8586EB109F05D4443687BA1FB99B88F564035EB0D83364CFBED845D74A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A2800, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF6EE6A2993
RtlLookupFunctionEntry.NTDLL ref: 00007FF6EE6A29B2
RtlVirtualUnwind.NTDLL ref: 00007FF6EE6A29FF
__raise_securityfailure.LIBCMT ref: 00007FF6EE6A2AE4

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 25084a94eda34ceb58a96aa41ff3d75a5d4f91fcbd2360c73a9ff6b0fb80a6b2
Instruction ID: 865098c7f736e535c4e0d2b0d3af0a23d10a792ec73302b88c950414a9fb4dc8
Opcode Fuzzy Hash: 25084a94eda34ceb58a96aa41ff3d75a5d4f91fcbd2360c73a9ff6b0fb80a6b2
Instruction Fuzzy Hash: C541FB36A09F0181EB508F18F85036977A4FBA8744FA24136E98EC3764DFBEE454E745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69F700, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6ADA7A
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6ADA8B
GetMemLogObject.WBEMCOMN ref: 00007FF6EE6ADAB1
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6ADAC7

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID:
API String ID: 1886302522-0
Opcode ID: b6be3c73b150356a5de3958f2034a5cc5b3df8ffb96b64e79e5247703eb538fd
Instruction ID: 5723e5b140c19db641d364a3dff3ae1999aadefe587f69c5347cb88f6e6fe48b
Opcode Fuzzy Hash: b6be3c73b150356a5de3958f2034a5cc5b3df8ffb96b64e79e5247703eb538fd
Instruction Fuzzy Hash: 3C21A162E08A4785EB045B10A4143742F91FB69B4CFA75035E90DC73A5CFBFE84AA34E

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6A2AF8, Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF6EE6A2B03
RtlLookupFunctionEntry.NTDLL ref: 00007FF6EE6A2B22
RtlVirtualUnwind.NTDLL ref: 00007FF6EE6A2B6F
__raise_securityfailure.LIBCMT ref: 00007FF6EE6A2BE5

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: ed9aa5777f077f932c6f5dfef7427ec80e47ebf03f84b8b7e05b7ca09bc337f4
Instruction ID: f145abd573521b08aed5f3c3225976cbde62c441522af41675b66faec0a42cd4
Opcode Fuzzy Hash: ed9aa5777f077f932c6f5dfef7427ec80e47ebf03f84b8b7e05b7ca09bc337f4
Instruction Fuzzy Hash: 2621C636909F4582E7109F04F84036977A4FBA4754FA20136EA8D83B64DFBEE454EB49

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6C0058, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6C0319
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6C032A

Strings

PutInstanceAsync, xrefs: 00007FF6EE6C02D3

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID: PutInstanceAsync
API String ID: 1886302522-2231458413
Opcode ID: cb329892b50c7dd1b75d8d6c9d43bf590197f44c31818c2dac67b19bf86aa5b9
Instruction ID: 82a1b08c87a6be8cfd353dbe8385479b904afba6f2f5d09a9c4f37a6132815f1
Opcode Fuzzy Hash: cb329892b50c7dd1b75d8d6c9d43bf590197f44c31818c2dac67b19bf86aa5b9
Instruction Fuzzy Hash: 46919D33B08B4686DF508B15D84476867A0FB69F94F124232EE5D877A4CFBEE444D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE6BFD0C, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

GetMemLogObject.WBEMCOMN ref: 00007FF6EE6BFFCD
?Write@CMemoryLog@@QEAAXJ@Z.WBEMCOMN ref: 00007FF6EE6BFFDE

Strings

PutClassAsync, xrefs: 00007FF6EE6BFF87

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: Log@@MemoryObjectWrite@
String ID: PutClassAsync
API String ID: 1886302522-532489750
Opcode ID: 5b6dfe48c10d60401f5cfe640d6128cdde0c2decd5e9d383c9bdbab7f64732f4
Instruction ID: 1bd97d9f529f62b310257507763ceafe41279b98500a777a9d8500350a574bb1
Opcode Fuzzy Hash: 5b6dfe48c10d60401f5cfe640d6128cdde0c2decd5e9d383c9bdbab7f64732f4
Instruction Fuzzy Hash: 98919C23A08B4685DB108F16E84476877A4FB69F90F124236FE1D833A8CFBEE444D709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE691100, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6EE69111E
SysFreeString.OLEAUT32 ref: 00007FF6EE691191

Part of subcall function 00007FF6EE6911B8: VariantInit.OLEAUT32 ref: 00007FF6EE69133F

Strings

__ProviderHostQuotaConfiguration=@, xrefs: 00007FF6EE691117

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: String$AllocFreeInitVariant
String ID: __ProviderHostQuotaConfiguration=@
API String ID: 1116590889-1272038474
Opcode ID: 7f7d2ff75970b7b0ff9a2af5b82b4020cbbf2af5ba14761ce883350a10001d16
Instruction ID: 4cc4f67a2ad3fa186b8daba1f8bf6fcbb876bd0cf154ca14241e99617f422e02
Opcode Fuzzy Hash: 7f7d2ff75970b7b0ff9a2af5b82b4020cbbf2af5ba14761ce883350a10001d16
Instruction Fuzzy Hash: C7115B36608B8682DB008B16E494379B7A0FB99BD4F564131EA4D83B28DFBED444CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EE69ECC4, Relevance: 5.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE69ED20
memcmp.MSVCRT ref: 00007FF6EE69ED9E
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EE69EDDE

Memory Dump Source

Source File: 00000000.00000002.492404494.00007FF6EE691000.00000020.00020000.sdmp, Offset: 00007FF6EE690000, based on PE: true

Associated: 00000000.00000002.492396887.00007FF6EE690000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492457989.00007FF6EE6D9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.492487671.00007FF6EE6F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.492495750.00007FF6EE6F8000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ee690000_c541a313a0492231a3_wmiprvse.jbxd

Similarity

API ID: AllocHeap$memcmp
String ID:
API String ID: 3670907648-0
Opcode ID: 0a8a6846dda54ae822ce6bed8b7c24ae876c38b75295f3b90ec5680744d688de
Instruction ID: 7c9a4b1f291c5da2f8f69b6243d9ce3efd39486dd7eaf826a424f6cfd0ea4d4c
Opcode Fuzzy Hash: 0a8a6846dda54ae822ce6bed8b7c24ae876c38b75295f3b90ec5680744d688de
Instruction Fuzzy Hash: 7B918033A08B8182EB60CB51E44036977E4FB58B84F168235EF9D87B40DFBAE564E705

Uniqueness

Uniqueness Score: -1.00%

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report c541a313a0492231a3_wmiprvse.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: c541a313a0492231a3_wmiprvse.exe PID: 6960 Parent PID: 5704

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: c541a313a0492231a3_wmiprvse.exe PID: 6960 Parent PID: 5704 c541a313a0492231a3_wmiprvse.exeCOMMON

Execution Graph

Graph

Executed Functions

Function 00007FF6EE69C334, Relevance: 96.8, APIs: 54, Strings: 1, Instructions: 556memoryCOMMON

Control-flow Graph

Function 00007FF6EE69AC50, Relevance: 18.2, APIs: 12, Instructions: 238sleepCOMMON

Control-flow Graph

Function 00007FF6EE698490, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139nativeCOMMON

Function 00007FF6EE69C334, Relevance: 96.8, APIs: 54, Strings: 1, Instructions: 556
memoryCOMMON

Function 00007FF6EE69AC50, Relevance: 18.2, APIs: 12, Instructions: 238
sleepCOMMON

Function 00007FF6EE698490, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139
nativeCOMMON

Function 00007FF6EE69B4D0, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 248
memorysynchronizationCOMMON

Function 00007FF6EE69C890, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 66
windowregistryCOMMON

Function 00007FF6EE69A940, Relevance: 15.3, APIs: 10, Instructions: 321
COMMON

Function 00007FF6EE69C260, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105
fileCOMMON

Function 00007FF6EE6A2580, Relevance: 12.1, APIs: 8, Instructions: 136
sleepCOMMON

Function 00007FF6EE697C2C, Relevance: 10.9, APIs: 7, Instructions: 361
memoryCOMMON

Function 00007FF6EE69DBEC, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101
memoryCOMMON

Function 00007FF6EE69DA94, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84
memoryCOMMON

Function 00007FF6EE69C69C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80
registrymemoryCOMMON

Function 00007FF6EE69C174, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71
COMMON

Function 00007FF6EE69F884, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39
registryCOMMON

Function 00007FF6EE69F978, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
registryCOMMON