Edit tour

Windows Analysis Report
AMSilence.exe

Overview

General Information

Sample name:	AMSilence.exe
Analysis ID:	1523566
MD5:	c1dc0bfe65e66a2822986bf30d93c6c5
SHA1:	2cb4013675c2de31bbe4acdd4e568c39709c900c
SHA256:	df3b8aeae03934ed902a40e32e7974c9cbd1480f7cf869413d24824f0efd5ee1
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found direct / indirect Syscall (likely to bypass EDR)

Tries to delay execution (extensive OutputDebugStringW loop)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64native

AMSilence.exe (PID: 8496 cmdline: "C:\Users\user\Desktop\AMSilence.exe" MD5: C1DC0BFE65E66A2822986BF30D93C6C5)

conhost.exe (PID: 8524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AMSilence.exe PID: 8496	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3273100 BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036,		0_2_00007FF6B3273100
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3273220 SystemFunction036,BCryptGenRandom,memcmp,		0_2_00007FF6B3273220

Source: AMSilence.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: kernel32.pdbUGP source: AMSilence.exe, 00000000.00000002.864715336.000001D9E4170000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdbGCTL source: AMSilence.exe, 00000000.00000002.868808213.000001D9E5060000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: AMSilence.exe, 00000000.00000002.868465957.000001D9E4F60000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: AMSilence.exe, 00000000.00000002.868040567.000001D9E4D90000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: AMSilence.exe, 00000000.00000002.869622968.000001D9E5420000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: AMSilence.exe, 00000000.00000002.866352920.000001D9E46C0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a01\_work\9\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: AMSilence.exe, 00000000.00000002.869833791.000001D9E54B0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: AMSilence.exe, 00000000.00000002.868808213.000001D9E5060000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: AMSilence.exe, 00000000.00000002.864485270.000001D9E40D0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdbUGP source: AMSilence.exe, 00000000.00000002.868465957.000001D9E4F60000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: apphelp.pdbUGP source: AMSilence.exe, 00000000.00000002.865275547.000001D9E4350000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdbUGP source: AMSilence.exe, 00000000.00000002.866180475.000001D9E4660000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: AMSilence.exe, 00000000.00000002.868648031.000001D9E4FE0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdbUGP source: AMSilence.exe, 00000000.00000002.869622968.000001D9E5420000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: AMSilence.pdb source: AMSilence.exe
Source:	Binary string: msvcp_win.pdb source: AMSilence.exe, 00000000.00000002.866727460.000001D9E47C0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdbUGP source: AMSilence.exe, 00000000.00000002.866727460.000001D9E47C0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdb source: AMSilence.exe, 00000000.00000002.869996844.000001D9E5510000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdbUGP source: AMSilence.exe, 00000000.00000002.868648031.000001D9E4FE0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdbUGP source: AMSilence.exe, 00000000.00000002.865771573.000001D9E4550000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: AMSilence.exe, 00000000.00000002.866180475.000001D9E4660000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: AMSilence.exe, 00000000.00000002.867537828.000001D9E4B80000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: AMSilence.exe, 00000000.00000002.864485270.000001D9E40D0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: AMSilence.exe, 00000000.00000002.864715336.000001D9E4170000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdb source: AMSilence.exe, 00000000.00000002.865771573.000001D9E4550000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdbUGP source: AMSilence.exe, 00000000.00000002.867537828.000001D9E4B80000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: apphelp.pdb source: AMSilence.exe, 00000000.00000002.865275547.000001D9E4350000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: AMSilence.exe, 00000000.00000002.866352920.000001D9E46C0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdbUGP source: AMSilence.exe, 00000000.00000002.869996844.000001D9E5510000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdbUGP source: AMSilence.exe, 00000000.00000002.868040567.000001D9E4D90000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B325CBC0 HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,FindFirstFileW,memmove,HeapFree,GetLastError,HeapFree,HeapFree,memmove,memmove,FindClose,memmove,FindClose,memcmp,HeapFree,HeapFree,HeapFree,memmove,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,FindClose,		0_2_00007FF6B325CBC0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3283A70 GetFileInformationByHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,		0_2_00007FF6B3283A70

Source: AMSilence.exe

String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportinternal_codedescriptionunknown_codeos_errorUnknow

Source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_9414f9d0-e

Source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_57a49ad2-5

Source: Yara match	File source: 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AMSilence.exe PID: 8496, type: MEMORYSTR

Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3253250 OutputDebugStringW,memset,OutputDebugStringW,GetModuleFileNameW,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,CreateToolhelp32Snapshot,GetLastError,HeapFree,memset,ProcessPrng,Module32FirstW,HeapFree,GetLastError,GetLastError,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,Module32NextW,memcmp,memcmp,memset,HeapFree,memset,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,GetModuleHandleW,HeapFree,GetModuleFileNameW,HeapFree,memset,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,GetLastError,HeapFree,OutputDebugStringW,HeapFree,GetErrorInfo,HeapFree,memset,OutputDebugStringW,HeapFree,NtOpenFile,memset,memset,OutputDebugStringW,HeapFree,GetErrorInfo,HeapFree,OutputDebugStringW,HeapFree,HeapFree,memset,NtCreateSection,memset,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,CloseHandle,GetLastError,GetErrorInfo,HeapFree,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,Module32NextW,HeapFree,OutputDebugStringW,HeapFree,HeapFree,memset,GetCurrentProcess,NtMapViewOfSection,memset,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,CloseHandle,CloseHandle,GetLastError,CloseHandle,GetLastError,OutputDebugStringW,HeapFree,HeapFree,memset,HeapFree,memset,OutputDebugStringW,HeapFree,GetCurrentProcess,memset,memset,OutputDebugStringW,HeapFree,GetCurrentProcess,memset,memset,OutputDebugStringW,HeapFree,memmove,memset,OutputDebugStringW,HeapFree,memset,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,NtUnmapViewOfSection,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,memcmp,HeapFree,HeapFree,OutputDebugStringW,HeapFree,CloseHandle,CloseHandle,GetLastError,CloseHandle,GetLastError,GetLastError,HeapFree,CloseHandle,GetLastError,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,GetLastError,CloseHandle,		0_2_00007FF6B3253250
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B327B520 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle,		0_2_00007FF6B327B520

Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B325DD20	0_2_00007FF6B325DD20
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B325C3B0	0_2_00007FF6B325C3B0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B32583F0	0_2_00007FF6B32583F0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B325CBC0	0_2_00007FF6B325CBC0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3253250	0_2_00007FF6B3253250
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B325B9F0	0_2_00007FF6B325B9F0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B32521E0	0_2_00007FF6B32521E0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B32588B0	0_2_00007FF6B32588B0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3269D70	0_2_00007FF6B3269D70
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B328C450	0_2_00007FF6B328C450
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B326E450	0_2_00007FF6B326E450
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B32984E0	0_2_00007FF6B32984E0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3281D30	0_2_00007FF6B3281D30
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3270390	0_2_00007FF6B3270390
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B327F3F0	0_2_00007FF6B327F3F0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3262C30	0_2_00007FF6B3262C30
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3276C20	0_2_00007FF6B3276C20
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3264A60	0_2_00007FF6B3264A60
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B327EAA0	0_2_00007FF6B327EAA0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3292A90	0_2_00007FF6B3292A90
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B326B2F0	0_2_00007FF6B326B2F0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B32742F0	0_2_00007FF6B32742F0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B32972D0	0_2_00007FF6B32972D0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B32662C0	0_2_00007FF6B32662C0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3251150	0_2_00007FF6B3251150
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B32651A0	0_2_00007FF6B32651A0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B328C190	0_2_00007FF6B328C190
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3273220	0_2_00007FF6B3273220
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B326C210	0_2_00007FF6B326C210
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3294060	0_2_00007FF6B3294060
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3266890	0_2_00007FF6B3266890
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3271080	0_2_00007FF6B3271080
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B32678B6	0_2_00007FF6B32678B6
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B326D130	0_2_00007FF6B326D130
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B327B900	0_2_00007FF6B327B900
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B328E740	0_2_00007FF6B328E740
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B327BFA0	0_2_00007FF6B327BFA0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B327CF80	0_2_00007FF6B327CF80
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B328DFC0	0_2_00007FF6B328DFC0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3267800	0_2_00007FF6B3267800
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3283EA0	0_2_00007FF6B3283EA0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3264EC0	0_2_00007FF6B3264EC0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B328CF30	0_2_00007FF6B328CF30
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B329A720	0_2_00007FF6B329A720
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B327FF10	0_2_00007FF6B327FF10
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3295700	0_2_00007FF6B3295700
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3264D50	0_2_00007FF6B3264D50
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3284D40	0_2_00007FF6B3284D40
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B326B5B0	0_2_00007FF6B326B5B0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B326C5A0	0_2_00007FF6B326C5A0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B327E5A0	0_2_00007FF6B327E5A0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B326ADE0	0_2_00007FF6B326ADE0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3251620	0_2_00007FF6B3251620

Source: C:\Users\user\Desktop\AMSilence.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\AMSilence.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\Desktop\AMSilence.exe

Code function: String function: 00007FF6B326E9D0 appears 59 times

Source: AMSilence.exe, 00000000.00000002.865229613.000001D9E4330000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.868879395.000001D9E5090000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcrt.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.866289703.000001D9E46A0000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebcryptprimitives.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.868593632.000001D9E4FC0000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamerpcrt4.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.865275547.000001D9E4350000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: {18A8B5B2-9D2F-4DB2-8307-196B5CC0CE6B}{9DE6F12F-0CB2-45E3-BAF1-FB0978255646}{22624CAC-FE50-451E-9261-E7F22AAB93EC}{5F72496A-514E-45FD-BF6C-21D75296EB78}{63C7DCCD-B53C-4A01-A9E3-30F6C38D793E}{8F5A098F-FE98-46EB-B2F6-859078D5E2F7}{E1236381-9522-4BB0-B0AB-AEF2CAB1205F}{10C4200A-0E69-40EA-8153-5F6ABB003C08}{E6B77E90-C966-4BC5-A29B-3EF9B2ADFFD1}{D2F983A5-5880-4964-B98F-67319C3625C4}{6E71D560-6E08-49E6-BF04-F94C85B54355}{3BE690E1-0665-430A-8F6D-89DDD4857989}{AB0BCAAD-7CC5-4CDA-A544-F858E7FF5B8D}{8AEE3B6E-E9A4-40B1-96EC-042F74EB8DCC}{0E7910B7-47A1-4EA8-AC71-63BD4126BF30}{59723693-A1CD-43FC-B4EC-CB48BDACF030}{73A8CA94-C105-4027-90FE-648F9D7B00ED}{9BD0B321-F521-46FA-9B06-0A5E6B0461C8}{A0B2DCF2-CBA3-4534-8EE2-D12D26ABB17B}{852EA32A-1D7A-49CC-8166-77B9DAEFBF7D}{9E248A91-7917-4105-BD0D-31E4965EC06E}{CCF7A2DD-43C3-4C6F-AB68-AF441163D0A0}{097A5E89-584D-4C58-B374-F31A68CA381D}{F83A0FCD-6D48-4714-8A38-D06D376AA7A0}{CECAF199-3F16-46C9-9F81-2905C16E0042}{8FFCB6B3-B3FF-401A-AD20-A5390AAA62B7}{A9C0CE5E-9A1A-47C9-82B6-538C880FDFF0}{8E412EFC-5B34-4C46-9BB4-71F7290EFE3F}FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyrightAcGenral.dllAcLayers.dllAcRes.dllAcSpecfc.dllAcWinRT.dllacwow64.dllAcXtrnal.dllKeyboardFilterShim.dllMasterShim.dlldepdetctuacdetctluadgmgt.dllluapriv.dllEMET.dllEMET64.dllLogExts.dllLogShim.dllInstallerDetectionSetupLayer.exeDXGUseWarpRenderingEntry.exeContainer32bitCompatModeEntry.exeNTDLL.DLLVERIFIER.DLLETW0 vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.868091100.000001D9E4DD0000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebcrypt.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.866482949.000001D9E4720000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.868760246.000001D9E5040000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameadvapi32.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.867484560.000001D9E4B60000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp_win.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.869759728.000001D9E5480000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesechost.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.870048646.000001D9E5550000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecryptbase.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.869946835.000001D9E54F0000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.864715336.000001D9E4170000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.865661302.000001D9E44E0000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.865371563.000001D9E43A0000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameApphelpj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.869345089.000001D9E52F0000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMBASE.DLLj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.864922036.000001D9E4200000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKernelbase.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.865939840.000001D9E45B0000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOLEAUT32.DLLj% vs AMSilence.exe

Source: classification engine

Classification label: mal48.evad.winEXE@2/0@0/0

Source: C:\Users\user\Desktop\AMSilence.exe

Code function: 0_2_00007FF6B327CF80 memset,GetModuleHandleW,FormatMessageW,memmove,GetLastError,HeapFree,HeapFree,

0_2_00007FF6B327CF80

Source: C:\Users\user\Desktop\AMSilence.exe

Code function: 0_2_00007FF6B325DD20 GetCurrentProcess,OpenProcessToken,memmove,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,HeapFree,memset,GetLastError,HeapFree,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,ProcessPrng,memset,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,HeapFree,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,memset,OutputDebugStringW,HeapFree,GetCurrentProcess,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,WriteProcessMemory,HeapFree,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,HeapFree,memset,HeapFree,HeapFree,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memmove,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,

0_2_00007FF6B325DD20

Source: C:\Users\user\Desktop\AMSilence.exe

Code function: 0_2_00007FF6B3253250 OutputDebugStringW,memset,OutputDebugStringW,GetModuleFileNameW,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,CreateToolhelp32Snapshot,GetLastError,HeapFree,memset,ProcessPrng,Module32FirstW,HeapFree,GetLastError,GetLastError,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,Module32NextW,memcmp,memcmp,memset,HeapFree,memset,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,GetModuleHandleW,HeapFree,GetModuleFileNameW,HeapFree,memset,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,GetLastError,HeapFree,OutputDebugStringW,HeapFree,GetErrorInfo,HeapFree,memset,OutputDebugStringW,HeapFree,NtOpenFile,memset,memset,OutputDebugStringW,HeapFree,GetErrorInfo,HeapFree,OutputDebugStringW,HeapFree,HeapFree,memset,NtCreateSection,memset,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,CloseHandle,GetLastError,GetErrorInfo,HeapFree,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,Module32NextW,HeapFree,OutputDebugStringW,HeapFree,HeapFree,memset,GetCurrentProcess,NtMapViewOfSection,memset,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,CloseHandle,CloseHandle,GetLastError,CloseHandle,GetLastError,OutputDebugStringW,HeapFree,HeapFree,memset,HeapFree,memset,OutputDebugStringW,HeapFree,GetCurrentProcess,memset,memset,OutputDebugStringW,HeapFree,GetCurrentProcess,memset,memset,OutputDebugStringW,HeapFree,memmove,memset,OutputDebugStringW,HeapFree,memset,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,NtUnmapViewOfSection,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,memcmp,HeapFree,HeapFree,OutputDebugStringW,HeapFree,CloseHandle,CloseHandle,GetLastError,CloseHandle,GetLastError,GetLastError,HeapFree,CloseHandle,GetLastError,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,GetLastError,CloseHandle,

0_2_00007FF6B3253250

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8524:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8524:120:WilError_03

Source: AMSilence.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AMSilence.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\AMSilence.exe "C:\Users\user\Desktop\AMSilence.exe"
Source: C:\Users\user\Desktop\AMSilence.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\AMSilence.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AMSilence.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\AMSilence.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: AMSilence.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: AMSilence.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: AMSilence.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: kernel32.pdbUGP source: AMSilence.exe, 00000000.00000002.864715336.000001D9E4170000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdbGCTL source: AMSilence.exe, 00000000.00000002.868808213.000001D9E5060000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: AMSilence.exe, 00000000.00000002.868465957.000001D9E4F60000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: AMSilence.exe, 00000000.00000002.868040567.000001D9E4D90000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: AMSilence.exe, 00000000.00000002.869622968.000001D9E5420000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: AMSilence.exe, 00000000.00000002.866352920.000001D9E46C0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a01\_work\9\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: AMSilence.exe, 00000000.00000002.869833791.000001D9E54B0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: AMSilence.exe, 00000000.00000002.868808213.000001D9E5060000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: AMSilence.exe, 00000000.00000002.864485270.000001D9E40D0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdbUGP source: AMSilence.exe, 00000000.00000002.868465957.000001D9E4F60000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: apphelp.pdbUGP source: AMSilence.exe, 00000000.00000002.865275547.000001D9E4350000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdbUGP source: AMSilence.exe, 00000000.00000002.866180475.000001D9E4660000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: AMSilence.exe, 00000000.00000002.868648031.000001D9E4FE0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdbUGP source: AMSilence.exe, 00000000.00000002.869622968.000001D9E5420000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: AMSilence.pdb source: AMSilence.exe
Source:	Binary string: msvcp_win.pdb source: AMSilence.exe, 00000000.00000002.866727460.000001D9E47C0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdbUGP source: AMSilence.exe, 00000000.00000002.866727460.000001D9E47C0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdb source: AMSilence.exe, 00000000.00000002.869996844.000001D9E5510000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdbUGP source: AMSilence.exe, 00000000.00000002.868648031.000001D9E4FE0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdbUGP source: AMSilence.exe, 00000000.00000002.865771573.000001D9E4550000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: AMSilence.exe, 00000000.00000002.866180475.000001D9E4660000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: AMSilence.exe, 00000000.00000002.867537828.000001D9E4B80000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: AMSilence.exe, 00000000.00000002.864485270.000001D9E40D0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: AMSilence.exe, 00000000.00000002.864715336.000001D9E4170000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdb source: AMSilence.exe, 00000000.00000002.865771573.000001D9E4550000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdbUGP source: AMSilence.exe, 00000000.00000002.867537828.000001D9E4B80000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: apphelp.pdb source: AMSilence.exe, 00000000.00000002.865275547.000001D9E4350000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: AMSilence.exe, 00000000.00000002.866352920.000001D9E46C0000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdbUGP source: AMSilence.exe, 00000000.00000002.869996844.000001D9E5510000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdbUGP source: AMSilence.exe, 00000000.00000002.868040567.000001D9E4D90000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\AMSilence.exe

Code function: 0_2_00007FF6B3292A90 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,HeapFree,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,ReleaseMutex,RtlVirtualUnwind,memset,WideCharToMultiByte,HeapFree,HeapFree,HeapFree,

0_2_00007FF6B3292A90

Source: C:\Users\user\Desktop\AMSilence.exe

0_2_00007FF6B3292A90

Malware Analysis System Evasion

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\Desktop\AMSilence.exe

Section loaded: OutputDebugStringW count: 1984

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B325CBC0 HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,FindFirstFileW,memmove,HeapFree,GetLastError,HeapFree,HeapFree,memmove,memmove,FindClose,memmove,FindClose,memcmp,HeapFree,HeapFree,HeapFree,memmove,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,FindClose,		0_2_00007FF6B325CBC0
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3283A70 GetFileInformationByHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,		0_2_00007FF6B3283A70

Source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity

Source: C:\Users\user\Desktop\AMSilence.exe

Code function: 0_2_00007FF6B325C3B0 OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,memset,OutputDebugStringW,LdrLoadDll,memset,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,

0_2_00007FF6B325C3B0

Source: C:\Users\user\Desktop\AMSilence.exe

Code function: 0_2_00007FF6B3297E60 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6B3297E60

Source: C:\Users\user\Desktop\AMSilence.exe

0_2_00007FF6B325DD20

Source: C:\Users\user\Desktop\AMSilence.exe

0_2_00007FF6B3292A90

Source: C:\Users\user\Desktop\AMSilence.exe

Code function: 0_2_00007FF6B3292A60 HeapAlloc,GetProcessHeap,HeapAlloc,

0_2_00007FF6B3292A60

Source: C:\Users\user\Desktop\AMSilence.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3298004 SetUnhandledExceptionFilter,		0_2_00007FF6B3298004
Source: C:\Users\user\Desktop\AMSilence.exe	Code function: 0_2_00007FF6B3297E60 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00007FF6B3297E60

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\AMSilence.exe

NtUnmapViewOfSection: Indirect: 0x7FF6B3257AF9

Jump to behavior

Source: C:\Users\user\Desktop\AMSilence.exe	Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AMSilence.exe	Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AMSilence.exe	Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AMSilence.exe	Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MpClient.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AMSilence.exe	Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MpOAV.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AMSilence.exe	Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AMSilence.exe	Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AMSilence.exe	Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AMSilence.exe	Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MpClient.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AMSilence.exe	Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MpOAV.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\AMSilence.exe

Code function: 0_2_00007FF6B328E740 ProcessPrng,GetCurrentProcessId,ProcessPrng,HeapFree,ProcessPrng,CreateNamedPipeW,GetLastError,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,HeapFree,ProcessPrng,HeapFree,

0_2_00007FF6B328E740

Source: C:\Users\user\Desktop\AMSilence.exe

Code function: 0_2_00007FF6B3297D38 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6B3297D38

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 LSASS Driver	1 Access Token Manipulation	1 Virtualization/Sandbox Evasion	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	2 Process Injection	1 Access Token Manipulation	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	2 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 LSASS Driver	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	Source	Malicious	Antivirus Detection	Reputation
https://docs.rs/getrandom#nodejs-es-module-supportinternal_codedescriptionunknown_codeos_errorUnknow	AMSilence.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523566
Start date and time:	2024-10-01 19:29:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AMSilence.exe
Detection:	MAL
Classification:	mal48.evad.winEXE@2/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 18 Number of non-executed functions: 79
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: AMSilence.exe

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.3723334444952595
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AMSilence.exe
File size:	380'928 bytes
MD5:	c1dc0bfe65e66a2822986bf30d93c6c5
SHA1:	2cb4013675c2de31bbe4acdd4e568c39709c900c
SHA256:	df3b8aeae03934ed902a40e32e7974c9cbd1480f7cf869413d24824f0efd5ee1
SHA512:	de3a8500a39b80d3f173219dc5200bd690edd1f05e7fa3f05d93451a5f03c36130ecc17349e6d963ccdef27c9c18adfa8603e65d2d308cfd85ebaf4a19695b7d
SSDEEP:	6144:J96K4oWCpn8Tn3khs4K9ywkV6M4WxZvB/ROpKuLLiy8bvmhnCFB2PahzqWwd:J96K4oWCpEn3khsEQcLPOLR+2GqW
TLSH:	CA843A16FA55A8FCD05AC074C35AA6737A327C891B35BDFB12C856343F65AE06A3CB04
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.o.>...>...>...7...2....&..<....&..=....&..7....&..)...>.......>...+...v'..?...Rich>...........................PE..d....0.f...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140047adc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FC30F6 [Tue Oct 1 17:27:18 2024 UTC]
TLS Callbacks:	0x4002c730, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4641514754548e870c8697239bced05e

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F18048D28D8h
dec eax
add esp, 28h
jmp 00007F18048D24F7h
int3
int3
jmp 00007F18048D2C78h
int3
int3
int3
dec eax
sub esp, 28h
call 00007F18048D2F40h
test eax, eax
je 00007F18048D26A3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F18048D2687h
dec eax
cmp ecx, eax
je 00007F18048D2696h
xor eax, eax
dec eax
cmpxchg dword ptr [000146B4h], ecx
jne 00007F18048D2670h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F18048D2679h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F18048D2689h
mov byte ptr [0001469Dh], 00000001h
call 00007F18048D2C2Dh
call 00007F18048D2940h
test al, al
jne 00007F18048D2686h
xor al, al
jmp 00007F18048D2696h
call 00007F18048D2933h
test al, al
jne 00007F18048D268Bh
xor ecx, ecx
call 00007F18048D2928h
jmp 00007F18048D266Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00014664h], 00000000h
mov ebx, ecx
jne 00007F18048D26E9h
cmp ecx, 01h
jnbe 00007F18048D26ECh
call 00007F18048D2EB6h
test eax, eax
je 00007F18048D26AAh
test ebx, ebx
jne 00007F18048D26A6h
dec eax
lea ecx, dword ptr [0001464Eh]
call 00007F18048D2F5Eh
test eax, eax
jne 00007F18048D2692h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5a45c	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5d000	0x1e90	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f000	0x584	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x55750	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x55800	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x55610	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4b000	0x458	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x49da3	0x49e00	dc29cf1fd2a57960651f8d0fbafd29c2	False	0.48717414868866327	data	6.329665812914689	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4b000	0x10514	0x10600	6771a5cb3519441c06af93163579c529	False	0.3880456822519084	data	5.628015629850922	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5c000	0x260	0x200	40fa3f513bda18808a1f247a421f5545	False	0.216796875	data	1.4582419783356335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x5d000	0x1e90	0x2000	7f91fe75228a988bd052bacbcbcf046b	False	0.49609375	data	5.506768558176253	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5f000	0x584	0x600	df4bac8055ab5d0ff68e76d88cc7b0b9	False	0.6256510416666666	data	5.200238501935515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
bcryptprimitives.dll	ProcessPrng
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
kernel32.dll	SetThreadStackGuarantee, GetCurrentThread, WriteFileEx, SleepEx, ReadFileEx, WaitForMultipleObjects, GetOverlappedResult, GetExitCodeProcess, GetCurrentProcessId, CancelIo, ReadFile, HeapAlloc, GetProcessHeap, GetCurrentDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, ReleaseMutex, RtlVirtualUnwind, WideCharToMultiByte, LoadLibraryExA, DeleteProcThreadAttributeList, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, QueryPerformanceCounter, UpdateProcThreadAttribute, InitializeProcThreadAttributeList, CreateThread, DuplicateHandle, GetFileAttributesW, CreateProcessW, GetWindowsDirectoryW, GetSystemDirectoryW, CompareStringOrdinal, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetFileInformationByHandleEx, GetFileInformationByHandle, GetFullPathNameW, IsDebuggerPresent, SetFileInformationByHandle, CreateFileW, GetEnvironmentVariableW, lstrlenW, FormatMessageW, SetLastError, GetProcAddress, WriteConsoleW, MultiByteToWideChar, UnhandledExceptionFilter, WaitForSingleObject, SetUnhandledExceptionFilter, GetConsoleMode, GetStdHandle, HeapReAlloc, FindNextFileW, FindClose, FindFirstFileW, GetModuleHandleA, GetCurrentProcess, GetModuleHandleW, Module32NextW, Module32FirstW, CreateToolhelp32Snapshot, GetModuleFileNameW, OutputDebugStringW, GetLastError, CloseHandle, HeapFree, CreateNamedPipeW, CreateEventW, IsProcessorFeaturePresent
oleaut32.dll	SysStringLen, GetErrorInfo, SysFreeString
advapi32.dll	AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SystemFunction036
bcrypt.dll	BCryptGenRandom
ntdll.dll	NtWriteFile, RtlNtStatusToDosError, NtReadFile
api-ms-win-core-winrt-error-l1-1-0.dll	RoOriginateErrorW
VCRUNTIME140.dll	memmove, memcmp, memset, __C_specific_handler, memcpy, __current_exception_context, __current_exception, __CxxFrameHandler3
api-ms-win-crt-string-l1-1-0.dll	strlen
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, __p___argc, terminate, _exit, _cexit, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, exit, _set_app_type, _seh_filter_exe, _register_thread_local_exe_atexit_callback, _crt_atexit, _initialize_onexit_table, _register_onexit_function, __p___argv
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode, __p__commode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, free

Target ID:	0
Start time:	13:35:31
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\AMSilence.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\AMSilence.exe"
Imagebase:	0x7ff6b3250000
File size:	380'928 bytes
MD5 hash:	C1DC0BFE65E66A2822986BF30D93C6C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:35:31
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff793500000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	79.8%
Total number of Nodes:	1238
Total number of Limit Nodes:	8

Executed Functions

Function 00007FF6B3253250 Relevance: 329.6, APIs: 166, Strings: 20, Instructions: 4074memoryprocessCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6B32532A9
OutputDebugStringW.KERNEL32 ref: 00007FF6B3253321
GetModuleFileNameW.KERNEL32 ref: 00007FF6B325334D
HeapFree.KERNEL32 ref: 00007FF6B32533A9
HeapFree.KERNEL32 ref: 00007FF6B32533E9
memset.VCRUNTIME140 ref: 00007FF6B32534B2
OutputDebugStringW.KERNEL32 ref: 00007FF6B325358C
HeapFree.KERNEL32 ref: 00007FF6B32535A3
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6B32535B0
GetLastError.KERNEL32 ref: 00007FF6B32535C2
memset.VCRUNTIME140 ref: 00007FF6B325361B
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FF6B325367E
Module32FirstW.KERNEL32 ref: 00007FF6B3253709
GetLastError.KERNEL32 ref: 00007FF6B3253742
GetLastError.KERNEL32 ref: 00007FF6B3253744
HeapFree.KERNEL32 ref: 00007FF6B3253816
HeapFree.KERNEL32 ref: 00007FF6B3253850
HeapFree.KERNEL32 ref: 00007FF6B3253600

Part of subcall function 00007FF6B3264A60: memmove.VCRUNTIME140 ref: 00007FF6B3264CB6

memcmp.VCRUNTIME140 ref: 00007FF6B32539AB

Strings

NtMapViewOfSection failedNtCreateSection failed for module: , xrefs: 00007FF6B325667C
@, xrefs: 00007FF6B3255103
KO_S, xrefs: 00007FF6B3254C6E
Failed to resolve NtCreateSectionFailed to resolve NtMapViewOfSection for module: , xrefs: 00007FF6B3255C75
KO_S, xrefs: 00007FF6B3253756
Failed to resolve NtUnmapViewOfSectionCurrent executable path: , xrefs: 00007FF6B32579DC
KO_S, xrefs: 00007FF6B3255668
KO_S, xrefs: 00007FF6B3255D6F
KO_S, xrefs: 00007FF6B32535D8
, xrefs: 00007FF6B32574DD
`, xrefs: 00007FF6B32552A1
0, xrefs: 00007FF6B32550DC
Failed to resolve NtMapViewOfSectionFailed to resolve NtUnmapViewOfSection for module: , xrefs: 00007FF6B3256587
Failed to resolve NtOpenFileFailed to resolve NtCreateSection for module: , xrefs: 00007FF6B3254D85
KO_S, xrefs: 00007FF6B32556A3
NtCreateSection failedNtOpenFile failed for , xrefs: 00007FF6B3255D60
Invalid DOS signatureNtMapViewOfSection failed for module: with status: , xrefs: 00007FF6B325812F
@, xrefs: 00007FF6B3256BCE
NtCreateSectionNtMapViewOfSectionNtUnmapViewOfSectionNtOpenFileStarting remapping of module: , xrefs: 00007FF6B32557A7, 00007FF6B32557EF
Invalid NT signatureInvalid DOS signature for module: , xrefs: 00007FF6B3257ABC

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap$ErrorLastmemset$DebugOutputString$CreateFileFirstModuleModule32NamePrngProcessSnapshotToolhelp32memcmpmemmove
String ID: $0$@$@$Failed to resolve NtCreateSectionFailed to resolve NtMapViewOfSection for module: $Failed to resolve NtMapViewOfSectionFailed to resolve NtUnmapViewOfSection for module: $Failed to resolve NtOpenFileFailed to resolve NtCreateSection for module: $Failed to resolve NtUnmapViewOfSectionCurrent executable path: $Invalid DOS signatureNtMapViewOfSection failed for module: with status: $Invalid NT signatureInvalid DOS signature for module: $KO_S$KO_S$KO_S$KO_S$KO_S$KO_S$NtCreateSection failedNtOpenFile failed for $NtCreateSectionNtMapViewOfSectionNtUnmapViewOfSectionNtOpenFileStarting remapping of module: $NtMapViewOfSection failedNtCreateSection failed for module: $`
API String ID: 2058080900-3317569693
Opcode ID: 2e082a84c7a31cb715ee0b8fc4753af9e37760f65bc9d791b657649b7cf78f27
Instruction ID: 7ae74904423b75b2fd7c4d4a4011d5ceb6f699922031f63ed29f0b2a8934ecad
Opcode Fuzzy Hash: 2e082a84c7a31cb715ee0b8fc4753af9e37760f65bc9d791b657649b7cf78f27
Instruction Fuzzy Hash: 6393C672B19BC181EB218B18E5453EAB3A1FB85784F418235DB8DA7B99EF7CD244C740

Function 00007FF6B325DD20 Relevance: 302.7, APIs: 139, Strings: 32, Instructions: 3474memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B3273100: BCryptGenRandom.BCRYPT(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B325DDC3), ref: 00007FF6B3273153
Part of subcall function 00007FF6B3273100: SystemFunction036.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B325DDC3), ref: 00007FF6B3273165

GetCurrentProcess.KERNEL32 ref: 00007FF6B325DE24
OpenProcessToken.ADVAPI32 ref: 00007FF6B325DE39
memmove.VCRUNTIME140 ref: 00007FF6B325DE7F
GetLastError.KERNEL32 ref: 00007FF6B325DEC0
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF6B325DFAE
AdjustTokenPrivileges.KERNELBASE ref: 00007FF6B325DFF3
HeapFree.KERNEL32 ref: 00007FF6B325E016
memset.VCRUNTIME140 ref: 00007FF6B325E0A1
memset.VCRUNTIME140 ref: 00007FF6B325E1DB
OutputDebugStringW.KERNEL32 ref: 00007FF6B325E2B7
HeapFree.KERNEL32 ref: 00007FF6B325E2CE
OutputDebugStringW.KERNEL32 ref: 00007FF6B325E387
HeapFree.KERNEL32 ref: 00007FF6B325E3A2

Strings

Failed to open service.Successfully opened service: , xrefs: 00007FF6B3261E30
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6B32621A0, 00007FF6B32621EA
kernel32.dllVirtualAllocEx, xrefs: 00007FF6B325EBBE
MpWDEnable, xrefs: 00007FF6B325EB4A
Failed to patch Windows Defender functionsFailed to unregister MpOAV.dll: , xrefs: 00007FF6B326035C
Failed to resolve OpenSCManagerAOpenServiceA, xrefs: 00007FF6B3261D3F
MpThreatAction, xrefs: 00007FF6B325EB60
Failed to unregister MpOAV.dllFailed to query antivirus service name: , xrefs: 00007FF6B3260ADD
Failed to load MpOAV.dllDllUnregisterServer, xrefs: 00007FF6B3260737
Failed to resolve DeleteServiceOpening Service Control Manager...Failed to open Service Control Manager.Successfully opened Service Control Manager.Opening service: , xrefs: 00007FF6B3261D69
nown, xrefs: 00007FF6B326174E
aths, xrefs: 00007FF6B3260143
Failed to get Defender module pathsAttempting to patch function at address: , xrefs: 00007FF6B32608FD
mpoav.dllFailed to resolve DllUnregisterServer.DllUnregisterServer failed, xrefs: 00007FF6B3260642
Attempting to stop the service...Failed to stop service or service was not running.Service stopped successfully.Attempting to delete the service...Failed to delete service.Service deleted successfully.Number of names in export directory: , xrefs: 00007FF6B3261D04
KO_S, xrefs: 00007FF6B325DED6
Process module remapping failedFailed to patch Windows Defender functions: , xrefs: 00007FF6B325E8BF
mpclient.dllWDEnable, xrefs: 00007FF6B325EA83
Service interaction completed successfully./rustc/100fde5246bf56f22fb5cc85374dd841296fce0e\library\core\src\slice\sort\stable\quicksort.rsmid > len, xrefs: 00007FF6B3261E7B
MpScanStart, xrefs: 00007FF6B325EB55
ServiceName not found in JSON output.Set-MpPreference -DisableRealtimeMonitoring $true } Failed to disable real-time monitoring: , xrefs: 00007FF6B32610F5
#, xrefs: 00007FF6B3260904
-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct, xrefs: 00007FF6B3260CB8, 00007FF6B32622DC
advapi32.dll, xrefs: 00007FF6B32619C6
WriteProcessMemory, xrefs: 00007FF6B325F8FE
Failed to resolve OpenServiceAControlService, xrefs: 00007FF6B3261D4B
OpenSCManagerA, xrefs: 00007FF6B3261AB9
KO_S, xrefs: 00007FF6B325E106
Failed to resolve ControlServiceDeleteService, xrefs: 00007FF6B3261D5D
&, xrefs: 00007FF6B3260913
Failed to write to process memory.VirtualProtectLoadLibraryA, xrefs: 00007FF6B32604A5
CString::new failedsrc\token.rs, xrefs: 00007FF6B32611B7

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap$DebugOutputProcessStringTokenmemset$AdjustCryptCurrentErrorFunction036LastLookupOpenPrivilegePrivilegesRandomSystemValuememmove
String ID: #$&$-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct$Attempting to stop the service...Failed to stop service or service was not running.Service stopped successfully.Attempting to delete the service...Failed to delete service.Service deleted successfully.Number of names in export directory: $CString::new failedsrc\token.rs$Failed to get Defender module pathsAttempting to patch function at address: $Failed to load MpOAV.dllDllUnregisterServer$Failed to open service.Successfully opened service: $Failed to patch Windows Defender functionsFailed to unregister MpOAV.dll: $Failed to resolve ControlServiceDeleteService$Failed to resolve DeleteServiceOpening Service Control Manager...Failed to open Service Control Manager.Successfully opened Service Control Manager.Opening service: $Failed to resolve OpenSCManagerAOpenServiceA$Failed to resolve OpenServiceAControlService$Failed to unregister MpOAV.dllFailed to query antivirus service name: $Failed to write to process memory.VirtualProtectLoadLibraryA$KO_S$KO_S$MpScanStart$MpThreatAction$MpWDEnable$OpenSCManagerA$Process module remapping failedFailed to patch Windows Defender functions: $Service interaction completed successfully./rustc/100fde5246bf56f22fb5cc85374dd841296fce0e\library\core\src\slice\sort\stable\quicksort.rsmid > len$ServiceName not found in JSON output.Set-MpPreference -DisableRealtimeMonitoring $true } Failed to disable real-time monitoring: $WriteProcessMemory$advapi32.dll$aths$called `Result::unwrap()` on an `Err` value$kernel32.dllVirtualAllocEx$mpclient.dllWDEnable$mpoav.dllFailed to resolve DllUnregisterServer.DllUnregisterServer failed$nown
API String ID: 51783063-3113947615
Opcode ID: 8030f5f093471952398372fca96803d005588d6cdcd2b6b791d5233ed7e40f49
Instruction ID: 69eb90676cb56fe6dddcab7cb4b0ef6a3d8e301ece1f24881d33951c5a12852f
Opcode Fuzzy Hash: 8030f5f093471952398372fca96803d005588d6cdcd2b6b791d5233ed7e40f49
Instruction Fuzzy Hash: BB835F32B08BC689E7368F29D9463F96364FF49B48F444235DB4DAAB59EF389245C340

Function 00007FF6B32588B0 Relevance: 95.5, APIs: 39, Strings: 14, Instructions: 2784memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6B3258A11
OutputDebugStringW.KERNEL32 ref: 00007FF6B3258AE7
HeapFree.KERNEL32 ref: 00007FF6B3258AFB

Strings

c, xrefs: 00007FF6B325B56F
advapi32.dll, xrefs: 00007FF6B32588FA
mpoav.dll, xrefs: 00007FF6B3258936
l, xrefs: 00007FF6B3259033
gdi32.dll, xrefs: 00007FF6B3258918
d, xrefs: 00007FF6B325B0D5
l, xrefs: 00007FF6B325B3CD
kernel32.dll, xrefs: 00007FF6B32588EB
a Display implementation returned an error unexpectedly, xrefs: 00007FF6B325B9B6
8, xrefs: 00007FF6B325B490
Unpad ErrorBorrowMutErroralready borrowed: , xrefs: 00007FF6B325B11C
user32.dll, xrefs: 00007FF6B3258909
., xrefs: 00007FF6B325903E
mpclient.dll, xrefs: 00007FF6B3258927

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: DebugFreeHeapOutputStringmemset
String ID: .$8$Unpad ErrorBorrowMutErroralready borrowed: $a Display implementation returned an error unexpectedly$advapi32.dll$c$d$gdi32.dll$kernel32.dll$l$l$mpclient.dll$mpoav.dll$user32.dll
API String ID: 3278678782-3081676239
Opcode ID: 0f919f5dd305049b0aec777d161ebbb8f567a9ad1c6fb871c919d15f965d4b26
Instruction ID: 27eb18865cde7b5dba7929c90e83781d79010160998c788a07c11e9a7ae394d5
Opcode Fuzzy Hash: 0f919f5dd305049b0aec777d161ebbb8f567a9ad1c6fb871c919d15f965d4b26
Instruction Fuzzy Hash: B333B162718BD481F6218FA5A9617EBA3A1FB89BC4F04A135DF8D67B19DF3CD2418700

Function 00007FF6B325CBC0 Relevance: 63.6, APIs: 32, Strings: 4, Instructions: 647memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B3283830: HeapFree.KERNEL32 ref: 00007FF6B328390D
Part of subcall function 00007FF6B3283830: HeapFree.KERNEL32 ref: 00007FF6B3283920

HeapFree.KERNEL32 ref: 00007FF6B325CC7A
HeapFree.KERNEL32 ref: 00007FF6B325CC8C
HeapFree.KERNEL32 ref: 00007FF6B325CE10
HeapFree.KERNEL32 ref: 00007FF6B325CE22
HeapFree.KERNEL32 ref: 00007FF6B325CE68
HeapFree.KERNEL32 ref: 00007FF6B325CE7A
memset.VCRUNTIME140 ref: 00007FF6B325CEE1
FindFirstFileW.KERNELBASE ref: 00007FF6B325CEEC
memmove.VCRUNTIME140 ref: 00007FF6B325CF60
HeapFree.KERNEL32 ref: 00007FF6B325CF76
GetLastError.KERNEL32 ref: 00007FF6B325CF9B
HeapFree.KERNEL32 ref: 00007FF6B325D008
HeapFree.KERNEL32 ref: 00007FF6B325D035
memmove.VCRUNTIME140 ref: 00007FF6B325D052
memmove.VCRUNTIME140 ref: 00007FF6B325D064
FindClose.KERNEL32 ref: 00007FF6B325D093
memmove.VCRUNTIME140 ref: 00007FF6B325D124
FindClose.KERNEL32 ref: 00007FF6B325D1C4
HeapFree.KERNEL32 ref: 00007FF6B325D7A1

Strings

*fatal runtime error: I/O error: operation failed to complete synchronously, xrefs: 00007FF6B325CD37
, xrefs: 00007FF6B325D12E
, xrefs: 00007FF6B325D194
C:\ProgramData\Microsoft\Windows Defender\PlatformNo valid Defender Platform versions found.Failed to read Defender Platform directoryDefender Platform path does not exist.MpClient.dllMpOAV.dllOne or both of the required Defender modules (MpClient.dll, MpOAV.d, xrefs: 00007FF6B325CC00

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap$memmove$Find$Close$ErrorFileFirstLastmemset
String ID: $ $*fatal runtime error: I/O error: operation failed to complete synchronously$C:\ProgramData\Microsoft\Windows Defender\PlatformNo valid Defender Platform versions found.Failed to read Defender Platform directoryDefender Platform path does not exist.MpClient.dllMpOAV.dllOne or both of the required Defender modules (MpClient.dll, MpOAV.d
API String ID: 602248511-964431083
Opcode ID: 34c515e589215cb5021155b7f41b4c74f2f3027839a635186590c8004865ca34
Instruction ID: 5feb0f58acf3a066896ea5b053b4a96d45cfd62191d6d55c519be411e157447a
Opcode Fuzzy Hash: 34c515e589215cb5021155b7f41b4c74f2f3027839a635186590c8004865ca34
Instruction Fuzzy Hash: C8628322B09BC585F7209F29DA463E92361FB89B98F054135CF4DAB79ADF39E245C340

Function 00007FF6B325B9F0 Relevance: 42.5, APIs: 21, Strings: 3, Instructions: 487
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FF6B325BA8F
OutputDebugStringW.KERNEL32 ref: 00007FF6B325BB6C
HeapFree.KERNEL32 ref: 00007FF6B325BB86
GetModuleHandleA.KERNEL32 ref: 00007FF6B325BB93
memset.VCRUNTIME140 ref: 00007FF6B325BBB8
OutputDebugStringW.KERNEL32 ref: 00007FF6B325BC1E
memset.VCRUNTIME140 ref: 00007FF6B325BD16
GetLastError.KERNEL32 ref: 00007FF6B325BD59
memset.VCRUNTIME140 ref: 00007FF6B325BD71
memset.VCRUNTIME140 ref: 00007FF6B325BDC4

Part of subcall function 00007FF6B326DC80: HeapFree.KERNEL32 ref: 00007FF6B326DE15

OutputDebugStringW.KERNEL32 ref: 00007FF6B325BE19
memset.VCRUNTIME140 ref: 00007FF6B325BEB5
OutputDebugStringW.KERNEL32 ref: 00007FF6B325BF8F
HeapFree.KERNEL32 ref: 00007FF6B325BFA9
memset.VCRUNTIME140 ref: 00007FF6B325C06B
memset.VCRUNTIME140 ref: 00007FF6B325C11F
OutputDebugStringW.KERNEL32 ref: 00007FF6B325C1FC
OutputDebugStringW.KERNEL32 ref: 00007FF6B325C2AC
HeapFree.KERNEL32 ref: 00007FF6B325C2CA
OutputDebugStringW.KERNEL32 ref: 00007FF6B325C37C
HeapFree.KERNEL32 ref: 00007FF6B325C396

Strings

., xrefs: 00007FF6B325BDA5
ntdll.dll, xrefs: 00007FF6B325BB8C
y, xrefs: 00007FF6B325BBFE

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memset$DebugOutputString$FreeHeap$ErrorHandleLastModule
String ID: .$ntdll.dll$y
API String ID: 823618834-3542015323
Opcode ID: c93186c017a53872e5cc2556b513e53ea9fde6ce147ce243dda8cba5de63c6ca
Instruction ID: 913b1c9865f85ac122ea6592f6680d381f3c64223287704d6275b5337a9543f5
Opcode Fuzzy Hash: c93186c017a53872e5cc2556b513e53ea9fde6ce147ce243dda8cba5de63c6ca
Instruction Fuzzy Hash: 4832C422B18BC585EB208F28E5067EAB361FB85784F504235DB8DA3B5AEF7DD244C740

Function 00007FF6B32521E0 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 375
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNEL32 ref: 00007FF6B3252267
memmove.VCRUNTIME140 ref: 00007FF6B32522FD
memmove.VCRUNTIME140 ref: 00007FF6B3252313
memmove.VCRUNTIME140 ref: 00007FF6B325233E
memmove.VCRUNTIME140 ref: 00007FF6B325237B
memmove.VCRUNTIME140 ref: 00007FF6B3252396
memmove.VCRUNTIME140 ref: 00007FF6B32523CB
memset.VCRUNTIME140 ref: 00007FF6B32523E9
memset.VCRUNTIME140 ref: 00007FF6B32527F6
OutputDebugStringW.KERNEL32 ref: 00007FF6B3252841

Part of subcall function 00007FF6B326B8D0: memset.VCRUNTIME140 ref: 00007FF6B326B91C

memset.VCRUNTIME140 ref: 00007FF6B325286F
OutputDebugStringW.KERNEL32 ref: 00007FF6B32528A8
HeapFree.KERNEL32 ref: 00007FF6B325291C

Strings

l, xrefs: 00007FF6B3252824
Padding errorpanic_abort\src\lib.rs, xrefs: 00007FF6B32528D2
a Display implementation returned an error unexpectedly, xrefs: 00007FF6B325296D
d, xrefs: 00007FF6B325288B

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memmove$memset$DebugOutputString$FreeHeap
String ID: Padding errorpanic_abort\src\lib.rs$a Display implementation returned an error unexpectedly$d$l
API String ID: 3510560538-2343619681
Opcode ID: 41839048031a02e994525cb3a55117a3c680d722307805600272efcd588ba607
Instruction ID: dedc8e6bd1fcf40f527ab9198a20f658e27e3a676cb3c942515a56f458d9e08c
Opcode Fuzzy Hash: 41839048031a02e994525cb3a55117a3c680d722307805600272efcd588ba607
Instruction Fuzzy Hash: 1012872261CBC591E6218B18E5423FAA361FFD9794F405231EFCDA2A99EF7CD245C740

Function 00007FF6B3269D70 Relevance: 27.4, APIs: 18, Instructions: 427
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FF6B3269DFC
HeapFree.KERNEL32 ref: 00007FF6B3269E11
memset.VCRUNTIME140 ref: 00007FF6B3269E7B
FindNextFileW.KERNELBASE ref: 00007FF6B3269E86
memmove.VCRUNTIME140 ref: 00007FF6B3269F47
memmove.VCRUNTIME140 ref: 00007FF6B3269FDB

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeapmemmove$FileFindNextmemset
String ID:
API String ID: 2993505563-0
Opcode ID: 73e5ca03f287d926c50cce0658fbfb12d1e76ff9363dfc559147fdd638cf248c
Instruction ID: ca7efa84aba0feafc2676b58bb9bbe8a68eb59a81936639350337a3279485d78
Opcode Fuzzy Hash: 73e5ca03f287d926c50cce0658fbfb12d1e76ff9363dfc559147fdd638cf248c
Instruction Fuzzy Hash: 43229F62B08AC589F7718F29D9463E923A1FF84B48F444232DF4DAB794DF39A695C340

Function 00007FF6B325C3B0 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 437
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FF6B325C456
OutputDebugStringW.KERNEL32 ref: 00007FF6B325C52C
HeapFree.KERNEL32 ref: 00007FF6B325C549
memset.VCRUNTIME140 ref: 00007FF6B325C583
memset.VCRUNTIME140 ref: 00007FF6B325C677
OutputDebugStringW.KERNEL32 ref: 00007FF6B325C6D0

Strings

LdrLoadDllSuccessfully loaded module: , xrefs: 00007FF6B325C54F
., xrefs: 00007FF6B325C6BD

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memset$DebugOutputString$FreeHeap
String ID: .$LdrLoadDllSuccessfully loaded module:
API String ID: 3592316530-2807338173
Opcode ID: 054d23b4d0b6147ab1f49bd6791a5ae085e6e3d9f8e5396f416cf7630cfd953c
Instruction ID: db7ba3cc10c40bf0a8342906f302398de3e7ba3bf55a936eb9b38b42af0309c5
Opcode Fuzzy Hash: 054d23b4d0b6147ab1f49bd6791a5ae085e6e3d9f8e5396f416cf7630cfd953c
Instruction Fuzzy Hash: 12123C62B2C7D544FB218B28E6067BAA751FB85784F415231DB8EA2B99FF7CD244C700

Function 00007FF6B3283A70 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 187
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileInformationByHandle.KERNELBASE ref: 00007FF6B3283BD0
GetFileInformationByHandleEx.KERNEL32 ref: 00007FF6B3283C0B
GetLastError.KERNEL32 ref: 00007FF6B3283C91
CloseHandle.KERNELBASE ref: 00007FF6B3283CAD
memset.VCRUNTIME140 ref: 00007FF6B3283CD5
FindFirstFileW.KERNEL32 ref: 00007FF6B3283CE0
FindClose.KERNEL32 ref: 00007FF6B3283CEF
HeapFree.KERNEL32 ref: 00007FF6B3283D86

Strings

C:\ProgramData\Microsoft\Windows Defender\PlatformNo valid Defender Platform versions found.Failed to read Defender Platform directoryDefender Platform path does not exist.MpClient.dllMpOAV.dllOne or both of the required Defender modules (MpClient.dll, MpOAV.d, xrefs: 00007FF6B3283A79

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FileHandle$CloseFindInformation$ErrorFirstFreeHeapLastmemset
String ID: C:\ProgramData\Microsoft\Windows Defender\PlatformNo valid Defender Platform versions found.Failed to read Defender Platform directoryDefender Platform path does not exist.MpClient.dllMpOAV.dllOne or both of the required Defender modules (MpClient.dll, MpOAV.d
API String ID: 3630007247-3956315604
Opcode ID: 4e8a1b2d10a225d123cbf721959aeb28e9c09cf50922a60d6ddf97f86c70f01f
Instruction ID: 77c224e9200c9b84f05009e887b28784dbd6a39b7a561d07daf59d60035d235f
Opcode Fuzzy Hash: 4e8a1b2d10a225d123cbf721959aeb28e9c09cf50922a60d6ddf97f86c70f01f
Instruction Fuzzy Hash: 83815076B04B818AE730CF69E9853ED73B1FB44798F104225CF996BB94DF78A5858340

Function 00007FF6B32583F0 Relevance: 15.3, APIs: 10, Instructions: 254
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FF6B32584A8
OutputDebugStringW.KERNEL32 ref: 00007FF6B325858C
HeapFree.KERNEL32 ref: 00007FF6B32585A6
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6B32585FB
memcmp.VCRUNTIME140 ref: 00007FF6B325864B
memset.VCRUNTIME140 ref: 00007FF6B3258704

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memset$DebugFreeHeapOutputStringmemcmpstrlen
String ID:
API String ID: 4219306441-0
Opcode ID: e389823bde405b2553d5e318f7b12db211a2a61345ee09fd1dc239043fa29a77
Instruction ID: 141f0b873f17349f37f3092c97d44b84b4465e4d7259ea952b4588d03fd2bfa6
Opcode Fuzzy Hash: e389823bde405b2553d5e318f7b12db211a2a61345ee09fd1dc239043fa29a77
Instruction Fuzzy Hash: 41C19322B18B8585EB21CF19E5467AAB7A0FB85784F414235DB8D93B5AEF7CE144CB00

Function 00007FF6B3273100 Relevance: 3.1, APIs: 2, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

BCryptGenRandom.BCRYPT(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B325DDC3), ref: 00007FF6B3273153
SystemFunction036.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B325DDC3), ref: 00007FF6B3273165

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: CryptFunction036RandomSystem
String ID:
API String ID: 1232939966-0
Opcode ID: 9d79e033ac7da55fbe28373dac1f9e455cf96f572624f6d5591a3b0ae4e418ce
Instruction ID: bf8ee614e1af583055fef2e964881b6a5d269921039232dd5ff0303207fee6e4
Opcode Fuzzy Hash: 9d79e033ac7da55fbe28373dac1f9e455cf96f572624f6d5591a3b0ae4e418ce
Instruction Fuzzy Hash: D621A632709B8195EB508B19FA41366A3A4BB44BA4F204335EF6D97BE5DF3CD841C700

Function 00007FF6B32816A0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B3280550: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B329929E,?,00007FF6B327FF42), ref: 00007FF6B3280698

HeapFree.KERNEL32 ref: 00007FF6B3281875
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,C:\ProgramData\Microsoft\Windows Defender\PlatformNo valid Defender Platform versions found.Failed to read Defender Platform directoryDefender Platform path does not exist.MpClient.dllMpOAV.dllOne or both of the required Defender modules (MpClient.dll, MpOAV.d,?), ref: 00007FF6B32818A1
GetLastError.KERNEL32 ref: 00007FF6B32818BF
GetLastError.KERNEL32 ref: 00007FF6B32818DB
CloseHandle.KERNEL32 ref: 00007FF6B32818EF
HeapFree.KERNEL32 ref: 00007FF6B3281906

Strings

C:\ProgramData\Microsoft\Windows Defender\PlatformNo valid Defender Platform versions found.Failed to read Defender Platform directoryDefender Platform path does not exist.MpClient.dllMpOAV.dllOne or both of the required Defender modules (MpClient.dll, MpOAV.d, xrefs: 00007FF6B32816A1

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap$ErrorLast$CloseHandle
String ID: C:\ProgramData\Microsoft\Windows Defender\PlatformNo valid Defender Platform versions found.Failed to read Defender Platform directoryDefender Platform path does not exist.MpClient.dllMpOAV.dllOne or both of the required Defender modules (MpClient.dll, MpOAV.d
API String ID: 4241441966-3956315604
Opcode ID: cefcb5b5c96e1bfa0a47cf439e9620a7754f982c45f8131112b6e9e0a1cfc760
Instruction ID: 4e8c038a8ebddc41fd9d78b76c2a92d5a11156d5d5e2d5705ea1fcf4d704be25
Opcode Fuzzy Hash: cefcb5b5c96e1bfa0a47cf439e9620a7754f982c45f8131112b6e9e0a1cfc760
Instruction Fuzzy Hash: C971F061F0C25656FB258B6AA7063B926A1BF48B84F044A35DF4DA3BC5DF7CF4A58300

Function 00007FF6B3252A90 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 118
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FF6B3252BB6
HeapFree.KERNEL32 ref: 00007FF6B3252BCD

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6B3252C06
KO_S, xrefs: 00007FF6B3252D42
kernel32.dllVirtualAllocEx, xrefs: 00007FF6B3252AAE
@, xrefs: 00007FF6B3252BA0
KO_S, xrefs: 00007FF6B3252E2E
KO_S, xrefs: 00007FF6B3252DDE

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: AllocFreeHeapVirtual
String ID: @$KO_S$KO_S$KO_S$called `Result::unwrap()` on an `Err` value$kernel32.dllVirtualAllocEx
API String ID: 345646332-848511136
Opcode ID: 0f4065cc1be6debeb0d7b414320f2bec4ca54b7f44859b1f7bcfcb66e0a15afd
Instruction ID: bf10745e1bd967f69190667449b35d27185e383404ae23582f4663cb69bcb403
Opcode Fuzzy Hash: 0f4065cc1be6debeb0d7b414320f2bec4ca54b7f44859b1f7bcfcb66e0a15afd
Instruction Fuzzy Hash: 6F414A62B1C79641E7258B1AB90297AAB51FB84784F044135EF4E67BE9DE3DD241C700

Function 00007FF6B3297960 Relevance: 9.1, APIs: 6, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6B3297A45
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6B3297A4A
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6B3297A52
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6B3297A5A
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6B3297A7C
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6B3297AD6

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: __p___argc__p___argv_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1089653751-0
Opcode ID: 0215f48e05ad82a86c5b183879bce28ba03f5ccec45f2958d7f0f2f728e13d42
Instruction ID: 19992f13bd126c4d4a96d6f4c4c3e29f9dacb0d1c1c9a19ca888cb438b5dc63c
Opcode Fuzzy Hash: 0215f48e05ad82a86c5b183879bce28ba03f5ccec45f2958d7f0f2f728e13d42
Instruction Fuzzy Hash: AB311829F0824385FA14AF2CD6633B91291AF45B84F886235EB4DF73D7DE3DA9448351

Function 00007FF6B3252E70 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 117
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00007FF6B3252F7C
HeapFree.KERNEL32 ref: 00007FF6B3252F92

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6B3252FC9
kernel32.dllVirtualAllocEx, xrefs: 00007FF6B3252E89
LoadLibraryA, xrefs: 00007FF6B3252F31

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeapLibraryLoad
String ID: LoadLibraryA$called `Result::unwrap()` on an `Err` value$kernel32.dllVirtualAllocEx
API String ID: 2932443226-1281825251
Opcode ID: ccb115fb11406008533b1f937926a8c8607c7383fb1e2873d1ca90bbaa75eac6
Instruction ID: 9ef3d6632d75873e80497fe80f8c33d712ba2765859a64e88e24d1d4b0b5514c
Opcode Fuzzy Hash: ccb115fb11406008533b1f937926a8c8607c7383fb1e2873d1ca90bbaa75eac6
Instruction Fuzzy Hash: 13316B22B1C6A242F6158B1DB506979AB50BF85790F414231EF4EA2BE9DF3DD201C700

Function 00007FF6B32521A0 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00007FF6B32521A4
GetLastError.KERNEL32 ref: 00007FF6B32521B7

Strings

KO_S, xrefs: 00007FF6B32521CD

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID: KO_S
API String ID: 918212764-3654716168
Opcode ID: eff81f20dafe75383aa25dd4bfaf4f4de9740d88f376226847d92467dbcefce0
Instruction ID: 97585b06316fac3881528c075b8a69641cf72377b573aced3e106e20b2cf48c4
Opcode Fuzzy Hash: eff81f20dafe75383aa25dd4bfaf4f4de9740d88f376226847d92467dbcefce0
Instruction Fuzzy Hash: 27D05E2DF0670383EB0CA73E1DB327A10D02F88A01FC0013EDA0BC1251ED2CC9550614

Function 00007FF6B3252990 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FF6B32529AC
OutputDebugStringW.KERNEL32 ref: 00007FF6B3252A76

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: DebugOutputStringmemset
String ID:
API String ID: 1084755268-0
Opcode ID: 5fd0b6d7b5296ddcbbe80992f5240d8299e511567c437ad367ea059e068d3b59
Instruction ID: 98733ce32bdda27153e182b37718be03e28de5281f36262afdf4171150f79907
Opcode Fuzzy Hash: 5fd0b6d7b5296ddcbbe80992f5240d8299e511567c437ad367ea059e068d3b59
Instruction Fuzzy Hash: F8210712F1979541EB208728E2157B95221DB96BD0F619331DB4EA2F9AEF2CD3858704

Function 00007FF6B3283830 Relevance: 2.6, APIs: 2, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B3283A70: memset.VCRUNTIME140 ref: 00007FF6B3283CD5
Part of subcall function 00007FF6B3283A70: FindFirstFileW.KERNEL32 ref: 00007FF6B3283CE0
Part of subcall function 00007FF6B3283A70: FindClose.KERNEL32 ref: 00007FF6B3283CEF
Part of subcall function 00007FF6B3283A70: HeapFree.KERNEL32 ref: 00007FF6B3283D86

HeapFree.KERNEL32 ref: 00007FF6B328390D
HeapFree.KERNEL32 ref: 00007FF6B3283920

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap$Find$CloseFileFirstmemset
String ID:
API String ID: 2317575439-0
Opcode ID: 38e8540ba571c1abcbeda11fcce5213aae6636239dfca8e7adb032cfaf30fc0b
Instruction ID: d0d2c9720017b47b825425bf5031d371ba4f988044bf0b1038679f7930b138d0
Opcode Fuzzy Hash: 38e8540ba571c1abcbeda11fcce5213aae6636239dfca8e7adb032cfaf30fc0b
Instruction Fuzzy Hash: AE514026E18B818AE720CF39DA413AD6760FB98758F059225DF9D62B55DF38E1C5C300

Non-executed Functions

Function 00007FF6B3284D40 Relevance: 181.5, APIs: 93, Strings: 9, Instructions: 3011memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,00000000,0000000A,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B328D432,00000001,?,?,00000000,0000000A,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3286AA1), ref: 00007FF6B3284E3C
HeapFree.KERNEL32(?,00000000,0000000A,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B328D432,00000001,?,?,00000000,0000000A,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3286AA1), ref: 00007FF6B3284F34
HeapFree.KERNEL32(?,00000000,0000000A,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B328D432,00000001,?,?,00000000,0000000A,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3286AA1), ref: 00007FF6B3285062
HeapFree.KERNEL32(?,00000000,0000000A,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B328D432,00000001,?,?,00000000,0000000A,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3286AA1), ref: 00007FF6B328508F
GetEnvironmentStringsW.KERNEL32 ref: 00007FF6B3285157

Strings

-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac, xrefs: 00007FF6B3284D41, 00007FF6B32850B6, 00007FF6B32850D1
.exeprogram not found, xrefs: 00007FF6B3285FDA
\?\\, xrefs: 00007FF6B3285E17
assertion failed: self.height > 0, xrefs: 00007FF6B32889B1
]?\\, xrefs: 00007FF6B3285E1F
-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct, xrefs: 00007FF6B32850D7
assertion failed: is_code_point_boundary(self, new_len), xrefs: 00007FF6B328685F, 00007FF6B3286967
PATHstd\src\sys_common\process.rs, xrefs: 00007FF6B3287CD6
-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe , xrefs: 00007FF6B32850D3

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap$EnvironmentStrings
String ID: -Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac$-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct$-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe $.exeprogram not found$PATHstd\src\sys_common\process.rs$\?\\$]?\\$assertion failed: is_code_point_boundary(self, new_len)$assertion failed: self.height > 0
API String ID: 2767186067-543456789
Opcode ID: f978a7e04e0595aae90ef8e11fed2de98dd1bdbe66447d85d2403bb8c85de68a
Instruction ID: 5e0b0000cbd1b81604053aed705ee1bedaae5ef464b078e5c778c648279d62ee
Opcode Fuzzy Hash: f978a7e04e0595aae90ef8e11fed2de98dd1bdbe66447d85d2403bb8c85de68a
Instruction Fuzzy Hash: 0A637066B18AD289EB708F29DD463F923A0FF44B99F444136CB5DABB95DF389244C300

Function 00007FF6B3292A90 Relevance: 102.3, APIs: 44, Strings: 14, Instructions: 826memorylibraryloaderCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF6B3292BA8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6B3292BB4
GetLastError.KERNEL32 ref: 00007FF6B3292BC0
GetLastError.KERNEL32 ref: 00007FF6B3292BDA
HeapFree.KERNEL32 ref: 00007FF6B3292C5B
GetLastError.KERNEL32 ref: 00007FF6B3292C7C
HeapFree.KERNEL32 ref: 00007FF6B3292CA2
HeapFree.KERNEL32 ref: 00007FF6B3292D1B
HeapFree.KERNEL32 ref: 00007FF6B3292D31
memset.VCRUNTIME140(?), ref: 00007FF6B3292DFD
RtlCaptureContext.KERNEL32(?), ref: 00007FF6B3292E05
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6B3292E2A
WaitForSingleObjectEx.KERNEL32 ref: 00007FF6B3292F58
LoadLibraryA.KERNEL32 ref: 00007FF6B3292F71
GetProcAddress.KERNEL32 ref: 00007FF6B3292FB1

Strings

note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...], xrefs: 00007FF6B32939AE
EnumerateLoadedModulesW64, xrefs: 00007FF6B3293338
SymGetLineFromInlineContextW, xrefs: 00007FF6B32934A1
SymGetOptions, xrefs: 00007FF6B3292FAA
SymAddrIncludeInlineTrace, xrefs: 00007FF6B3293506
SymSetSearchPathW, xrefs: 00007FF6B32933BA
dbghelp.dll, xrefs: 00007FF6B3292F6A
SymQueryInlineTrace, xrefs: 00007FF6B3293539
SymSetOptions, xrefs: 00007FF6B3292FE3
SymGetSearchPathW, xrefs: 00007FF6B32930E9
stack backtrace:, xrefs: 00007FF6B3292D6F
SymFromInlineContextW, xrefs: 00007FF6B3293467
assertion failed: len >= 0, xrefs: 00007FF6B3293A64
SymInitializeW, xrefs: 00007FF6B329301A

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: ErrorFreeHeapLast$AddressCaptureContextCurrentDirectoryEntryFunctionLibraryLoadLookupObjectProcSingleWaitmemset
String ID: EnumerateLoadedModulesW64$SymAddrIncludeInlineTrace$SymFromInlineContextW$SymGetLineFromInlineContextW$SymGetOptions$SymGetSearchPathW$SymInitializeW$SymQueryInlineTrace$SymSetOptions$SymSetSearchPathW$assertion failed: len >= 0$dbghelp.dll$note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...]$stack backtrace:
API String ID: 914564095-3821163066
Opcode ID: 5e6e6d3852320d46eb42f78ed0d08fc31ca6206378f1530506b02126da95cfc2
Instruction ID: 5f83e0a496a91eb23fb092f06af30f476eb9470ba73ea1839f253b45dd3929cb
Opcode Fuzzy Hash: 5e6e6d3852320d46eb42f78ed0d08fc31ca6206378f1530506b02126da95cfc2
Instruction Fuzzy Hash: 4D924F35B09BC199EB318F29ED463E923A0FB48B98F040235DB4DAB7A5DF399645C340

Function 00007FF6B32651A0 Relevance: 38.3, APIs: 23, Strings: 2, Instructions: 828memoryCOMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF6B3265240
HeapFree.KERNEL32 ref: 00007FF6B32652C5

Strings

assertion failed: edge.height == self.height - 1, xrefs: 00007FF6B32661E6
assertion failed: edge.height == self.node.height - 1, xrefs: 00007FF6B326619F

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeapmemcmp
String ID: assertion failed: edge.height == self.height - 1$assertion failed: edge.height == self.node.height - 1
API String ID: 2929263700-554432098
Opcode ID: 62033d92b08aa74efdc786a67b73630a5d9dc7658e6334c9caeeaa658f8ffb0b
Instruction ID: 5b901b4681747e84e06e0e9ee06e2cc84618acfdfc77a4caf7a89fff0f10c872
Opcode Fuzzy Hash: 62033d92b08aa74efdc786a67b73630a5d9dc7658e6334c9caeeaa658f8ffb0b
Instruction Fuzzy Hash: D1A29E22A08BC581EB218F28E5463E9B374FF98758F449325DB9D577A5EF38E295C300

Function 00007FF6B328C190 Relevance: 36.6, APIs: 24, Instructions: 568COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF6B32900A0
GetFullPathNameW.KERNEL32 ref: 00007FF6B32900B6
GetLastError.KERNEL32 ref: 00007FF6B32900C2
GetLastError.KERNEL32 ref: 00007FF6B32900DC

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID:
API String ID: 2482867836-0
Opcode ID: 11fb09efb1bbff8c811b7ac656f5dc3cae9260b7df149f493a4e14bb923b95cc
Instruction ID: a40e8b6ab5844cea42ed48586daad073cec34f6f057f4a13a8f4008ea8180dfb
Opcode Fuzzy Hash: 11fb09efb1bbff8c811b7ac656f5dc3cae9260b7df149f493a4e14bb923b95cc
Instruction Fuzzy Hash: 3D42A062B08BC686E7658F29DD463E92364FB44B98F448235DF1CAB796CF7C9285C300

Function 00007FF6B3281D30 Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 424COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF6B3281F04
GetFullPathNameW.KERNEL32 ref: 00007FF6B3281F21
GetLastError.KERNEL32 ref: 00007FF6B3281F2D
GetLastError.KERNEL32 ref: 00007FF6B3281F47

Strings

\\?\\\?\UNC\, xrefs: 00007FF6B3282069
C:\ProgramData\Microsoft\Windows Defender\PlatformNo valid Defender Platform versions found.Failed to read Defender Platform directoryDefender Platform path does not exist.MpClient.dllMpOAV.dllOne or both of the required Defender modules (MpClient.dll, MpOAV.d, xrefs: 00007FF6B3281D31

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID: C:\ProgramData\Microsoft\Windows Defender\PlatformNo valid Defender Platform versions found.Failed to read Defender Platform directoryDefender Platform path does not exist.MpClient.dllMpOAV.dllOne or both of the required Defender modules (MpClient.dll, MpOAV.d$\\?\\\?\UNC\
API String ID: 2482867836-3069012770
Opcode ID: 9cc2b39c59a3f6c2e62481a4753102996afeb163eab45e648855f9e5c6e30f55
Instruction ID: 0b2cfb438c188ff7df2c39e60c39191f923f36a5eefb685df3389130cf67e6df
Opcode Fuzzy Hash: 9cc2b39c59a3f6c2e62481a4753102996afeb163eab45e648855f9e5c6e30f55
Instruction Fuzzy Hash: FD029062B0879685EB708F69DA463B923A4FF14B98F448132DB5DA77D4CF78E681C300

Function 00007FF6B3251620 Relevance: 21.7, APIs: 17, Instructions: 476memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6B3251646
HeapFree.KERNEL32 ref: 00007FF6B325168C
HeapFree.KERNEL32 ref: 00007FF6B32516A5

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f278e9c2044bb250a14bc00e20e76fe7fe070117f7d29a739d0c28a03c214796
Instruction ID: 62230a8ebddb2dabdb27bac2c92a36c77a34aca29125e361005b7d7f588503d6
Opcode Fuzzy Hash: f278e9c2044bb250a14bc00e20e76fe7fe070117f7d29a739d0c28a03c214796
Instruction Fuzzy Hash: 38028D25B1964682EE558B1EA6663B92750BF49FE4F460232CF1EE73D8DE3CF6418304

Function 00007FF6B327FF10 Relevance: 19.7, APIs: 13, Instructions: 244memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B3280550: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B329929E,?,00007FF6B327FF42), ref: 00007FF6B3280698

HeapFree.KERNEL32 ref: 00007FF6B327FFBB
HeapFree.KERNEL32 ref: 00007FF6B327FFD1
SetLastError.KERNEL32 ref: 00007FF6B32800D9
GetEnvironmentVariableW.KERNEL32 ref: 00007FF6B32800EC
GetLastError.KERNEL32 ref: 00007FF6B32800F8
GetLastError.KERNEL32 ref: 00007FF6B3280112
HeapFree.KERNEL32 ref: 00007FF6B3280193
HeapFree.KERNEL32 ref: 00007FF6B328029E

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap$ErrorLast$EnvironmentVariable
String ID:
API String ID: 4066227703-0
Opcode ID: 944232158f3fe1def3f9f36170dc35c17423085ad34aa9eec328298fe0dfe3c0
Instruction ID: ac5f6931d3a40844cc531ed2f68b801d192187019f32449094235c268f2c5eb5
Opcode Fuzzy Hash: 944232158f3fe1def3f9f36170dc35c17423085ad34aa9eec328298fe0dfe3c0
Instruction Fuzzy Hash: 54B18D66B04BC695E7648F2ADD463E92360FB88B98F008236DF1CA7795CF78D285C304

Function 00007FF6B328E740 Relevance: 18.5, APIs: 12, Instructions: 478memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF6B328E7B0
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FF6B328E7DC
HeapFree.KERNEL32 ref: 00007FF6B328E895

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: Process$CurrentFreeHeapPrng
String ID:
API String ID: 2687294623-0
Opcode ID: e5eb912e600e3de9f0c4f973737d3a8ee0cbe9e38530d6e7bac4a16da6beb292
Instruction ID: 3442dfee18ce9a4f1029868f247c71f67ae71e7d2b9256a5a248793643ff4d24
Opcode Fuzzy Hash: e5eb912e600e3de9f0c4f973737d3a8ee0cbe9e38530d6e7bac4a16da6beb292
Instruction Fuzzy Hash: 1022BD62B08A8189E7648F2DD9463A937A0FF49BA8F144635EBAE977D5DF38D144C300

Function 00007FF6B3295700 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 467COMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF6B3295B2E

Strings

main, xrefs: 00007FF6B3295CA3
full, xrefs: 00007FF6B3295C02
Box<dyn Any>aborting due to panic at , xrefs: 00007FF6B3295BAE
<unnamed>, xrefs: 00007FF6B32959F9, 00007FF6B3295BDA
RUST_BACKTRACEentity not foundpermission deniedconnection refusedconnection resethost unreachablenetwork unreachableconnection abortednot connectedaddress in useaddress not availablenetwork downbroken pipeentity already existsoperation would blocknot a directo, xrefs: 00007FF6B3295936

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: AddressSingleWake
String ID: <unnamed>$Box<dyn Any>aborting due to panic at $RUST_BACKTRACEentity not foundpermission deniedconnection refusedconnection resethost unreachablenetwork unreachableconnection abortednot connectedaddress in useaddress not availablenetwork downbroken pipeentity already existsoperation would blocknot a directo$full$main
API String ID: 3114109732-636500360
Opcode ID: 7decfb2134953eae2d7044aaa57751ff457841e7ac1c5eb7e7e1c4a3fd8e0b26
Instruction ID: b835a70e050293c6714af6c8c310dad1949666d2acf4f7a1d206fc136b3125f2
Opcode Fuzzy Hash: 7decfb2134953eae2d7044aaa57751ff457841e7ac1c5eb7e7e1c4a3fd8e0b26
Instruction Fuzzy Hash: C8326B22B09A428AFB10CF29D9963B837A0FB44B58F244636DB4DA77A5DF3DE545C340

Function 00007FF6B327CF80 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 372windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6B327CFC8
GetModuleHandleW.KERNEL32 ref: 00007FF6B327CFE1
FormatMessageW.KERNEL32 ref: 00007FF6B327D028

Strings

NTDLL.DLL, xrefs: 00007FF6B327CFDA
assertion failed: self.is_char_boundary(new_len)/rustc/100fde5246bf56f22fb5cc85374dd841296fce0e\library\alloc\src\string.rs, xrefs: 00007FF6B327D54E

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FormatHandleMessageModulememset
String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/100fde5246bf56f22fb5cc85374dd841296fce0e\library\alloc\src\string.rs
API String ID: 2302251862-173729731
Opcode ID: 151ac4e671bd1ecfa84e3858da7fc1e35fb7d4d0cc29013ce92d359b2c317ab3
Instruction ID: c558126f2e9cce2acd73ceedcc887c8cc817e7a1e0cfd528a9fe8baf541dd5f9
Opcode Fuzzy Hash: 151ac4e671bd1ecfa84e3858da7fc1e35fb7d4d0cc29013ce92d359b2c317ab3
Instruction Fuzzy Hash: 86F1B136B0A6C2C9E7318F28DA067FD27A1FB44798F444136DB4D9AAC9DF789649D300

Function 00007FF6B327B900 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 345COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF6B327B986
WriteConsoleW.KERNEL32 ref: 00007FF6B327B9C6
WriteConsoleW.KERNEL32 ref: 00007FF6B327BA2E
GetLastError.KERNEL32 ref: 00007FF6B327BA38
GetLastError.KERNEL32 ref: 00007FF6B327BAAE

Strings

}0x, xrefs: 00007FF6B327BE63
00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899core\src\fmt\mod.rs, xrefs: 00007FF6B327BBA5
Utf8Errorvalid_up_toerror_lenNoneSomeTryFromIntError:, xrefs: 00007FF6B327BDD2

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: ConsoleErrorLastWrite$ByteCharMultiWide
String ID: }0x$00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899core\src\fmt\mod.rs$Utf8Errorvalid_up_toerror_lenNoneSomeTryFromIntError:
API String ID: 1956605914-143158241
Opcode ID: fbb86f203d10412ed67521f3e58d94a261d6486701979abc5f467866046ff1ec
Instruction ID: b7b2f4ec1eef818521b0f2bd11f45b680a72f170160c408927342af725ef2c28
Opcode Fuzzy Hash: fbb86f203d10412ed67521f3e58d94a261d6486701979abc5f467866046ff1ec
Instruction Fuzzy Hash: B6E10076B0869686EB248B29D6063F92761FB54BA4F404231DF5DA7BE8DF3CDA45C300

Function 00007FF6B327B520 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 245filenativesynchronizationCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF6B327B550
GetLastError.KERNEL32 ref: 00007FF6B327B569
GetConsoleMode.KERNEL32 ref: 00007FF6B327B5AC
NtWriteFile.NTDLL ref: 00007FF6B327B64C
WaitForSingleObject.KERNEL32 ref: 00007FF6B327B661
RtlNtStatusToDosError.NTDLL ref: 00007FF6B327B6EF
CloseHandle.KERNEL32 ref: 00007FF6B327B8EA

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6B327B86A

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: ErrorHandle$CloseConsoleFileLastModeObjectSingleStatusWaitWrite
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3090192319-2333694755
Opcode ID: f390687a06795bd9b8eb311e96a0844a9eedd5fc2ac20ab72b4c979a9aa3c5d9
Instruction ID: 3bf302a625c3fb4845b83633ca117c5325c6b52302ee223d6a36c22f91ee437f
Opcode Fuzzy Hash: f390687a06795bd9b8eb311e96a0844a9eedd5fc2ac20ab72b4c979a9aa3c5d9
Instruction Fuzzy Hash: 21B1C326B08692D9FB10CF28DA423F92761FB48798F444631EB5DA2AD5EF3CD585C340

Function 00007FF6B3267800 Relevance: 14.2, APIs: 6, Strings: 3, Instructions: 672COMMON

Download Yara Rule

Strings

-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac, xrefs: 00007FF6B3267800
-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct, xrefs: 00007FF6B3267806
-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe , xrefs: 00007FF6B3267802

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID: -Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac$-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct$-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe
API String ID: 0-435359000
Opcode ID: abfde995bc0a0cbca60103fab9842ba87dfa1b3407d067a39049b2f1dce5c1e2
Instruction ID: 506ed7dac8a23d172d7a59563ccc166aa0bb47abcab090e342e7010d604584b7
Opcode Fuzzy Hash: abfde995bc0a0cbca60103fab9842ba87dfa1b3407d067a39049b2f1dce5c1e2
Instruction Fuzzy Hash: 5F52B262B0DBC581EA608B19F6523BAA391FF89B90F544135DB8DA7B99DF7CE044C700

Function 00007FF6B3262C30 Relevance: 14.2, APIs: 8, Strings: 1, Instructions: 668COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF6B3262D75
memcmp.VCRUNTIME140 ref: 00007FF6B3262DF3
memcmp.VCRUNTIME140 ref: 00007FF6B32641CE
memcmp.VCRUNTIME140 ref: 00007FF6B3264257

Part of subcall function 00007FF6B3264770: memcmp.VCRUNTIME140 ref: 00007FF6B32647C5
Part of subcall function 00007FF6B3264770: memcmp.VCRUNTIME140 ref: 00007FF6B3264825
Part of subcall function 00007FF6B3264770: memcmp.VCRUNTIME140 ref: 00007FF6B32648E5

Part of subcall function 00007FF6B3264770: memcmp.VCRUNTIME140 ref: 00007FF6B3264943
Part of subcall function 00007FF6B3264770: memcmp.VCRUNTIME140 ref: 00007FF6B32649DC

Strings

, xrefs: 00007FF6B3264152

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-3916222277
Opcode ID: 7a8c0a00b423a5a0fdf549e168dc550eceb62a484a97628cf3cbc473c359e259
Instruction ID: 831cb8232b38519bde74701ab717073588053a70bad9b5dd9e2cb83dab4a3e71
Opcode Fuzzy Hash: 7a8c0a00b423a5a0fdf549e168dc550eceb62a484a97628cf3cbc473c359e259
Instruction Fuzzy Hash: 8A52D962F08BD582DA118F19A6062BAA760FF99BD4F059231DF9D67796DF3CE184C300

Function 00007FF6B328DFC0 Relevance: 13.8, APIs: 9, Instructions: 263memorythreadCOMMON

Download Yara Rule

APIs

InitializeProcThreadAttributeList.KERNEL32(?,?,?,?,?,?,?,?,00000006,?,?,?,?,00000400,00007FF6B328849F), ref: 00007FF6B328E01E
HeapReAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000006,?,?,?,?,00000400,00007FF6B328849F), ref: 00007FF6B328E08A
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6B328E3BB

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: Heap$AllocAttributeFreeInitializeListProcThread
String ID:
API String ID: 512342461-0
Opcode ID: 69e124b2cfb2ec894d4a1f1dead9b06918bd4f3f43be0820746e83a74dcd2425
Instruction ID: 0a3f25e63bb1ce24e69fa797749fc05df0ff372e23535023197e4891d87f3792
Opcode Fuzzy Hash: 69e124b2cfb2ec894d4a1f1dead9b06918bd4f3f43be0820746e83a74dcd2425
Instruction Fuzzy Hash: 97A1D036B18A5681FA148F2E9A067BA67A0FF49FA4F544631DF2DA73D4DE3CE4458300

Function 00007FF6B3297E60 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6B3297E7C
memset.VCRUNTIME140 ref: 00007FF6B3297EA0
RtlCaptureContext.KERNEL32 ref: 00007FF6B3297EA9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6B3297EC3
RtlVirtualUnwind.KERNEL32 ref: 00007FF6B3297F04
memset.VCRUNTIME140 ref: 00007FF6B3297F37
IsDebuggerPresent.KERNEL32 ref: 00007FF6B3297F58
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6B3297F75
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6B3297F80

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: cecece8a31eaf7c704082b0d9bb7dc46f34a76898306f41ce206f46dabe67732
Instruction ID: 0e9932f32a8b624f76d2271293ec26653b6f8c63bdb8638214c227bce0cf6cf7
Opcode Fuzzy Hash: cecece8a31eaf7c704082b0d9bb7dc46f34a76898306f41ce206f46dabe67732
Instruction Fuzzy Hash: 59315076B09B818AEB608F68E8413ED7360FB88704F44413ADB4DA7B96EF78D548C714

Function 00007FF6B328C450 Relevance: 8.2, APIs: 3, Strings: 2, Instructions: 681memoryCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6B328C6F9
HeapFree.KERNEL32 ref: 00007FF6B328CDF9
HeapFree.KERNEL32 ref: 00007FF6B328CEA5

Strings

#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid, xrefs: 00007FF6B328C9C0
\cmd.exemaximum number of ProcThreadAttributes exceeded, xrefs: 00007FF6B328C459, 00007FF6B328CE7E

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap$memmove
String ID: #$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid$\cmd.exemaximum number of ProcThreadAttributes exceeded
API String ID: 2650465384-33260680
Opcode ID: ddd2f9454c24bf918565808cb94ecca77211bff6f734973e98423ecf072c850c
Instruction ID: 1e9d220bf03a036800226d4f731d6154da175b3898c767be97350457965b91be
Opcode Fuzzy Hash: ddd2f9454c24bf918565808cb94ecca77211bff6f734973e98423ecf072c850c
Instruction Fuzzy Hash: 8942FF62F2867184FB258B68EA127BCABA0BF54798F444532DF1EA2BD5CF7C9541D300

Function 00007FF6B3266890 Relevance: 6.7, APIs: 5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 430542ddff070ce3d1ae89e2e0a6d3febbb59dc0f454ec07f872afee2fab9290
Instruction ID: 896e6957708640fd68ede4446c77aec9c277f8d8355643ae25a6b36e7ccb5cbd
Opcode Fuzzy Hash: 430542ddff070ce3d1ae89e2e0a6d3febbb59dc0f454ec07f872afee2fab9290
Instruction Fuzzy Hash: 7012C562B18BC582EA60CB19A6163BAA761FF86BD0F144136DF8DA7789DF3CD041C700

Function 00007FF6B32662C0 Relevance: 6.5, APIs: 5, Instructions: 274memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00007FFC07365570,?,?,00000000,00000000,?,00000001,?), ref: 00007FF6B3266484
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00007FFC07365570,?,?,00000000,00000000,?,00000001,?), ref: 00007FF6B326663C

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: eb42a776e8a753bf2aa14174a6b5e9ac373ebc23b56478987f980b95bf9498b7
Instruction ID: 6c32681bed3e10a76084849ab581c653d6427f61d4826c352a5f8ea4a1caf94c
Opcode Fuzzy Hash: eb42a776e8a753bf2aa14174a6b5e9ac373ebc23b56478987f980b95bf9498b7
Instruction Fuzzy Hash: 0FB1C462B09A4592EE64CB1AE7463BA67A0FF86B94F144235CF5D937E4DF3CE0508340

Function 00007FF6B328CF30 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac, xrefs: 00007FF6B328D411

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID: -Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac
API String ID: 0-2142436962
Opcode ID: 855d193695e295014bd20c2e8aff36f7c404687347b1311961285078a9a53d54
Instruction ID: 0a1a08cddf3bb1892aa248fc1fb0d8e4a33795f78e04025a2c71b7907594ecb4
Opcode Fuzzy Hash: 855d193695e295014bd20c2e8aff36f7c404687347b1311961285078a9a53d54
Instruction Fuzzy Hash: 4FE13362B18A5281FB258B29D60237E67A1FF50B98F445632CF5EA77D5CF3CE48D8210

Function 00007FF6B3297D38 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6B3297D64
GetCurrentThreadId.KERNEL32 ref: 00007FF6B3297D72
GetCurrentProcessId.KERNEL32 ref: 00007FF6B3297D7E
QueryPerformanceCounter.KERNEL32 ref: 00007FF6B3297D8E

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 7000aaa62cbf58ad58c0e4df5132d70c17566eb3fcd23c5d153b70769dc9ce04
Instruction ID: 8a64d596e767f43a0d7b22bf851322a7c8fb2432aabd193ebcfe588d3ec5cdfe
Opcode Fuzzy Hash: 7000aaa62cbf58ad58c0e4df5132d70c17566eb3fcd23c5d153b70769dc9ce04
Instruction Fuzzy Hash: 95113C26B18F058AEB00CF74E9562B933A4FB19B58F440E31DB6DD67A4EF78D1548380

Function 00007FF6B3283EA0 Relevance: 5.2, APIs: 4, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6B32841B0
HeapFree.KERNEL32 ref: 00007FF6B32841C3

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f9e0a78af9e70a4c2346efebde548fe8033f3f41b11d169fe93150105e32ddbd
Instruction ID: 090b9691bbe7da84abdd4d0055987cb90865756e3cc9128191ae34c525ad20d5
Opcode Fuzzy Hash: f9e0a78af9e70a4c2346efebde548fe8033f3f41b11d169fe93150105e32ddbd
Instruction Fuzzy Hash: BE81C226F09B4286FB04CB5A9A023B96761FF54B94F548635DF1DA3795DF3CA582C300

Function 00007FF6B3273220 Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

}0x, xrefs: 00007FF6B3273644
ParseIntError, xrefs: 00007FF6B32735DA

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID: }0x$ParseIntError
API String ID: 0-2419948930
Opcode ID: d5fc10647b37f3f7d850e46846ac79e8341bcd3ac072d55a0113995e51f249d8
Instruction ID: 1057f716b89a0530baeda335ea715d27299b92edb7b442c6cda6f1258358fe56
Opcode Fuzzy Hash: d5fc10647b37f3f7d850e46846ac79e8341bcd3ac072d55a0113995e51f249d8
Instruction Fuzzy Hash: F9B1B162B18A95D5E721CF64D5025EC2BA0FB09B94F494536DF9DA3B84CF38D985C380

Function 00007FF6B3294060 Relevance: 4.2, APIs: 3, Instructions: 491COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,?,?,?,?,00000000,?,00000000,?,?,?,00000140,00007FF6B3293FD5), ref: 00007FF6B3294119
memcmp.VCRUNTIME140(?,?,?,?,?,00000000,?,00000000,?,?,?,00000140,00007FF6B3293FD5), ref: 00007FF6B3294142
memcmp.VCRUNTIME140(?,?,?,?,?,00000000,?,00000000,?,?,?,00000140,00007FF6B3293FD5), ref: 00007FF6B3294165

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 3d7d886d1f401d97bdc11b1f12906cdc75b8c1ffbfa5c8b1ea5242bc07df4c66
Instruction ID: b460229df1a3b567ae9687008ac95a032a315a9290a6db1f51f5e0f53daec2f4
Opcode Fuzzy Hash: 3d7d886d1f401d97bdc11b1f12906cdc75b8c1ffbfa5c8b1ea5242bc07df4c66
Instruction Fuzzy Hash: E812E462F18A9645FB11CF79C502AF82750BB19B98F844736EF8DB6686EF78D185C300

Function 00007FF6B329A720 Relevance: 4.1, Strings: 3, Instructions: 373COMMON

Download Yara Rule

Strings

Authenti, xrefs: 00007FF6B329ABD3
HygonGen, xrefs: 00007FF6B329ABF2
GenuineI, xrefs: 00007FF6B329AC33

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID: Authenti$GenuineI$HygonGen
API String ID: 0-696657513
Opcode ID: 9911b54616b2554508ed1a2d09cc25713aaaf1104d54c7b2a5940d8749d77fb2
Instruction ID: 64381411687cd4521c58535ec97fcceb88fd1eef08c31d10d0deca45d3c55504
Opcode Fuzzy Hash: 9911b54616b2554508ed1a2d09cc25713aaaf1104d54c7b2a5940d8749d77fb2
Instruction Fuzzy Hash: 14B18CA3B35A6003FB198A55AE27BB54992B354BD8F04653DEE1FA7FC5CD7CCA108240

Function 00007FF6B32742F0 Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 404COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6B327431D

Strings

punycode{-0, xrefs: 00007FF6B327483F

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memset
String ID: punycode{-0
API String ID: 2221118986-3751456247
Opcode ID: 6265388bace50724817ddf06862ff0d07df914af5ffe4793f524424d66ed0d68
Instruction ID: 0433ceb7aa4abdde54b4aafad813a0c0717d02c9a57d86018d9b137142ee3858
Opcode Fuzzy Hash: 6265388bace50724817ddf06862ff0d07df914af5ffe4793f524424d66ed0d68
Instruction Fuzzy Hash: A7E1E662F596C986EF648B29EA057F93692BB49BD4F008232CF1D57BC4DF3CA9458300

Function 00007FF6B326B5B0 Relevance: 3.2, APIs: 2, Instructions: 670COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6B326B91C
memmove.VCRUNTIME140 ref: 00007FF6B326C1D0

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: 51cd3c2e82aa8e9578b83a77fdee3a8a4b73f362bb48c0b9b6e204234f816601
Instruction ID: 42d2121d95f9419f329bfb1ece15f2b528d732f105aafe953421c3ac201d1bb5
Opcode Fuzzy Hash: 51cd3c2e82aa8e9578b83a77fdee3a8a4b73f362bb48c0b9b6e204234f816601
Instruction Fuzzy Hash: A24298A6E28FD941F612973964037E79710EFE6788F11E327EEC932F46DF28A1419240

Function 00007FF6B32984E0 Relevance: 3.1, APIs: 2, Instructions: 591COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6B3298677
memmove.VCRUNTIME140 ref: 00007FF6B32988F4

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: 09591727fbd26f8a1fc8b663805a626c3d195fbbbd5a1c6b1b4139d272884b43
Instruction ID: a6f49f8ef83999c3044ca0a12795f76a2a6e954531e3428df56cead81dee153f
Opcode Fuzzy Hash: 09591727fbd26f8a1fc8b663805a626c3d195fbbbd5a1c6b1b4139d272884b43
Instruction Fuzzy Hash: 03225462B19B8542EF148F2DA5122BA6751BB95BE4F448335DF6EA37D6EF3CE1018300

Function 00007FF6B32678B6 Relevance: 2.9, APIs: 2, Instructions: 375memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6B3268303

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4d60d1c4c814bc7bd0d2c582f5c526bad3f19439ee714bac6e312eaa1944efe7
Instruction ID: e2665ce6c84bb1085f03d8da131dba2eca19d50ba13bf0b109916851f9f8f579
Opcode Fuzzy Hash: 4d60d1c4c814bc7bd0d2c582f5c526bad3f19439ee714bac6e312eaa1944efe7
Instruction Fuzzy Hash: 4CF1A062B0CAC581E6208B19F6463BAB7A1FF89B94F144135DB8DA7799DF7CE184C700

Function 00007FF6B326ADE0 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

UUUUUUUU, xrefs: 00007FF6B326B09E
33333333, xrefs: 00007FF6B326B0FD

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID: 33333333$UUUUUUUU
API String ID: 0-3483174168
Opcode ID: cff9d24c3fc3692150ad18937845d9fa878edfc3b39f359c130e8016678a4c49
Instruction ID: 3a81f71bb059842e67eaceedc94535e03550869ade922beb697c2acde78d5c9a
Opcode Fuzzy Hash: cff9d24c3fc3692150ad18937845d9fa878edfc3b39f359c130e8016678a4c49
Instruction Fuzzy Hash: 0591E843B681F003F7624B7D1D66566EFA25545BD370DF152EEE423A86C038CC2AE3A5

Function 00007FF6B326C210 Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

UUUUUUUU, xrefs: 00007FF6B326C245
33333333, xrefs: 00007FF6B326C2A8

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID: 33333333$UUUUUUUU
API String ID: 0-3483174168
Opcode ID: 14b31b35ad291ddad897dd1f2a0e82a6c76d055b51b98b879fc08f69398a6c0a
Instruction ID: 0f8bec32a5713e29220c994287e2471ec9503f957c585ffdc4d845ef937708d5
Opcode Fuzzy Hash: 14b31b35ad291ddad897dd1f2a0e82a6c76d055b51b98b879fc08f69398a6c0a
Instruction Fuzzy Hash: 6691DA4375A3D48FAB52CB7E194498A6E90E12AFC835CF069CE8D27322D436D557C392

Function 00007FF6B327E5A0 Relevance: 2.7, APIs: 2, Instructions: 240memoryCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00007FF6B327E65B
HeapFree.KERNEL32 ref: 00007FF6B327E93C

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeapmemmove
String ID:
API String ID: 913535592-0
Opcode ID: d10cdee3619787cea15e6549b60dd5013c0eb0e2719da2eea254b61cb837d88e
Instruction ID: 3e4d88334d79a224342053d13e2e0407172198a56b9620afdc6bb06c7f7176cd
Opcode Fuzzy Hash: d10cdee3619787cea15e6549b60dd5013c0eb0e2719da2eea254b61cb837d88e
Instruction Fuzzy Hash: A4912622F08691C9F7118B6D9A063BE2B60BB1479CF044A34DF89A67D5DF7C9585C311

Function 00007FF6B32972D0 Relevance: 1.7, APIs: 1, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8297210cba004a8d2e07849ea0a4831168f530548283382b70ef12d88847f7
Instruction ID: ebb063bed00cce20c40af09e2b9010b1d048cf8140559a7fc51e2f25f23e5035
Opcode Fuzzy Hash: 3b8297210cba004a8d2e07849ea0a4831168f530548283382b70ef12d88847f7
Instruction Fuzzy Hash: 2B61DBA3F1C59646F7694E2DA90623D7AD0BB447A0F844335EF6E9A7D7ED3CD4019200

Function 00007FF6B3271080 Relevance: 1.6, APIs: 1, Instructions: 355COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF6B32710F2

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 984428218a9c228adbe6d125614df29729a9f10cb7dd52669724f844f0ae759f
Instruction ID: b26e0729e030620dd82984a53b289d705b15ba74c4fa2a043607c534850c1424
Opcode Fuzzy Hash: 984428218a9c228adbe6d125614df29729a9f10cb7dd52669724f844f0ae759f
Instruction Fuzzy Hash: 4BC12B22B2C2A582FA15CF699A16EB96655BF11BD4F408630DF0EA7BC0DF3CF9459300

Function 00007FF6B327BFA0 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899core\src\fmt\mod.rs, xrefs: 00007FF6B327BFE9, 00007FF6B327C0F5, 00007FF6B327C190

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899core\src\fmt\mod.rs
API String ID: 0-2454368799
Opcode ID: 63c44dd14bcda3bec7524203da0efde38e74e6a004a4cafd3ec91591d6bf40f9
Instruction ID: c998f877c5309f00e52c49fda72d5dc6d0b852f57520fa2d0ded9079b5677e33
Opcode Fuzzy Hash: 63c44dd14bcda3bec7524203da0efde38e74e6a004a4cafd3ec91591d6bf40f9
Instruction Fuzzy Hash: F1B14872B086A585EB208B2CD1027FC2761FB65BA4F405331DBAEA7BD1DE3D9A45C341

Function 00007FF6B3251150 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899core\src\fmt\mod.rs, xrefs: 00007FF6B3251176, 00007FF6B32513A7

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899core\src\fmt\mod.rs
API String ID: 0-2454368799
Opcode ID: 832528b178cc8b9a1463c5c0f2400c5a2bc0afedd9c367ce7f76a175325d55d4
Instruction ID: b53f5e39c10436e455572f3db66983676d5f5feb80f7cb7d19449947608db45a
Opcode Fuzzy Hash: 832528b178cc8b9a1463c5c0f2400c5a2bc0afedd9c367ce7f76a175325d55d4
Instruction Fuzzy Hash: E1B15963B0C29141EB648B1DE1127B86751EB54BA4F915331CF9AA7BD4DE3CE641C341

Function 00007FF6B3264A60 Relevance: 1.4, APIs: 1, Instructions: 192COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6B3264CB6

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: d5f4ecaaeacfff53c77d01a66d829fd4b36fcb5567296ec8db7c8349dd09f0de
Instruction ID: 6b2e047fb97dd182a55f6ab7e36cea367d5cd9d35d1a766320479a3ba0ba99e0
Opcode Fuzzy Hash: d5f4ecaaeacfff53c77d01a66d829fd4b36fcb5567296ec8db7c8349dd09f0de
Instruction Fuzzy Hash: 8C613722B5C64246FB648E1DE61237A6A90FB45784F044139EFCEA7BC6CE3CD580DB04

Function 00007FF6B3270390 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 00007FF6B3270415, 00007FF6B32705C0

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID: 0123456789abcdef
API String ID: 0-1757737011
Opcode ID: 63ac6b73bf77b628c566cd22cb09ccbf4fcb7376b0a588039cfcab580993a599
Instruction ID: 7f08abdaee4e652faed8f722531d8b05dd2288e36c2edded88391e4d5df31d52
Opcode Fuzzy Hash: 63ac6b73bf77b628c566cd22cb09ccbf4fcb7376b0a588039cfcab580993a599
Instruction Fuzzy Hash: 08815963B196E1CAE3218B3C9901BAC7F61AB15B88F448174CBC8A7B82CF7DD549D351

Function 00007FF6B3276C20 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 00007FF6B3276C9F, 00007FF6B3276EBE

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID: 0123456789abcdef
API String ID: 0-1757737011
Opcode ID: 18093509db6ec18421d0c5bc2c92049e30c37d757fa59a873f534fb687d85bcf
Instruction ID: 3d6e2b04a73f666c75e2370a7fabfac543f7a7092054488af7f01704095c95a9
Opcode Fuzzy Hash: 18093509db6ec18421d0c5bc2c92049e30c37d757fa59a873f534fb687d85bcf
Instruction Fuzzy Hash: 8A814633B296E19AE3218B3C9A01BAC7F61AB11B44F044175CBC8B7B82CF79D519D391

Function 00007FF6B3292A60 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF6B32998D3), ref: 00007FF6B329A391

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 6783393797bd38d295cfccef32833937ef381231cefdfdd5a05e3105c17b1f04
Instruction ID: 2bc66f155738a8257565b81a35697585ff9c59c3ec06b672994aaaa831244c9b
Opcode Fuzzy Hash: 6783393797bd38d295cfccef32833937ef381231cefdfdd5a05e3105c17b1f04
Instruction Fuzzy Hash: 12F0BB16F49E0585F6599B5E790117562959F8CFD0F084234CF0CD7361DE3CE4C28244

Function 00007FF6B326C5A0 Relevance: .7, Instructions: 720COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e9b248da945285402eb8cbb8b7c7d4b90029005f43c8d0b9d43454199c4fe2
Instruction ID: 4d34b09b7cad78c84806303ca6078453c90171825369269f11ebbfd0d55d5466
Opcode Fuzzy Hash: c8e9b248da945285402eb8cbb8b7c7d4b90029005f43c8d0b9d43454199c4fe2
Instruction Fuzzy Hash: 1E42D762719BD441F6118F6AB8526A7E361FF99BD4F04A121EF8D63B09DF3CD6818700

Function 00007FF6B327EAA0 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adda371c05508b0a298440d4eae58001dc0e5b5f45b4e3950a7a311b6da92386
Instruction ID: 45b7a4ca0f54733c066635bcfa3b185b5d55eb49d93c9203ed07b4437952516c
Opcode Fuzzy Hash: adda371c05508b0a298440d4eae58001dc0e5b5f45b4e3950a7a311b6da92386
Instruction Fuzzy Hash: 7AC179A2F1D6D2C5F7228A2C96027B96A817712771F549730CB6EB72D0CF7C9D528322

Function 00007FF6B326E450 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e93a0dc367e60ed858cbde761659c88b7b54c08f28d9b1d60bb46a7ffcba42f
Instruction ID: ab9f1f0db8086bb73362c9fa9718da8973b4cb628e277f6b7d17ad5854b39e60
Opcode Fuzzy Hash: 9e93a0dc367e60ed858cbde761659c88b7b54c08f28d9b1d60bb46a7ffcba42f
Instruction Fuzzy Hash: C2C15D97F39BA641F713433C56036B856005FA77E4A01D322FEA4B2FE5EF34A6429204

Function 00007FF6B327F3F0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69c4f7b8cd5da008c5c796e1d01ab5764fe54582b9148a761b74e01056b8c91
Instruction ID: 9a1c10e2fd09d978ad4ccab37cecc0030f973729608885978b805349ef7cd243
Opcode Fuzzy Hash: f69c4f7b8cd5da008c5c796e1d01ab5764fe54582b9148a761b74e01056b8c91
Instruction Fuzzy Hash: 50B12626F0D692E6FB658B78D7027FC27A1BB01788F544132DF4DA3A95DE7C99928300

Function 00007FF6B326D130 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb5e16058bb0566f99405c6c335fc1234fd8c3b2d60057ea747a17e7614ceed
Instruction ID: f1710208052d25c331607c563afcef5b171a33cd2ef506b1f6a6361fe339a319
Opcode Fuzzy Hash: ffb5e16058bb0566f99405c6c335fc1234fd8c3b2d60057ea747a17e7614ceed
Instruction Fuzzy Hash: 17C14062D19FC542E723AB3DA4032F6E310FFEA384F00D312EEC47595ADB69E2459644

Function 00007FF6B326B2F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49d64f606b30b5e613b7687bc14d59ee01eaa8d31e2a8703c4f9323d8549704
Instruction ID: d416797be00467981505a8bf5a77a3e2a1a5905893b636c8e13afd6d057c9589
Opcode Fuzzy Hash: e49d64f606b30b5e613b7687bc14d59ee01eaa8d31e2a8703c4f9323d8549704
Instruction Fuzzy Hash: 176173A3315BA4427A04CFF2BD3199BABA5F649BD8B00F435EE8D57B1CDA3CC4518640

Function 00007FF6B3264EC0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0532867200631d17e2e3206eb55439b492eb57631902a6d221b66ced3b8aee8b
Instruction ID: a24ce58b941a27b90be6f031bf8c4beef10ef8c53fde8b63e9243aa6d8ffac9e
Opcode Fuzzy Hash: 0532867200631d17e2e3206eb55439b492eb57631902a6d221b66ced3b8aee8b
Instruction Fuzzy Hash: F9414672F5467182FB18CF59E661A782756FB90BD0F519032DE5BA3B80CE38D896C380

Function 00007FF6B3264D50 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8916ff02eb36279b0385f62ba8be761ded61a259e6ec6d0021c213f83ad3a4a8
Instruction ID: aaa78b613765ecb2d2ae20f289ff26247ff69c9851fde5857ce92530ed9cc6b7
Opcode Fuzzy Hash: 8916ff02eb36279b0385f62ba8be761ded61a259e6ec6d0021c213f83ad3a4a8
Instruction Fuzzy Hash: A831BBD6F08B8042FE54D7A8746737B9312AB957D0F80E235DE89AAE0FDF2DD2424140

Function 00007FF6B3298004 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b16f98ace69e0efadd172f747959fdb2bce834d04ca5212cc346081341c674
Instruction ID: d4a48160cf04c0681a3bbd100650c142785a6e34adcb2d51ca2d70d54ab32d54
Opcode Fuzzy Hash: 61b16f98ace69e0efadd172f747959fdb2bce834d04ca5212cc346081341c674
Instruction Fuzzy Hash: 10A00125A08E02D0E6548F18AA521302221AB59714B460272C21DA1072DE7CA540D215

Function 00007FF6B3291C00 Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 339memorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B32850D0: GetEnvironmentStringsW.KERNEL32 ref: 00007FF6B3285157

CloseHandle.KERNEL32 ref: 00007FF6B3291C95
CloseHandle.KERNEL32 ref: 00007FF6B3291D4B
CloseHandle.KERNEL32 ref: 00007FF6B3291DE2
WaitForSingleObject.KERNEL32 ref: 00007FF6B329205F
GetLastError.KERNEL32 ref: 00007FF6B3292069
HeapFree.KERNEL32 ref: 00007FF6B3292088
HeapFree.KERNEL32 ref: 00007FF6B32920AC
GetExitCodeProcess.KERNEL32 ref: 00007FF6B32920D6
CloseHandle.KERNEL32 ref: 00007FF6B3292118
CloseHandle.KERNEL32 ref: 00007FF6B329211F

Strings

-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac, xrefs: 00007FF6B3291C01, 00007FF6B32921E6
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6B3291D94, 00007FF6B3292185, 00007FF6B32921B9
-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct, xrefs: 00007FF6B3291C07, 00007FF6B32921EC
-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe , xrefs: 00007FF6B3291C03, 00007FF6B32921E8

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: CloseHandle$FreeHeap$CodeEnvironmentErrorExitLastObjectProcessSingleStringsWait
String ID: -Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac$-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct$-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe $called `Result::unwrap()` on an `Err` value
API String ID: 1083365245-3402652994
Opcode ID: 068e135bdd4ee0b0cc79d674f2ea0cbd06011418e0e1c1ea8a16fe48549bf474
Instruction ID: 89edfe459e2ff4873b9c61770b0ae5f5cfa4b54dd770ec2b3ed1b558db0f9ff0
Opcode Fuzzy Hash: 068e135bdd4ee0b0cc79d674f2ea0cbd06011418e0e1c1ea8a16fe48549bf474
Instruction Fuzzy Hash: 4DF15036B04BC699E7708F29D9423E933A0FB15758F504235DB4DA6A9ADF38E689C340

Function 00007FF6B328D520 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 298COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6B328D537
DuplicateHandle.KERNEL32 ref: 00007FF6B328D562
GetLastError.KERNEL32 ref: 00007FF6B328D69E
CloseHandle.KERNEL32 ref: 00007FF6B328D6E1

Strings

RUST_MIN_STACK, xrefs: 00007FF6B328D749
failed to spawn thread, xrefs: 00007FF6B328DB33

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: Handle$CloseCurrentDuplicateErrorLastProcess
String ID: RUST_MIN_STACK$failed to spawn thread
API String ID: 3328748953-917136298
Opcode ID: edb176ba9bad7e56d3ac35411854c81880cf8e5b484e33333937882175b55ec9
Instruction ID: 9f09375561de1d3c93b907630d828730e460247a69ed050828bc7b8d4388c4a7
Opcode Fuzzy Hash: edb176ba9bad7e56d3ac35411854c81880cf8e5b484e33333937882175b55ec9
Instruction Fuzzy Hash: 5EE15D22B09B858AFB108F29DA423B927A0FF44B98F144136DF4DA7799DF3DE5498350

Function 00007FF6B3292590 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

CancelIo.KERNEL32(?,?,?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3292047), ref: 00007FF6B32925B8
GetOverlappedResult.KERNEL32(?,?,?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3292047), ref: 00007FF6B32925DD
GetLastError.KERNEL32(?,?,?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3292047), ref: 00007FF6B3292605
CloseHandle.KERNEL32(?,?,?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3292047), ref: 00007FF6B3292660
CloseHandle.KERNEL32(?,?,?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3292047), ref: 00007FF6B3292666
GetLastError.KERNEL32(?,?,?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3292047), ref: 00007FF6B3292689
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3292047), ref: 00007FF6B32926F9
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3292047), ref: 00007FF6B3292716
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3292047), ref: 00007FF6B3292720
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3292047), ref: 00007FF6B329272F

Strings

-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac, xrefs: 00007FF6B3292591, 00007FF6B32926D6
-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe , xrefs: 00007FF6B3292593

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: CloseHandle$ErrorFreeHeapLast$CancelOverlappedResult
String ID: -Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac$-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe
API String ID: 3987361021-3266012847
Opcode ID: 91384812f4015f3388e566694ff4e244ccecc6340b338e133ce58bd3450d2711
Instruction ID: c1be8efb451a25973f1795d83a32e2966d7ba03d110a02ff2a42ab1ad10a255d
Opcode Fuzzy Hash: 91384812f4015f3388e566694ff4e244ccecc6340b338e133ce58bd3450d2711
Instruction Fuzzy Hash: E2415026B04B5596E7048F6ADA453A837B0FB88F98F054632DF0DA77A5DF78D582C340

Function 00007FF6B328FB00 Relevance: 19.7, APIs: 13, Instructions: 194filememoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6B328FB4D
ReadFileEx.KERNEL32 ref: 00007FF6B328FBB4
SleepEx.KERNEL32 ref: 00007FF6B328FBCA
GetLastError.KERNEL32 ref: 00007FF6B328FC00
WriteFileEx.KERNEL32 ref: 00007FF6B328FCB9
SleepEx.KERNEL32 ref: 00007FF6B328FCCA
CloseHandle.KERNEL32 ref: 00007FF6B328FD05
CloseHandle.KERNEL32 ref: 00007FF6B328FD0E
HeapFree.KERNEL32 ref: 00007FF6B328FD90
HeapFree.KERNEL32 ref: 00007FF6B328FDA6

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: CloseFileFreeHandleHeapSleep$ErrorLastReadWritememset
String ID:
API String ID: 779401166-0
Opcode ID: 78d0085b851b748739d3fac093d34ff165da2bff40ace1830053c82de9885ba3
Instruction ID: e4f9aa6c19e898f273c874ab3f89a3c0d4a183929c869b0191fe4b5d90a6e87f
Opcode Fuzzy Hash: 78d0085b851b748739d3fac093d34ff165da2bff40ace1830053c82de9885ba3
Instruction Fuzzy Hash: 73813F26704AC695EB309F29E9427F96360FF48798F044236DF5D96B98CF7896869300

Function 00007FF6B32975B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6B3297643
SysStringLen.OLEAUT32 ref: 00007FF6B3297653
SysFreeString.OLEAUT32 ref: 00007FF6B3297667
SysStringLen.OLEAUT32 ref: 00007FF6B32976B5
SysStringLen.OLEAUT32 ref: 00007FF6B32976F9
SysStringLen.OLEAUT32 ref: 00007FF6B3297708
SysFreeString.OLEAUT32 ref: 00007FF6B32977D6

Strings

Invalid NT signatureInvalid DOS signature for module: , xrefs: 00007FF6B32975B4

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: String$Free
String ID: Invalid NT signatureInvalid DOS signature for module:
API String ID: 1391021980-3480978609
Opcode ID: 23e49c5f6e9e951b63aa2959c342144616a048980e9d9883e981200d52027372
Instruction ID: 956c8233f8537e5bb0d16efd6d16a1090180cc44647301be7327a20c3285f838
Opcode Fuzzy Hash: 23e49c5f6e9e951b63aa2959c342144616a048980e9d9883e981200d52027372
Instruction Fuzzy Hash: 8D519F3AB18B4281EB248F1DE65536AA7A0FF84B94F445235EB8E97B95CF7CD044CB00

Function 00007FF6B3253000 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6B3253151
OutputDebugStringW.KERNEL32 ref: 00007FF6B32531C1
HeapFree.KERNEL32 ref: 00007FF6B32531DA

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6B3253219
kernel32.dllVirtualAllocEx, xrefs: 00007FF6B3253021
., xrefs: 00007FF6B32531B2
r, xrefs: 00007FF6B32531A7
GetProcAddress, xrefs: 00007FF6B32530C1

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: DebugFreeHeapOutputStringmemset
String ID: .$GetProcAddress$called `Result::unwrap()` on an `Err` value$kernel32.dllVirtualAllocEx$r
API String ID: 3278678782-1998162551
Opcode ID: 8ce24b62a18ca421bc3152a767145fb7cfdf1dff43468bc64e3ab93f7cb23723
Instruction ID: 72b2129bbc42f9098a9187623ad98c9157e13b091e47fe610fff04c9ceb79f37
Opcode Fuzzy Hash: 8ce24b62a18ca421bc3152a767145fb7cfdf1dff43468bc64e3ab93f7cb23723
Instruction Fuzzy Hash: A5514822B1C6D581F6218B2DA9037B6A761BF94794F045231DF8DA2769EF3DD286C700

Function 00007FF6B328F4F0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 237memorythreadCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6B328F5E1
GetCurrentThread.KERNEL32 ref: 00007FF6B328F5ED
HeapFree.KERNEL32 ref: 00007FF6B328F61A
HeapFree.KERNEL32 ref: 00007FF6B328F7B9
HeapFree.KERNEL32 ref: 00007FF6B328F88B
HeapFree.KERNEL32 ref: 00007FF6B328F89E

Strings

main, xrefs: 00007FF6B328F536

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap$CurrentThread
String ID: main
API String ID: 1184698198-3207122276
Opcode ID: 61e017777a7727f5ccb2847e099727255b132e3f38003baaefbe60160bd9367d
Instruction ID: 58c8897e9ecddeb73e23405b361a533275cfbd4c56a4a12f01a9330757ab01d3
Opcode Fuzzy Hash: 61e017777a7727f5ccb2847e099727255b132e3f38003baaefbe60160bd9367d
Instruction Fuzzy Hash: 91C14E26B08B9599E710CF29E5853AD3BA0FB88B98F044136EF4DA77A5CF79D485C340

Function 00007FF6B3290D80 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 220memoryCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6B3290E5A
memmove.VCRUNTIME140 ref: 00007FF6B3290EB5
memmove.VCRUNTIME140 ref: 00007FF6B3290EE5
memmove.VCRUNTIME140 ref: 00007FF6B3290F19
memmove.VCRUNTIME140 ref: 00007FF6B3290F47
memmove.VCRUNTIME140 ref: 00007FF6B329105C
HeapFree.KERNEL32 ref: 00007FF6B329112D

Strings

assertion failed: new_left_len <= CAPACITY, xrefs: 00007FF6B329114E

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memmove$FreeHeap
String ID: assertion failed: new_left_len <= CAPACITY
API String ID: 3670176668-3316943531
Opcode ID: bd3df8df1d91e6afc355728498be3d5d5a30efa8681b6ab148653e798d5e4dfa
Instruction ID: 21c9d65c25e6e4e343078db8dff84afd343f006de8375da6df01150ba0370608
Opcode Fuzzy Hash: bd3df8df1d91e6afc355728498be3d5d5a30efa8681b6ab148653e798d5e4dfa
Instruction Fuzzy Hash: 4BB19D26A10B8492DB158F19E9413EA77B4FB58B98F499236DF4D53361EF38E261C300

Function 00007FF6B32909A0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 210COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6B3290A2A
memmove.VCRUNTIME140 ref: 00007FF6B3290A4A
memmove.VCRUNTIME140 ref: 00007FF6B3290A85
memmove.VCRUNTIME140 ref: 00007FF6B3290AA4
memmove.VCRUNTIME140 ref: 00007FF6B3290C08
memmove.VCRUNTIME140 ref: 00007FF6B3290C29

Strings

assertion failed: old_left_len >= count, xrefs: 00007FF6B3290D4A
assertion failed: old_right_len + count <= CAPACITY, xrefs: 00007FF6B3290D32

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memmove
String ID: assertion failed: old_left_len >= count$assertion failed: old_right_len + count <= CAPACITY
API String ID: 2162964266-1889375005
Opcode ID: 9c3b8417148723ba08c746177e8380ec937096b939c1c3b2d4099853ed383284
Instruction ID: f2a9d862ef79c2224ef7ca8cb24f2b95e674aadd5ba4587348d95f3c15e31e4e
Opcode Fuzzy Hash: 9c3b8417148723ba08c746177e8380ec937096b939c1c3b2d4099853ed383284
Instruction Fuzzy Hash: C4A1D722E04BC982E7559F18E9423F96364FF58798F549332DF4D63652EF39A296C300

Function 00007FF6B327FB70 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 266stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00007FF6B327FC54
memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00007FF6B327FD1D

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6B327FDD9
,(><&@, xrefs: 00007FF6B327FEA3
TryFromIntError:, xrefs: 00007FF6B327FE3A
RUST_BACKTRACEentity not foundpermission deniedconnection refusedconnection resethost unreachablenetwork unreachableconnection abortednot connectedaddress in useaddress not availablenetwork downbroken pipeentity already existsoperation would blocknot a directo, xrefs: 00007FF6B327FC3B, 00007FF6B327FE10

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: lstrlenmemcmp
String ID: ,(><&@$RUST_BACKTRACEentity not foundpermission deniedconnection refusedconnection resethost unreachablenetwork unreachableconnection abortednot connectedaddress in useaddress not availablenetwork downbroken pipeentity already existsoperation would blocknot a directo$TryFromIntError:$called `Result::unwrap()` on an `Err` value
API String ID: 1799893992-2190381041
Opcode ID: f76daf3a126a1a292aaca04d22363d6859162dd34aa7bb72d817fdd1c247bc5b
Instruction ID: b499f68181d7a04d737d6fbd1004afb41d790ed9c78064935ad3e9bc7e9dee5b
Opcode Fuzzy Hash: f76daf3a126a1a292aaca04d22363d6859162dd34aa7bb72d817fdd1c247bc5b
Instruction Fuzzy Hash: BBA1B362B08A46E6EB208F69D5022B92760FB54BA8F544631DF6DA3BD5DF3CE945C300

Function 00007FF6B3291180 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6B3291354
memmove.VCRUNTIME140 ref: 00007FF6B329136B
memmove.VCRUNTIME140 ref: 00007FF6B329137E
memmove.VCRUNTIME140 ref: 00007FF6B3291397
memmove.VCRUNTIME140 ref: 00007FF6B32913D8
memmove.VCRUNTIME140 ref: 00007FF6B32913F3

Strings

assertion failed: old_left_len + count <= CAPACITY, xrefs: 00007FF6B32915C2

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memmove
String ID: assertion failed: old_left_len + count <= CAPACITY
API String ID: 2162964266-323339215
Opcode ID: c06701663169af3e5e93daf976e38ffb9366f7457630b5d59672495e30d54576
Instruction ID: 06ad2305b7320aa7d16df96d80c55c338ad662a09cbb1c8220dec8de0a2cfb0d
Opcode Fuzzy Hash: c06701663169af3e5e93daf976e38ffb9366f7457630b5d59672495e30d54576
Instruction Fuzzy Hash: F4C1C666A14BC482EB459F18E9023F96364FF58B98F555336DF4D63362EF38A295C300

Function 00007FF6B328E5B0 Relevance: 10.6, APIs: 7, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF6B328E5C3
GetLastError.KERNEL32 ref: 00007FF6B328E5D8
HeapFree.KERNEL32 ref: 00007FF6B328E653
HeapFree.KERNEL32 ref: 00007FF6B328E666
GetCurrentProcess.KERNEL32 ref: 00007FF6B328E67D
DuplicateHandle.KERNEL32 ref: 00007FF6B328E6A8
GetLastError.KERNEL32 ref: 00007FF6B328E6BA

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: ErrorFreeHandleHeapLast$CurrentDuplicateProcess
String ID:
API String ID: 443199557-0
Opcode ID: dfb22cdd308960437ef226678e4a295b727580a6409b6d3ee54e7e7e98ff0c41
Instruction ID: 0d2873a4ddfa7ef73feee4c1819b0d00c6ac1e6f399a6338e08c8a71b23db35f
Opcode Fuzzy Hash: dfb22cdd308960437ef226678e4a295b727580a6409b6d3ee54e7e7e98ff0c41
Instruction Fuzzy Hash: 0C315C35B18B1185FB108F6AD94A3AD22A1FF88BA4F448639CB6DA37D4CF3CD0408340

Function 00007FF6B3296DE0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B32975B0: SysFreeString.OLEAUT32 ref: 00007FF6B3297643
Part of subcall function 00007FF6B32975B0: SysStringLen.OLEAUT32 ref: 00007FF6B3297653
Part of subcall function 00007FF6B32975B0: SysFreeString.OLEAUT32 ref: 00007FF6B3297667
Part of subcall function 00007FF6B32975B0: SysStringLen.OLEAUT32 ref: 00007FF6B32976B5
Part of subcall function 00007FF6B32975B0: SysFreeString.OLEAUT32 ref: 00007FF6B32977D6

HeapFree.KERNEL32 ref: 00007FF6B3296FDE

Part of subcall function 00007FF6B32969C0: FormatMessageW.KERNEL32 ref: 00007FF6B3296A2A
Part of subcall function 00007FF6B32969C0: GetProcessHeap.KERNEL32 ref: 00007FF6B3296B24
Part of subcall function 00007FF6B32969C0: HeapFree.KERNEL32 ref: 00007FF6B3296B32

HeapFree.KERNEL32 ref: 00007FF6B3296FBC

Part of subcall function 00007FF6B32969C0: LoadLibraryExA.KERNEL32 ref: 00007FF6B32969FB

Strings

KO_S, xrefs: 00007FF6B3296E8B
KO_S, xrefs: 00007FF6B3296E49
KO_S, xrefs: 00007FF6B3296F19
KO_S, xrefs: 00007FF6B3296E0C

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: Free$String$Heap$FormatLibraryLoadMessageProcess
String ID: KO_S$KO_S$KO_S$KO_S
API String ID: 3026262243-1559209064
Opcode ID: 3831f844c3f47bd9a821f2afc3863872edeee65b5f153a98f6b503e721a371e8
Instruction ID: 825e432cbefce11de0374ab792d9cf54bdfb11095636259b3db7d69cc2211616
Opcode Fuzzy Hash: 3831f844c3f47bd9a821f2afc3863872edeee65b5f153a98f6b503e721a371e8
Instruction Fuzzy Hash: 26511836718B8196E7618F19F6413AAB3A5FB88750F404236EB8D93B59EF3CE454CB40

Function 00007FF6B32850D0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 199COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00007FF6B3285157
FreeEnvironmentStringsW.KERNEL32 ref: 00007FF6B328538C
GetLastError.KERNEL32 ref: 00007FF6B3288A40
CloseHandle.KERNEL32 ref: 00007FF6B3288B79

Strings

-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac, xrefs: 00007FF6B3284D41, 00007FF6B32850B6, 00007FF6B32850D1
-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct, xrefs: 00007FF6B32850D7
-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe , xrefs: 00007FF6B32850D3

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: EnvironmentStrings$CloseErrorFreeHandleLast
String ID: -Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac$-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct$-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe
API String ID: 1605123130-435359000
Opcode ID: ad6fe99b79b7659689b9f3a77182ff0bb9f4457b07c2bfa26f4552d920c66ed5
Instruction ID: de6f95a940163c81f1bfefa9303133350a2a3658e0bb40a416186ea43a28c049
Opcode Fuzzy Hash: ad6fe99b79b7659689b9f3a77182ff0bb9f4457b07c2bfa26f4552d920c66ed5
Instruction Fuzzy Hash: 25917B32708AC189EB608F29D9563FA37A0FB057A9F544235CB6DAB6C4EF389645C300

Function 00007FF6B32969C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90memorylibrarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32 ref: 00007FF6B32969FB
FormatMessageW.KERNEL32 ref: 00007FF6B3296A2A
GetProcessHeap.KERNEL32 ref: 00007FF6B3296B24
HeapFree.KERNEL32 ref: 00007FF6B3296B32

Strings

ntdll.dll, xrefs: 00007FF6B32969EC

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: Heap$FormatFreeLibraryLoadMessageProcess
String ID: ntdll.dll
API String ID: 2073911336-2227199552
Opcode ID: b0d0f27879f1737e1c980c0b7697a5256b6eccc408c3280d812aea5dd712f8a9
Instruction ID: 7b6d635d486ae1e23e1d0b8765d3d8dffcf5c05a88dc727e64920ec44e0973b9
Opcode Fuzzy Hash: b0d0f27879f1737e1c980c0b7697a5256b6eccc408c3280d812aea5dd712f8a9
Instruction Fuzzy Hash: 60418E32B08B4192E7108F19F64536AA3A1FB85794F148234EB8997B99EF7DE4848700

Function 00007FF6B3292480 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,?,00007FF6B3291D2C), ref: 00007FF6B32924B0
GetLastError.KERNEL32(?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,?,00007FF6B3291D2C), ref: 00007FF6B329250A
CloseHandle.KERNEL32(?,?,?,?,?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,?,00007FF6B3291D2C), ref: 00007FF6B329256E
CloseHandle.KERNEL32(?,?,?,?,?,?,00000001,?,?,-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe ,?,00007FF6B3291D2C), ref: 00007FF6B3292574

Strings

-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe , xrefs: 00007FF6B3292481

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: CloseHandle$CreateErrorEventLast
String ID: -NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe
API String ID: 3743700123-3796342903
Opcode ID: 764e55fccaec367db8600bbafeb820a1a69775069a48feaf912cbaa7e889a1de
Instruction ID: cc46495aaff297c838f1b2852a6763433c293ac60508c7e591dbe2a4414584a0
Opcode Fuzzy Hash: 764e55fccaec367db8600bbafeb820a1a69775069a48feaf912cbaa7e889a1de
Instruction Fuzzy Hash: 7E218B33B04B4186F7258F26B9523A976A4FB887A0F188235DF9D527D1EF78D5D28300

Function 00007FF6B327A650 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 337COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,0000000100002600,?,?,-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct,00000001,00000000,?,00007FF6B3267DA2), ref: 00007FF6B327A720

Strings

-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct, xrefs: 00007FF6B327A656
"""""""", xrefs: 00007FF6B327A675
\\\\\\\\, xrefs: 00007FF6B327A7D7

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memmove
String ID: """"""""$-NoProfile-NonInteractive-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProduct$\\\\\\\\
API String ID: 2162964266-2527656708
Opcode ID: 3ebe378ba1e5b0a0cc530eb8cf79493085359402cdb35856c52efbe778c82ec9
Instruction ID: 111e83051ff3f561ba7ba59ffd47fe31ca790849bf6e350cb9a4cf1c56671963
Opcode Fuzzy Hash: 3ebe378ba1e5b0a0cc530eb8cf79493085359402cdb35856c52efbe778c82ec9
Instruction Fuzzy Hash: 05C1F6A2B18B91C1EB108F1AE60A2BA6351FB45BE4F948632DF5DA7384DF3CE545C300

Function 00007FF6B32699A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

GetErrorInfo.OLEAUT32 ref: 00007FF6B32699D8
HeapFree.KERNEL32(?,?,?,?,?,00007FF6B32614AC), ref: 00007FF6B32699F6

Strings

KO_S, xrefs: 00007FF6B3269A0B
KO_S, xrefs: 00007FF6B32699C0

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: ErrorFreeHeapInfo
String ID: KO_S$KO_S
API String ID: 2644722224-3643238370
Opcode ID: 3779fb2e198122c4eaf8191be486a5b7982e36063e3fcc8c64ae1eac853d81ea
Instruction ID: f91416df264ce068b59901da4475e67c5bb4b08e56f14c62e35669b57edc6b07
Opcode Fuzzy Hash: 3779fb2e198122c4eaf8191be486a5b7982e36063e3fcc8c64ae1eac853d81ea
Instruction Fuzzy Hash: 61016776B0874182EB244F5AE5823BA52D1AF8CBD4F498139DF8DD3761DE7CD491C240

Function 00007FF6B327C930 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6B327C949
GetProcAddress.KERNEL32 ref: 00007FF6B327C95E

Strings

SetThreadDescription, xrefs: 00007FF6B327C954
kernel32, xrefs: 00007FF6B327C942

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: 1f9ba1cc4ac202086bd21eb3f60e7a1a902e788bb4e1018a4082a40431d33b9d
Instruction ID: a1123f30bfeb4e34964b4e40b948a0fd841aaea74d745b453556856b2a914183
Opcode Fuzzy Hash: 1f9ba1cc4ac202086bd21eb3f60e7a1a902e788bb4e1018a4082a40431d33b9d
Instruction Fuzzy Hash: 45F05E50B0AA56E5FA55CB59AA460F422617F08BC0F844135CF0DA3760DE3CA949C200

Function 00007FF6B3264770 Relevance: 6.5, APIs: 5, Instructions: 228COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF6B32647C5
memcmp.VCRUNTIME140 ref: 00007FF6B3264825
memcmp.VCRUNTIME140 ref: 00007FF6B32648E5
memcmp.VCRUNTIME140 ref: 00007FF6B3264943
memcmp.VCRUNTIME140 ref: 00007FF6B32649DC

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 7ba9f83aab7f458d2523825f9fdb98b88699e60e971da686df4a1a2ea9e203db
Instruction ID: 067a395864ae32b0aa010b701c751f38c614e0b2fc648570fb3ce6f740510f17
Opcode Fuzzy Hash: 7ba9f83aab7f458d2523825f9fdb98b88699e60e971da686df4a1a2ea9e203db
Instruction Fuzzy Hash: 6271D981B4ABA143FD159E2A9B0217A5690BF58BC4F189535DF8DE77A2FF38F491C200

Function 00007FF6B3263A60 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF6B32641CE
memcmp.VCRUNTIME140 ref: 00007FF6B3264257

Strings

, xrefs: 00007FF6B3263A95
, xrefs: 00007FF6B3264152

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memcmp
String ID: $
API String ID: 1475443563-227171996
Opcode ID: 5d0345d70e85653de63984e50b363f7f5050189172f30f6c7d8ddb26480f7d86
Instruction ID: c0842770954dda4b8042c52eba0e2eb484fe1665e35e662001cef7fd4bc7e1bf
Opcode Fuzzy Hash: 5d0345d70e85653de63984e50b363f7f5050189172f30f6c7d8ddb26480f7d86
Instruction Fuzzy Hash: 4F51B662B09BD582DA118F5AA6051AA6760FF95BE4F054332DFAD53B9ADF38E144C300

Function 00007FF6B3296B50 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B32975B0: SysFreeString.OLEAUT32 ref: 00007FF6B3297643
Part of subcall function 00007FF6B32975B0: SysStringLen.OLEAUT32 ref: 00007FF6B3297653
Part of subcall function 00007FF6B32975B0: SysFreeString.OLEAUT32 ref: 00007FF6B3297667
Part of subcall function 00007FF6B32975B0: SysStringLen.OLEAUT32 ref: 00007FF6B32976B5
Part of subcall function 00007FF6B32975B0: SysFreeString.OLEAUT32 ref: 00007FF6B32977D6

Part of subcall function 00007FF6B32969C0: FormatMessageW.KERNEL32 ref: 00007FF6B3296A2A
Part of subcall function 00007FF6B32969C0: GetProcessHeap.KERNEL32 ref: 00007FF6B3296B24
Part of subcall function 00007FF6B32969C0: HeapFree.KERNEL32 ref: 00007FF6B3296B32

HeapFree.KERNEL32 ref: 00007FF6B3296C8E

Strings

}0x, xrefs: 00007FF6B3296C4F
KO_S, xrefs: 00007FF6B3296B88
Errorcodemessage, xrefs: 00007FF6B3296B65

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeString$Heap$FormatMessageProcess
String ID: }0x$Errorcodemessage$KO_S
API String ID: 3834163611-2264483571
Opcode ID: d9661228685614b2897c510db52353d528e28ee1cea753569626aa0d587d204f
Instruction ID: 5190732b7f3a37894a61669fad930bb205cab733f11f5f2905fa23d28f2c8856
Opcode Fuzzy Hash: d9661228685614b2897c510db52353d528e28ee1cea753569626aa0d587d204f
Instruction Fuzzy Hash: 1741E96670CA4691EB218F19E1813AD77B0FB887A0F445136EB8D93765DF7DD544CB00

Function 00007FF6B328D410 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000001,?,?,00000000,0000000A,-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac,?,00007FF6B3286AA1), ref: 00007FF6B328D490
HeapFree.KERNEL32 ref: 00007FF6B328D4A8
HeapFree.KERNEL32 ref: 00007FF6B328D4C5

Strings

-Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac, xrefs: 00007FF6B328D411

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap
String ID: -Command $antivirus = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct if ($antivirus) { $displayName = $antivirus.displayName $exePath = $antivirus.pathToSignedProductExe # Extrac
API String ID: 3298025750-2142436962
Opcode ID: cb925eaacc5efce4e7f51c13de2083a72cf1247f8748fa935440322030c6eb4b
Instruction ID: 2b58d2d6ec9d572cb5383c78959784834054677b234a1e0e8d54e98f71444e45
Opcode Fuzzy Hash: cb925eaacc5efce4e7f51c13de2083a72cf1247f8748fa935440322030c6eb4b
Instruction Fuzzy Hash: A2116025B04A51D1FA14DB2A9A4ABBA6B75FF48B84F498432DF0CA7795CE3CE049C314

Function 00007FF6B3282C3C Relevance: 5.2, APIs: 4, Instructions: 229memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6B32831DF
HeapFree.KERNEL32 ref: 00007FF6B32831FF

Part of subcall function 00007FF6B327F320: memcmp.VCRUNTIME140 ref: 00007FF6B327F37A

Part of subcall function 00007FF6B32813F0: memmove.VCRUNTIME140(?,00000000,00000004,00000000,00000000,?,00000000,?,00007FF6B3284974,?,?,?,?,?,?,00007FFC07365570), ref: 00007FF6B32815E1

HeapFree.KERNEL32 ref: 00007FF6B32832B6
HeapFree.KERNEL32 ref: 00007FF6B32832D0

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap$memcmpmemmove
String ID:
API String ID: 2793343567-0
Opcode ID: 7e741c51b02e790958833b2b8735b60c45302074638f56a5c8eee82971af6974
Instruction ID: ddd856027744f91c78dbb86312e5f79e81821f66f54164ca7eacbac265babf8e
Opcode Fuzzy Hash: 7e741c51b02e790958833b2b8735b60c45302074638f56a5c8eee82971af6974
Instruction Fuzzy Hash: A6B17F32B08BC589E731CF29DA013E92760FB5875CF445231DB8D6AAA5DF78A6C5C340

Function 00007FF6B3291860 Relevance: 5.2, APIs: 4, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6B329196F
memmove.VCRUNTIME140 ref: 00007FF6B3291988
memmove.VCRUNTIME140 ref: 00007FF6B3291A07
HeapFree.KERNEL32 ref: 00007FF6B3291B40

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: memmove$FreeHeap
String ID:
API String ID: 3670176668-0
Opcode ID: 81e384df63ca1b51aae44180ddea005126832a58fffc18558bf223db879766b0
Instruction ID: 7cb3151d2122e5894fc8cd320e3fe97a0fb8845989215d60cdbcecd4cdbda570
Opcode Fuzzy Hash: 81e384df63ca1b51aae44180ddea005126832a58fffc18558bf223db879766b0
Instruction Fuzzy Hash: C181E322B05BC586E7018F29E9063E963B4FF587A8F055231EF8C627A5EF38E195C300

Function 00007FF6B3291610 Relevance: 5.1, APIs: 4, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6B3291713
memmove.VCRUNTIME140 ref: 00007FF6B329172C
HeapFree.KERNEL32 ref: 00007FF6B3291820
HeapFree.KERNEL32 ref: 00007FF6B329183C

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeapmemmove
String ID:
API String ID: 913535592-0
Opcode ID: 134e16f9ccbe202af5521424db87552a4c6aa1a0fa5113da8756ef511665cc17
Instruction ID: 749638755bccdb8e088c70de1cd3cb9681748f58bd9d7f2f23555eeb629aa846
Opcode Fuzzy Hash: 134e16f9ccbe202af5521424db87552a4c6aa1a0fa5113da8756ef511665cc17
Instruction Fuzzy Hash: 0251E622B05B8496E7118F69ED063EA63B4FB58794F059231DF9D67761EF38E185C300

Function 00007FF6B3284020 Relevance: 5.1, APIs: 4, Instructions: 144memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6B3283F39
HeapFree.KERNEL32 ref: 00007FF6B3283F49

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 584b817c781b292bdae6c9f173051f719874f7e7a874fc31c5244adf45dd7bb3
Instruction ID: 64c5c0b14029c1d5353d4f8935ccf3603357941f46fdc0c1fdf2174b5d559db7
Opcode Fuzzy Hash: 584b817c781b292bdae6c9f173051f719874f7e7a874fc31c5244adf45dd7bb3
Instruction Fuzzy Hash: F751B166F05A4586FE08CB5A9A423BD66B0BF98B98F148536CF1DA7794DF389482C340

Function 00007FF6B3283FF2 Relevance: 5.1, APIs: 4, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6B3283F39
HeapFree.KERNEL32 ref: 00007FF6B3283F49

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4eabaeb2e6c4272030c28ef9aa8f4f5c48f3e402fb6e30ed2b619c6e7ec1ce14
Instruction ID: b7a0f31f7698d56b084e4760d3669c070504502619ef9398dfd142a6e7a9b1d9
Opcode Fuzzy Hash: 4eabaeb2e6c4272030c28ef9aa8f4f5c48f3e402fb6e30ed2b619c6e7ec1ce14
Instruction Fuzzy Hash: D051A166B09A4586FB05CB5ADA013BD66B0BF94B98F148536CF1DA3794DF3895828340

Function 00007FF6B3284010 Relevance: 5.1, APIs: 4, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6B3283F39
HeapFree.KERNEL32 ref: 00007FF6B3283F49

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7288b7ead6b84b21427bc5c4ce3f40f32ae6214182979457ff8e2e89a53cb556
Instruction ID: 2403405c5f6524c347cbe2b53ad24067c5b90dce40bf699fdc63092fd61b3303
Opcode Fuzzy Hash: 7288b7ead6b84b21427bc5c4ce3f40f32ae6214182979457ff8e2e89a53cb556
Instruction Fuzzy Hash: 8951A166B09A4586FB05CB5ADA013BD66B0BF94B98F148536CF1DA3794DF3895828340

Function 00007FF6B32923F0 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6B3292423
HeapFree.KERNEL32 ref: 00007FF6B3292443
CloseHandle.KERNEL32 ref: 00007FF6B3292460
CloseHandle.KERNEL32 ref: 00007FF6B3292466

Memory Dump Source

Source File: 00000000.00000002.870145468.00007FF6B3251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B3250000, based on PE: true

Associated: 00000000.00000002.870073764.00007FF6B3250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870228180.00007FF6B329B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870270164.00007FF6B32AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.870300039.00007FF6B32AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b3250000_AMSilence.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 9706d9601bc963db368842f7adf9c599db0aa146ddee7e46d699f184a29084b8
Instruction ID: a3a311feb0b775fc7719823eadc4377e068f0bdfe4c15e289edf8032577a87c0
Opcode Fuzzy Hash: 9706d9601bc963db368842f7adf9c599db0aa146ddee7e46d699f184a29084b8
Instruction Fuzzy Hash: 67018F26B04A95D4E715DF3BED457E92360FB88B58F044132EE0D96665CF38D486C300

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AMSilence.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: AMSilence.exePID: 8496, Parent PID: 5016

General

Chronological Activities

Analysis Process: conhost.exePID: 8524, Parent PID: 8496

General

Chronological Activities

Disassembly

Windows Analysis Report
AMSilence.exe

Function 00007FF6B325B9F0 Relevance: 42.5, APIs: 21, Strings: 3, Instructions: 487
memoryCOMMON

Function 00007FF6B32521E0 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 375
memoryCOMMON

Function 00007FF6B3269D70 Relevance: 27.4, APIs: 18, Instructions: 427
memoryfileCOMMON

Function 00007FF6B325C3B0 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 437
memoryCOMMON

Function 00007FF6B3283A70 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 187
filememoryCOMMON

Function 00007FF6B32583F0 Relevance: 15.3, APIs: 10, Instructions: 254
memorystringCOMMON

Function 00007FF6B3273100 Relevance: 3.1, APIs: 2, Instructions: 82
COMMON

Function 00007FF6B32816A0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
memoryCOMMON

Function 00007FF6B3252A90 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 118
memoryCOMMON

Function 00007FF6B3297960 Relevance: 9.1, APIs: 6, Instructions: 94
COMMON

Function 00007FF6B3252E70 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 117
librarymemoryCOMMON

Function 00007FF6B32521A0 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 18
COMMON

Function 00007FF6B3252990 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Function 00007FF6B3283830 Relevance: 2.6, APIs: 2, Instructions: 107
memoryCOMMON