Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe
Analysis ID:	1532613
MD5:	5d0de7f05d673ba4135d698134385416
SHA1:	8f54cb2091ef206bb9b608c5d2e2e8ee53176e51
SHA256:	f221046e04812cb9cc27d82d35d6445f70801fb9ed0755d8cdffee45b61ba525
Tags:	exe

Errors Corrupt sample or wrongly selected analyzer. Details: The %1 application cannot be run in Win32 mode.

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains an invalid checksum

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe" MD5: 5D0DE7F05D673BA4135D698134385416)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe	ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe	Virustotal: Detection: 36%			Perma Link

Source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\ac\Desktop\MTA\MTASA spoofer\x64\Release\MTASpoofer.pdb source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe
Source:	Binary string: C:\Users\ac\Desktop\MTA\MTASA spoofer\x64\Release\MTASpoofer.pdb source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Code function: 2_2_00007FF7F43E2A2C DbgPrint,ExAllocatePoolWithTag,ZwQuerySystemInformation,ExFreePoolWithTag,ExFreePoolWithTag,

2_2_00007FF7F43E2A2C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Code function: 2_2_00007FF7F43E1190: IoDriverObjectType,ObReferenceObjectByName,DbgPrint,ObfDereferenceObject,DbgPrint,IoDriverObjectType,ObReferenceObjectByName,DbgPrint,DbgPrint,IoEnumerateDeviceObjectList,ExAllocatePoolWithTag,IoEnumerateDeviceObjectList,IoGetAttachedDeviceReference,KeInitializeEvent,IoBuildDeviceIoControlRequest,IofCallDriver,KeWaitForSingleObject,DbgPrint,ObfDereferenceObject,DbgPrint,rand,ObfDereferenceObject,DbgPrint,DbgPrint,ExFreePoolWithTag,DbgPrint,DbgPrint,DbgPrint,ObfDereferenceObject,rand,DbgPrint,

2_2_00007FF7F43E1190

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Code function: 2_2_00007FF7F43E1190

2_2_00007FF7F43E1190

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Code function: String function: 00007FF7F43E2DAD appears 42 times

Source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Binary string: \Device\%ws

Source: classification engine

Classification label: mal48.winEXE@1/0@0/0

Source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe	ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe	Virustotal: Detection: 36%

Source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\ac\Desktop\MTA\MTASA spoofer\x64\Release\MTASpoofer.pdb source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe
Source:	Binary string: C:\Users\ac\Desktop\MTA\MTASA spoofer\x64\Release\MTASpoofer.pdb source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Source: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Static PE information: real checksum: 0x9e88 should be: 0x118c0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Code function: 2_2_00007FF7F43E2DD4 cpuid

2_2_00007FF7F43E2DD4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Information Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe	32%	ReversingLabs	Win64.Malware.Generic
SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe	37%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532613
Start date and time:	2024-10-13 18:36:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe
Detection:	MAL
Classification:	mal48.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

Corrupt sample or wrongly selected analyzer. Details: The %1 application cannot be run in Win32 mode.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, Sgrmuserer.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net
Execution Graph export aborted for target SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe, PID 7528 because there are no executed function

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (native) x86-64, for MS Windows
Entropy (8bit):	5.627856281171006
TrID:	Win64 Device Driver (generic) (12004/3) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe
File size:	22'448 bytes
MD5:	5d0de7f05d673ba4135d698134385416
SHA1:	8f54cb2091ef206bb9b608c5d2e2e8ee53176e51
SHA256:	f221046e04812cb9cc27d82d35d6445f70801fb9ed0755d8cdffee45b61ba525
SHA512:	ad9844c47a5958df1d24041a9b1e0320c460e685c6a08c0af6b292c30e659182a53a4b57c005357938846fb27268e5b6ccceea1e55da1a2112052183e745c349
SSDEEP:	384:Hi3b+JWPVSsf0Kb+m5FbSBDbzKG+eV8NoFAoHq0vkpG6Bm2mxAhdw:LiVSs0KVnbSRbmNoiC3vkoTxA
TLSH:	7DA2199772640149E2B91139E7249A27C371F48143519BEF43E693B95F33BD025BFB82
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................5.......5.......Rich............................PE..d....Z.c.........."

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400016b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	native
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x639F5AE5 [Sun Dec 18 18:24:37 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	74b08518b0767e2e0d22ac4c02c62c8d

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
dec eax
mov dword ptr [esp+20h], edi
push ebp
inc ecx
push esp
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 70h
dec eax
mov eax, 00000014h
xor bh, FFFFFFFFh
dec dword ptr [eax-73h]
or eax, 00004994h
dec eax
mov eax, dword ptr [eax]
mov dword ptr [0000498Bh], eax
call dword ptr [0000297Dh]
movups xmm0, dqword ptr [000023CEh]
mov dword ptr [ebp+30h], eax
mov esi, 0000000Ch
mov eax, dword ptr [000023E0h]
dec eax
lea ebx, dword ptr [ebp-50h]
movups xmm1, dqword ptr [000023C5h]
mov dword ptr [ebp-10h], eax
inc esp
mov esi, esi
mov al, byte ptr [000023CDh]
xor edi, edi
mov byte ptr [ebp-0Ch], al
dec ecx
mov esp, 8E38E38Fh
jecxz 00007F8C7C82F30Ah
mov fs, bx
movups dqword ptr [ebp-30h], xmm0
mov dword ptr [ebp-50h], 39303035h
movups dqword ptr [ebp-20h], xmm1
mov dword ptr [ebp-4Ch], 33394537h
mov dword ptr [ebp-48h], 41333138h
inc eax
cmp byte ptr [ebx], bh
jne 00007F8C7C82F2F9h
dec eax
lea ecx, dword ptr [ebp+30h]
call dword ptr [00002916h]
mov ecx, eax
dec ecx
mov eax, esp
dec eax
mul ecx
dec eax
shr edx, 05h
dec eax
lea eax, dword ptr [edx+edx*8]
dec eax
shl eax, 02h
dec eax
sub ecx, eax
mov al, byte ptr [ebp+ecx-30h]
mov byte ptr [ebx], al
dec eax
inc ebx
dec ecx
sub esi, 01h
jne 00007F8C7C82F29Dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa000	0x28	INIT
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x9000	0x18c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x40c8	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c3f	0x2e00	3f883a25dddecdbbda307aab754c7583	False	0.5070482336956522	data	6.237136703190457	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x460	0x600	c5f7dffd49afcb152126e2b46e1e16ef	False	0.4244791666666667	data	3.6210073341664373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data	0x5000	0x3068	0x200	db529a89da6069506a9071e8daed8c41	False	0.041015625	data	0.1479605681713509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x9000	0x18c	0x200	d3a03678d8485dfc63871a8bc639da56	False	0.494140625	data	3.182843258564883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
INIT	0xa000	0x2e0	0x400	2d593d8357e9b0ddf02cc53e75e04f14	False	0.4404296875	data	3.7518190901876096	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
ntoskrnl.exe	wcsstr, RtlInitUnicodeString, DbgPrint, KeInitializeEvent, KeWaitForSingleObject, ExAllocatePoolWithTag, ExFreePoolWithTag, MmMapLockedPages, IoBuildDeviceIoControlRequest, IofCallDriver, IoGetAttachedDeviceReference, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlRandomEx, IoEnumerateDeviceObjectList, ObQueryNameString, swprintf, ObReferenceObjectByName, rand, IoDriverObjectType, tolower, strstr, MmCopyMemory, ZwQuerySystemInformation

DLL

Import

ntoskrnl.exe

wcsstr, RtlInitUnicodeString, DbgPrint, KeInitializeEvent, KeWaitForSingleObject, ExAllocatePoolWithTag, ExFreePoolWithTag, MmMapLockedPages, IoBuildDeviceIoControlRequest, IofCallDriver, IoGetAttachedDeviceReference, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlRandomEx, IoEnumerateDeviceObjectList, ObQueryNameString, swprintf, ObReferenceObjectByName, rand, IoDriverObjectType, tolower, strstr, MmCopyMemory, ZwQuerySystemInformation

Target ID:	2
Start time:	12:37:01
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe"
Imagebase:	0x7ff7f43e0000
File size:	22'448 bytes
MD5 hash:	5D0DE7F05D673BA4135D698134385416
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FF7F43E1190 Relevance: 89.5, APIs: 29, Strings: 22, Instructions: 291memoryCOMMON

Download Yara Rule

APIs

ObReferenceObjectByName.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E11FB
DbgPrint.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1262
ObfDereferenceObject.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E126B
DbgPrint.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1281
ObReferenceObjectByName.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E12CA
DbgPrint.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E12E2
DbgPrint.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1344
IoEnumerateDeviceObjectList.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1380
ExAllocatePoolWithTag.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E13AD
IoEnumerateDeviceObjectList.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E13CD
IoGetAttachedDeviceReference.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E13F7
KeInitializeEvent.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E141F
IoBuildDeviceIoControlRequest.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1450
IofCallDriver.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1461
KeWaitForSingleObject.NTOSKRNL.EXE ref: 00007FF7F43E1480
DbgPrint.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E148F
ObfDereferenceObject.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1497
DbgPrint.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E14E0
rand.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E14E8
ObfDereferenceObject.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E14F0
DbgPrint.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E150E
DbgPrint.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1525
ExFreePoolWithTag.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E152F
DbgPrint.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1541
DbgPrint.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1552
DbgPrint.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1560
ObfDereferenceObject.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1569
rand.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E15E8
DbgPrint.NTOSKRNL.EXE(?,?,00000000,0000000C,?,00007FF7F43E17A6), ref: 00007FF7F43E1620

Strings

[dbg] ! failed to get disk devices (got %d): %p !, xrefs: 00007FF7F43E151E
[dbg] swapped %wZ, xrefs: 00007FF7F43E125B, 00007FF7F43E12FD
[dbg] ! DiskEnableDisableFailurePrediction failed: %p !, xrefs: 00007FF7F43E14D9
storport.sys, xrefs: 00007FF7F43E1571
f9,A, xrefs: 00007FF7F43E15B1
[dbg] ! failed to find RaidUnitRegisterInterfaces !, xrefs: 00007FF7F43E1610
xxxx????xxxx????xx, xrefs: 00007FF7F43E1589
\Driver\partmgr, xrefs: 00007FF7F43E11B5
[dbg] ! failed to get %wZ: %p !, xrefs: 00007FF7F43E127A, 00007FF7F43E12DB
xx?xxxxxxxxxxxxx, xrefs: 00007FF7F43E134D
[dbg] ! failed to get disk device list size (got %d): %p !, xrefs: 00007FF7F43E154B
ScUn, xrefs: 00007FF7F43E13A7
[dbg] ! failed to find DiskEnableDisableFailurePrediction !, xrefs: 00007FF7F43E1559
xxxx, xrefs: 00007FF7F43E15A7
[dbg] disabling smart succeeded for %d/%d, xrefs: 00007FF7F43E1504
[dbg] ! failed to build IoControlRequest !, xrefs: 00007FF7F43E1488
[dbg] ! failed to find RaidUnitExtension_SerialNumber (1) !, xrefs: 00007FF7F43E15FE
[dbg] ! failed to find RaidUnitExtension_SerialNumber (0) !, xrefs: 00007FF7F43E1607
xxx, xrefs: 00007FF7F43E15C2
\Driver\Disk, xrefs: 00007FF7F43E1286
[dbg] ! failed to allocated %d disk devices !, xrefs: 00007FF7F43E153A
[dbg] ! failed to get "storport.sys" !, xrefs: 00007FF7F43E1619

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: Print.$Object.$DereferenceDeviceObject$EnumerateList.Name.PoolReferenceTag.Withrand.$AllocateAttachedBuildCallControlDriver.Event.FreeInitializeReference.Request.SingleWait
String ID: ScUn$[dbg] ! DiskEnableDisableFailurePrediction failed: %p !$[dbg] ! failed to allocated %d disk devices !$[dbg] ! failed to build IoControlRequest !$[dbg] ! failed to find DiskEnableDisableFailurePrediction !$[dbg] ! failed to find RaidUnitExtension_SerialNumber (0) !$[dbg] ! failed to find RaidUnitExtension_SerialNumber (1) !$[dbg] ! failed to find RaidUnitRegisterInterfaces !$[dbg] ! failed to get "storport.sys" !$[dbg] ! failed to get %wZ: %p !$[dbg] ! failed to get disk device list size (got %d): %p !$[dbg] ! failed to get disk devices (got %d): %p !$[dbg] disabling smart succeeded for %d/%d$[dbg] swapped %wZ$\Driver\Disk$\Driver\partmgr$f9,A$storport.sys$xx?xxxxxxxxxxxxx$xxx$xxxx$xxxx????xxxx????xx
API String ID: 2463539936-1864917822
Opcode ID: f33ca265b9728d91bbfaec0738f1161a48a94ffbcf742d8143d637bc2a0845c6
Instruction ID: 646a7fe950050b083a86ebdecc4782c1f143c822b7679557ddfe22ca328d7ab6
Opcode Fuzzy Hash: f33ca265b9728d91bbfaec0738f1161a48a94ffbcf742d8143d637bc2a0845c6
Instruction Fuzzy Hash: F2D19321A1A64687EB10EF26E8C06B9A3A0BF44744FC04039D96E637D5DF3CE54DC7A9

Function 00007FF7F43E2A2C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 111memorynativeCOMMON

Download Yara Rule

APIs

DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2A70
ExAllocatePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E2A8B
ZwQuerySystemInformation.NTOSKRNL.EXE ref: 00007FF7F43E2AB9
ExFreePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E2AC9
ExFreePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E2BA1

Strings

[dbg] ! failed to allocate %d bytes for modules !, xrefs: 00007FF7F43E2AA0
[dbg] ! ZwQuerySystemInformation failed: %p !, xrefs: 00007FF7F43E2AD1
[dbg] ! ZwQuerySystemInformation for size failed: %p !, xrefs: 00007FF7F43E2A69
ScUn, xrefs: 00007FF7F43E2A85

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: PoolTag.With$Free$AllocateInformation.Print.QuerySystem
String ID: ScUn$[dbg] ! ZwQuerySystemInformation failed: %p !$[dbg] ! ZwQuerySystemInformation for size failed: %p !$[dbg] ! failed to allocate %d bytes for modules !
API String ID: 1773983456-2101061909
Opcode ID: ca76beedaf592add256a6862cf44b7a7118ccb02b041610b3a8eeb61682044bf
Instruction ID: 19ba97cec64f97e98ca46774f8edcbbb38f8f1440c47ce27f7f7a3191a4bfb23
Opcode Fuzzy Hash: ca76beedaf592add256a6862cf44b7a7118ccb02b041610b3a8eeb61682044bf
Instruction Fuzzy Hash: 4B41C622E09A8283E7119F2AD4412B9B360FFE8B44F55D135CB5D57392EF3CE58A8354

Function 00007FF7F43E2DD4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112b46b6c9c616fd42568f3a7420d783f7775e62a878b686386377c301934e2d
Instruction ID: e2f03f3df07c9e8dab2353ee70eb82e4d4a39012f1f8b902384ca444afbe0dfb
Opcode Fuzzy Hash: 112b46b6c9c616fd42568f3a7420d783f7775e62a878b686386377c301934e2d
Instruction Fuzzy Hash: 6A01F172A0D2524FFB298E2BE092726BA81ABA4310F40D07DE49EC36C5D57D90814F68

Function 00007FF7F43E1CD4 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 204COMMON

Download Yara Rule

APIs

ObReferenceObjectByName.NTOSKRNL.EXE ref: 00007FF7F43E1D40
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E1DAE
ObfDereferenceObject.NTOSKRNL.EXE ref: 00007FF7F43E1DBA
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E1DD1
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E204E

Part of subcall function 00007FF7F43E2C38: ExAllocatePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E2C5B
Part of subcall function 00007FF7F43E2C38: MmCopyMemory.NTOSKRNL.EXE ref: 00007FF7F43E2C88

ExFreePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E1EB4
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E1EC5
RtlInitUnicodeString.NTOSKRNL.EXE ref: 00007FF7F43E1EDB
IoGetDeviceObjectPointer.NTOSKRNL.EXE ref: 00007FF7F43E1F09
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E1FC2
ObfDereferenceObject.NTOSKRNL.EXE ref: 00007FF7F43E1FD4
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E1FE7
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E1FFD
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2065

Strings

\Device\%ws, xrefs: 00007FF7F43E1E9F
[dbg] swapped %wZ, xrefs: 00007FF7F43E1DA7, 00007FF7F43E1FB2
[dbg] handled %d MACs, xrefs: 00007FF7F43E2047
, xrefs: 00007FF7F43E1D0D
[dbg] found NIC %ws, xrefs: 00007FF7F43E1EBE
xx?xx?????x???xxx, xrefs: 00007FF7F43E1E1A
[dbg] %wZ already swapped, xrefs: 00007FF7F43E1FE0
[dbg] ! failed to get %wZ: %p !, xrefs: 00007FF7F43E1DCA, 00007FF7F43E1FF6
\Driver\nsiproxy, xrefs: 00007FF7F43E1CF7
xxxxxx, xrefs: 00007FF7F43E1DF8
[dbg] ! failed to get "ndis.sys" !, xrefs: 00007FF7F43E1DEC
[dbg] ! failed to find ndisGlobalFilterList !, xrefs: 00007FF7F43E205E
[dbg] ! failed to find ndisFilter_IfBlock !, xrefs: 00007FF7F43E2055
ndis.sys, xrefs: 00007FF7F43E1DD8

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: Print.$DereferenceObjectObject.PoolTag.With$AllocateCopyDeviceFreeInitMemory.Name.Pointer.ReferenceString.Unicode
String ID: $[dbg] ! failed to find ndisFilter_IfBlock !$[dbg] ! failed to find ndisGlobalFilterList !$[dbg] ! failed to get "ndis.sys" !$[dbg] ! failed to get %wZ: %p !$[dbg] %wZ already swapped$[dbg] found NIC %ws$[dbg] handled %d MACs$[dbg] swapped %wZ$\Device\%ws$\Driver\nsiproxy$ndis.sys$xx?xx?????x???xxx$xxxxxx
API String ID: 44345724-1945522286
Opcode ID: c350e9f5d3da9a74abbef103ffd59a80bd0d3ce6a9cee281eb896e69e568e0be
Instruction ID: a4091406c537e2c11e978034b58422287579a0dd85a4f26ce83b3b80021d2de2
Opcode Fuzzy Hash: c350e9f5d3da9a74abbef103ffd59a80bd0d3ce6a9cee281eb896e69e568e0be
Instruction Fuzzy Hash: B5A18062A0AA4283EB10EF16E8803F9A360FF94744F804139DA6D676D5DF3CE54DC3A5

Function 00007FF7F43E2438 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

ObReferenceObjectByName.NTOSKRNL.EXE ref: 00007FF7F43E24AA
IoEnumerateDeviceObjectList.NTOSKRNL.EXE ref: 00007FF7F43E24D0
ExAllocatePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E2506
IoEnumerateDeviceObjectList.NTOSKRNL.EXE ref: 00007FF7F43E2533
ObQueryNameString.NTOSKRNL.EXE ref: 00007FF7F43E2584
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2619
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2641
ObfDereferenceObject.NTOSKRNL.EXE ref: 00007FF7F43E2649
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2669
ExFreePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E2673
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2688
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2699
ObfDereferenceObject.NTOSKRNL.EXE ref: 00007FF7F43E26A3
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E26BA

Strings

[dbg] ! RaidUnitRegisterInterfaces failed: %p !, xrefs: 00007FF7F43E2612
[dbg] ! failed to get storahci device list size (got %d): %p !, xrefs: 00007FF7F43E2692
, xrefs: 00007FF7F43E2473
\Driver\storahci, xrefs: 00007FF7F43E245F
[dbg] %wZ: RaidUnitRegisterInterfaces succeeded for %d/%d, xrefs: 00007FF7F43E263A
[dbg] ! failed to get storahci devices (got %d): %p !, xrefs: 00007FF7F43E2662
ScUn, xrefs: 00007FF7F43E24FA
[dbg] ! failed to get %wZ: %p !, xrefs: 00007FF7F43E26B3
\RaidPort, xrefs: 00007FF7F43E2597
[dbg] ! failed to allocated %d storahci devices !, xrefs: 00007FF7F43E2681

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: Print.$Object$DereferenceDeviceEnumerateList.Object.PoolTag.With$AllocateFreeNameName.QueryReferenceString.
String ID: $ScUn$[dbg] ! RaidUnitRegisterInterfaces failed: %p !$[dbg] ! failed to allocated %d storahci devices !$[dbg] ! failed to get %wZ: %p !$[dbg] ! failed to get storahci device list size (got %d): %p !$[dbg] ! failed to get storahci devices (got %d): %p !$[dbg] %wZ: RaidUnitRegisterInterfaces succeeded for %d/%d$\Driver\storahci$\RaidPort
API String ID: 2320022414-1430684278
Opcode ID: 044d98b04984aed8e766da6818a8067124e62322ef917fdd4a9d634ed9025da1
Instruction ID: 0169aae59a549603aac7416417cbddabb14763e2ad3e034611100d166a5d521f
Opcode Fuzzy Hash: 044d98b04984aed8e766da6818a8067124e62322ef917fdd4a9d634ed9025da1
Instruction Fuzzy Hash: CB71C622A1A682C3F710EF22E8807AAA760FF84744F804139DA6D176D5DF3CD54DC795

Function 00007FF7F43E16B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

RtlRandomEx.NTOSKRNL.EXE ref: 00007FF7F43E16E5
RtlRandomEx.NTOSKRNL.EXE ref: 00007FF7F43E174C
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E179C
RtlRandomEx.NTOSKRNL.EXE ref: 00007FF7F43E17C1
RtlRandomEx.NTOSKRNL.EXE ref: 00007FF7F43E17E4
RtlRandomEx.NTOSKRNL.EXE ref: 00007FF7F43E1802
RtlRandomEx.NTOSKRNL.EXE ref: 00007FF7F43E1838
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E1877

Strings

[dbg] ++ loaded, xrefs: 00007FF7F43E1870
7890, xrefs: 00007FF7F43E16FA
[dbg] ++ loading (serial: %s), xrefs: 00007FF7F43E1795
5009813A, xrefs: 00007FF7F43E177E
813A, xrefs: 00007FF7F43E173C

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: Random$Print.
String ID: 5009813A$7890$813A$[dbg] ++ loaded$[dbg] ++ loading (serial: %s)
API String ID: 3762507709-1026871171
Opcode ID: 007b516e4bcba8a185ab856e83debb344ecfaa31f6102eaea60fd64371fbc4d9
Instruction ID: 6c895927eed4ad6226a84a70855e3d38e2af964a391dbd52bd0d242f709aaafd
Opcode Fuzzy Hash: 007b516e4bcba8a185ab856e83debb344ecfaa31f6102eaea60fd64371fbc4d9
Instruction Fuzzy Hash: C651E772E256958BEB00EF36D8800BCB7A0FF54744B810239DA2EA3B95DF38D549C365

Function 00007FF7F43E10AC Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F43E2A2C: DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2A70

DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E111B
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E1156

Strings

[dbg] ! failed to get "ntoskrnl.exe" !, xrefs: 00007FF7F43E10C8
[dbg] ! KiUpdateTimeZoneInfo not found !, xrefs: 00007FF7F43E117B
ntoskrnl.exe, xrefs: 00007FF7F43E10B4
xxx????xxxx?xx, xrefs: 00007FF7F43E1120
xxxxxxxxxxxxxxxxxxxxxx?, xrefs: 00007FF7F43E115B
[dbg] nulled SMBIOS table physical address, xrefs: 00007FF7F43E1146
xxx????xx?x, xrefs: 00007FF7F43E10D4
[dbg] handled ExpBootEnvironmentInformation, xrefs: 00007FF7F43E110B
[dbg] ! WmipSMBiosTablePhysicalAddress not found !, xrefs: 00007FF7F43E114F
[dbg] ! ExpBootEnvironmentInformation not found !, xrefs: 00007FF7F43E1114
[dbg] replaced KiUpdateTimeZoneInfo, xrefs: 00007FF7F43E1174

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: Print.
String ID: [dbg] ! ExpBootEnvironmentInformation not found !$[dbg] ! KiUpdateTimeZoneInfo not found !$[dbg] ! WmipSMBiosTablePhysicalAddress not found !$[dbg] ! failed to get "ntoskrnl.exe" !$[dbg] handled ExpBootEnvironmentInformation$[dbg] nulled SMBIOS table physical address$[dbg] replaced KiUpdateTimeZoneInfo$ntoskrnl.exe$xxx????xx?x$xxx????xxxx?xx$xxxxxxxxxxxxxxxxxxxxxx?
API String ID: 2914841957-832411715
Opcode ID: c39bce68e6d7f9307d573532802104d0e6b114a22920be2165479a112ccfc6eb
Instruction ID: 28b467bc536ae189c49e2ab1127c999acd6f0085b4428a43af1bb5480a6edcb3
Opcode Fuzzy Hash: c39bce68e6d7f9307d573532802104d0e6b114a22920be2165479a112ccfc6eb
Instruction Fuzzy Hash: D821E7A0A0B50293EB54FF17E8D12F4A3A1AF44740FC4547AD53D626D1AE3CE50D82AA

Function 00007FF7F43E1898 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ObReferenceObjectByName.NTOSKRNL.EXE ref: 00007FF7F43E18E9
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E1950
ObfDereferenceObject.NTOSKRNL.EXE ref: 00007FF7F43E1959
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E196F

Strings

[dbg] swapped %wZ, xrefs: 00007FF7F43E1949
\Driver\nvlddmkm, xrefs: 00007FF7F43E18A6
[dbg] ! failed to get %wZ: %p !, xrefs: 00007FF7F43E1968
, xrefs: 00007FF7F43E18B8

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: Print.$DereferenceName.ObjectObject.Reference
String ID: $[dbg] ! failed to get %wZ: %p !$[dbg] swapped %wZ$\Driver\nvlddmkm
API String ID: 2746957930-3701325682
Opcode ID: 8543937c9d61ae8933c1114851e1c6ad184ce2810c8f48d13cb1c70f1984aaff
Instruction ID: 2e1dc0a1ddf9315d0a163c94dff767e72ac020e92b692843bace7c24930a281d
Opcode Fuzzy Hash: 8543937c9d61ae8933c1114851e1c6ad184ce2810c8f48d13cb1c70f1984aaff
Instruction Fuzzy Hash: 8A214F72E15B5687EB009F61E8803A87374FF94348F801535DA6D67A94EF38D298C3A5

Function 00007FF7F43E2790 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 52COMMON

Download Yara Rule

APIs

ObReferenceObjectByName.NTOSKRNL.EXE ref: 00007FF7F43E27E1
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2848
ObfDereferenceObject.NTOSKRNL.EXE ref: 00007FF7F43E2851
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2867

Strings

[dbg] swapped %wZ, xrefs: 00007FF7F43E2841
\Driver\mountmgr, xrefs: 00007FF7F43E279E
[dbg] ! failed to get %wZ: %p !, xrefs: 00007FF7F43E2860
, xrefs: 00007FF7F43E27B0

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: Print.$DereferenceName.ObjectObject.Reference
String ID: $[dbg] ! failed to get %wZ: %p !$[dbg] swapped %wZ$\Driver\mountmgr
API String ID: 2746957930-3214491416
Opcode ID: b50985e71b517e5adb780bb47acb2322fd821004a371bfc7607aa572c954b49e
Instruction ID: a233cfaeb220e8be8908744331722b29ba4c2e4f4f36ee4fd26afbf3445f995b
Opcode Fuzzy Hash: b50985e71b517e5adb780bb47acb2322fd821004a371bfc7607aa572c954b49e
Instruction Fuzzy Hash: 6D217172E15B568BEB009F61E8803A87370FF94348F805539DA6D67A94EF3CD258C3A5

Function 00007FF7F43E1A58 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

ExFreePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E1B16

Strings

gfff, xrefs: 00007FF7F43E1AD9
GPU-, xrefs: 00007FF7F43E1ABC
[dbg] handled GPU serial, xrefs: 00007FF7F43E1B05

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: FreePoolTag.With
String ID: GPU-$[dbg] handled GPU serial$gfff
API String ID: 3482035206-1825009805
Opcode ID: 7193f271756192246a2e2b08a7cf75d4aa47b6e61ad8b0667bb66988683d412e
Instruction ID: 68d039c05659d6696393e8662b6fbffb84a0b68abf92e9b3f7bc5c47398c77e5
Opcode Fuzzy Hash: 7193f271756192246a2e2b08a7cf75d4aa47b6e61ad8b0667bb66988683d412e
Instruction Fuzzy Hash: 3521F521B15A9287EB48AF17D4C017DB651FF84B80F894139CA2E677D1CE3CE849C3A6

Function 00007FF7F43E2C38 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

ExAllocatePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E2C5B
MmCopyMemory.NTOSKRNL.EXE ref: 00007FF7F43E2C88
ExFreePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E2CA3
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2CB4

Strings

[dbg] ! failed to allocate pool of size %d !, xrefs: 00007FF7F43E2CAD
ScUn, xrefs: 00007FF7F43E2C55

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: PoolTag.With$AllocateCopyFreeMemory.Print.
String ID: ScUn$[dbg] ! failed to allocate pool of size %d !
API String ID: 2840923549-451155424
Opcode ID: 08521ace4a08f74b568fcc0eb2ff7058e86db5cae20d4ef836ab68ef978d1bcb
Instruction ID: 586639e79c7a4bedb89b5397b4a6af245984fac0ce8c83ad25a2a592d692cdaa
Opcode Fuzzy Hash: 08521ace4a08f74b568fcc0eb2ff7058e86db5cae20d4ef836ab68ef978d1bcb
Instruction Fuzzy Hash: D601C825B19A4283E7109F03F44022AE3A0FF98B90F844139EE9D577D9DF7CD4498799

Function 00007FF7F43E2874 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

ExAllocatePoolWithTag.NTOSKRNL.EXE(?,?,?,00007FF7F43E1696), ref: 00007FF7F43E2899
DbgPrint.NTOSKRNL.EXE(?,?,?,00007FF7F43E1696), ref: 00007FF7F43E28AE

Strings

@, xrefs: 00007FF7F43E28D2
ScUn, xrefs: 00007FF7F43E2893
[dbg] ! failed to allocate IOC_REQUEST !, xrefs: 00007FF7F43E28A7

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: AllocatePoolPrint.Tag.With
String ID: @$ScUn$[dbg] ! failed to allocate IOC_REQUEST !
API String ID: 4056552972-3030593671
Opcode ID: 5472ebfed6d7dbb3a84265965c5e0caca2074a139016a40c95578a7ec33ff667
Instruction ID: d5add55fd3d775b7ebba2cb5f1ebbde6a5d721fed86fc8de76f8568269e865ae
Opcode Fuzzy Hash: 5472ebfed6d7dbb3a84265965c5e0caca2074a139016a40c95578a7ec33ff667
Instruction Fuzzy Hash: 1D017132A09B41C7EB54CF1AE480119B7A4EB18B84B544039DB5D53799DF38C896C794

Function 00007FF7F43E2130 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

ExFreePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E2154
MmMapLockedPages.NTOSKRNL.EXE ref: 00007FF7F43E2171
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2192

Strings

[dbg] handled NICIoc, xrefs: 00007FF7F43E218B

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: FreeLockedPages.PoolPrint.Tag.With
String ID: [dbg] handled NICIoc
API String ID: 2686450947-1764774406
Opcode ID: b2a953c4740f12a198d48c13beead0023673273cad321d8ff562637ce5c92bfa
Instruction ID: f69f6faad9fd0651d91b732453f0381baf8e0d6e80fc4072542485c4f0e0d97b
Opcode Fuzzy Hash: b2a953c4740f12a198d48c13beead0023673273cad321d8ff562637ce5c92bfa
Instruction Fuzzy Hash: 0B01C611A1E68183EB44EF67D980239D370AF88BC4F884038DE3E123D5DE2DE5888255

Function 00007FF7F43E197C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

RtlRandomEx.NTOSKRNL.EXE ref: 00007FF7F43E19DE
RtlRandomEx.NTOSKRNL.EXE ref: 00007FF7F43E1A09

Strings

7890, xrefs: 00007FF7F43E19B2

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: Random
String ID: 7890
API String ID: 295165923-1318917690
Opcode ID: 74bdf7f2a9b737ed214e2226171097889700c4832f6c41cef61869f6d7e398c8
Instruction ID: e9a6feca46e7d36a42605929d3547d4e620b34d190d5eec47e9f31ca845246a7
Opcode Fuzzy Hash: 74bdf7f2a9b737ed214e2226171097889700c4832f6c41cef61869f6d7e398c8
Instruction Fuzzy Hash: 74213A25A197D187DB00DF27E880039B7B0FB98B80B984239CB9D53765CE38E489C744

Function 00007FF7F43E26DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

ExFreePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E2711
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E275E

Strings

[dbg] handled StorageQueryIoc, xrefs: 00007FF7F43E2757

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: FreePoolPrint.Tag.With
String ID: [dbg] handled StorageQueryIoc
API String ID: 1830738274-1170490490
Opcode ID: d802660afd20de31d98152140b777413568f100922f13a92a10f04dd5b83dac1
Instruction ID: 2d4c10600040d8e874d2f86ac1e0ebebd1f8a62c567d9f1eca5bcc958908c14b
Opcode Fuzzy Hash: d802660afd20de31d98152140b777413568f100922f13a92a10f04dd5b83dac1
Instruction Fuzzy Hash: 7D110D12E197C543EB04DF26D5D01B8A360AF59B84F985138DF5C622D3EE1CE5C88295

Function 00007FF7F43E1000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

ExFreePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E1035
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E1078

Strings

[dbg] handled AtaPassIoc, xrefs: 00007FF7F43E1071

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: FreePoolPrint.Tag.With
String ID: [dbg] handled AtaPassIoc
API String ID: 1830738274-3984611794
Opcode ID: 993ed28a91b9affd979cf6d311117ac61cf5cde9680c8441f18048dc26e400fc
Instruction ID: 2ddc575efeb8c6381be9493b7e0ec96db2746a8516453bce34acc6c73feedd6b
Opcode Fuzzy Hash: 993ed28a91b9affd979cf6d311117ac61cf5cde9680c8441f18048dc26e400fc
Instruction Fuzzy Hash: C4110F12E1A68143EF00EF26D5D017CE3616FD5B84F948134DB6C623D5EE2CE9C88255

Function 00007FF7F43E23A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

ExFreePoolWithTag.NTOSKRNL.EXE ref: 00007FF7F43E23D1
DbgPrint.NTOSKRNL.EXE ref: 00007FF7F43E2406

Strings

[dbg] handled SmartDataIoc, xrefs: 00007FF7F43E23FF

Memory Dump Source

Source File: 00000002.00000002.1265823327.00007FF7F43E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F43E0000, based on PE: true

Associated: 00000002.00000002.1265789449.00007FF7F43E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265842373.00007FF7F43E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265858270.00007FF7F43E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1265873833.00007FF7F43EA000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f43e0000_SecuriteInfo.jbxd

Similarity

API ID: FreePoolPrint.Tag.With
String ID: [dbg] handled SmartDataIoc
API String ID: 1830738274-1602112487
Opcode ID: 6b87be9a05fba3971ba1ef728485d2d269528afa9ddb9793f184199f7609d50a
Instruction ID: b246c7b1c8732193d4ce49d6544cd8fa19625d81060a4e2c4bb35005aff0ed28
Opcode Fuzzy Hash: 6b87be9a05fba3971ba1ef728485d2d269528afa9ddb9793f184199f7609d50a
Instruction Fuzzy Hash: 75012C12E19A8543EB01DF1BD590278E360BF99B84F949134DF6C62292EE2CE5C88655

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exePID: 7528, Parent PID: 3968

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Win64.Malware-gen.1863.6431.exePID: 7528, Parent PID: 3968COMMON

Non-executed Functions

Function 00007FF7F43E1190 Relevance: 89.5, APIs: 29, Strings: 22, Instructions: 291memoryCOMMON

Function 00007FF7F43E2A2C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 111memorynativeCOMMON

Function 00007FF7F43E2DD4 Relevance: .0, Instructions: 48COMMON

Function 00007FF7F43E1CD4 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 204COMMON

Function 00007FF7F43E2438 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 162memoryCOMMON

Function 00007FF7F43E16B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 128COMMON

Function 00007FF7F43E10AC Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 50COMMON

Function 00007FF7F43E1898 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53COMMON

Function 00007FF7F43E2790 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 52COMMON

Windows Analysis Report
SecuriteInfo.com.Win64.Malware-gen.1863.6431.exe