Windows Analysis Report
SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe
Analysis ID: 1543315
MD5: f52111c3f5e33838bfa369b625f086c3
SHA1: cf35eab7bf011cf4331b580afa86b545bbdd68e1
SHA256: 97a39344d4d8701faf884af706aedee5edc5d9529713a33c744241297c655144
Tags: exe

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Queries memory information (via WMI often done to detect virtual machines)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

AV Detection

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Avira: detected
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: unity.pdb source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719418C90 GetFileInformationByHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,FindFirstFileW,FindClose,HeapFree, 0_2_00007FF719418C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719434E6C FindFirstFileExA,FindClose, 0_2_00007FF719434E6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719434F7C FindFirstFileExA,FindClose,FindNextFileA, 0_2_00007FF719434F7C
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541EC9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541EC9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541E95000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F57000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541EC9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541EC9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541EC9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819267483.0000024542823000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245423EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.00000245425EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.00000245425EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819267483.000002454258C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.0000024542155000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.0000024542589000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.000002454239F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.00000245427D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719427CE5 GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLastError,GetLastError,CloseHandle,GetLastError,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,HeapFree,GetLastError,K32GetModuleFileNameExW,GetLastError,CloseHandle,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,ReadProcessMemory,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,GetProcessHeap,HeapFree, 0_2_00007FF719427CE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719429620 NtQueryInformationProcess,GetErrorInfo,NtQueryInformationProcess,HeapFree,HeapFree, 0_2_00007FF719429620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194240F5 PdhOpenQueryA,ProcessPrng,PdhCollectQueryData,HeapFree,NtQuerySystemInformation,GetErrorInfo,NtQuerySystemInformation,GetErrorInfo,RtlFreeHeap, 0_2_00007FF7194240F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194149E0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 0_2_00007FF7194149E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719427CE5 0_2_00007FF719427CE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71942B510 0_2_00007FF71942B510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F9368 0_2_00007FF7193F9368
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719428391 0_2_00007FF719428391
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194153A0 0_2_00007FF7194153A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71943B3D0 0_2_00007FF71943B3D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719429EB0 0_2_00007FF719429EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719411D93 0_2_00007FF719411D93
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F1530 0_2_00007FF7193F1530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194240F5 0_2_00007FF7194240F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F2760 0_2_00007FF7193F2760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F4790 0_2_00007FF7193F4790
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71942AF20 0_2_00007FF71942AF20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719424740 0_2_00007FF719424740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F6FBF 0_2_00007FF7193F6FBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F2A60 0_2_00007FF7193F2A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719421A90 0_2_00007FF719421A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719413A20 0_2_00007FF719413A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719439A20 0_2_00007FF719439A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719410A40 0_2_00007FF719410A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719406AF0 0_2_00007FF719406AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71943A2D0 0_2_00007FF71943A2D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71943D2D0 0_2_00007FF71943D2D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71941E970 0_2_00007FF71941E970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193FF990 0_2_00007FF7193FF990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F3930 0_2_00007FF7193F3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194071E0 0_2_00007FF7194071E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193FF200 0_2_00007FF7193FF200
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719439468 0_2_00007FF719439468
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F9496 0_2_00007FF7193F9496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71940CC30 0_2_00007FF71940CC30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F6D00 0_2_00007FF7193F6D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719434B90 0_2_00007FF719434B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719429B80 0_2_00007FF719429B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719411D93 0_2_00007FF719411D93
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F2BF0 0_2_00007FF7193F2BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F3BF0 0_2_00007FF7193F3BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719409400 0_2_00007FF719409400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719419BD0 0_2_00007FF719419BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194033D0 0_2_00007FF7194033D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193FFE60 0_2_00007FF7193FFE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719434E6C 0_2_00007FF719434E6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719426660 0_2_00007FF719426660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71941561B 0_2_00007FF71941561B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71943C710 0_2_00007FF71943C710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194046D0 0_2_00007FF7194046D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F4ED0 0_2_00007FF7193F4ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F4D40 0_2_00007FF7193F4D40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719411D40 0_2_00007FF719411D40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719416DF0 0_2_00007FF719416DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F65F0 0_2_00007FF7193F65F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194215E0 0_2_00007FF7194215E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719430DE4 0_2_00007FF719430DE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193FDDC0 0_2_00007FF7193FDDC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719420860 0_2_00007FF719420860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719404820 0_2_00007FF719404820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71941604A 0_2_00007FF71941604A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194088E0 0_2_00007FF7194088E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7193F3110 0_2_00007FF7193F3110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719408F20 0_2_00007FF719408F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71942DFF0 0_2_00007FF71942DFF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71943DFB0 0_2_00007FF71943DFB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194207A0 0_2_00007FF7194207A0
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1818609021.0000024541F5B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1820175168.0000024541F9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819722499.0000024541F9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819722499.0000024541F81000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1823003152.0000024541F0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815034458.00000245422EB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817794161.0000024541F0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805558953.0000024541F14000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBP
Source: classification engine Classification label: mal68.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71942B510 CoCreateInstance,SysFreeString,CoSetProxyBlanket,GetErrorInfo,GetErrorInfo,SysFreeString,GetErrorInfo, 0_2_00007FF71942B510
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Section loaded: perfos.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Section loaded: profapi.dll Jump to behavior
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: unity.pdb source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Static PE information: section name: .voltbl
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
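
The static PE observations above (DllCharacteristics HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE; image base 0x140000000; sections .voltbl and _RDATA) can be reproduced from the headers alone. The script below is an added example, not part of the sandbox report or the sample: it constructs a minimal PE32+ header carrying those values (only .text, .voltbl and _RDATA are named by the report; the remaining section names in the constructed table are assumed) and decodes them. Two caveats an analyst should attach to the report's flags: 0x140000000 is the linker's default image base for 64-bit executables, so "Image base > 0x60000000" carries no signal for an x64 PE; and .voltbl and _RDATA are regularly seen in binaries linked with recent MSVC toolchains, so those two names on their own do not indicate packing.

```python
"""Static PE32+ header checks: DllCharacteristics, image base, section names.

Added example, not code from the sandbox report.  The image parsed here is a
constructed header that mirrors the values the report lists; it is not the
submitted sample and contains no code.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Section names an MSVC-linked x64 executable is routinely expected to carry.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".bss", ".CRT", ".gfids", ".didat"}

DEFAULT_X64_EXE_IMAGE_BASE = 0x140000000  # linker default for 64-bit EXEs

# Values taken from the report; the full section list is an assumption apart
# from .text, .voltbl and _RDATA, which the report names explicitly.
REPORTED_SECTIONS = [".text", ".rdata", ".data", ".pdata", ".voltbl", "_RDATA", ".reloc"]
REPORTED_DLL_CHARACTERISTICS = 0x0020 | 0x0040 | 0x0100 | 0x8000


def parse_pe32plus(image):
    """Return image base, DllCharacteristics names and section names of a PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ optional header")
    image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    sec_off = opt + size_of_opt                          # section table follows the optional header
    sections = [image[sec_off + 40 * i: sec_off + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
                for i in range(num_sections)]
    return {
        "image_base": image_base,
        "default_image_base": image_base == DEFAULT_X64_EXE_IMAGE_BASE,
        "dll_characteristics": [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "sections": sections,
        "non_standard_sections": [s for s in sections if s not in STANDARD_SECTIONS],
    }


def build_minimal_pe32plus(sections, dll_chars, image_base=DEFAULT_X64_EXE_IMAGE_BASE):
    """Construct a header-only PE32+ image (no code) carrying the given metadata."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=AMD64, NumberOfSections, TimeDateStamp, SymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader=240, Characteristics=EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 68, 3)           # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    table = b"".join(struct.pack("<8s", name.encode("ascii")) + b"\0" * 32 for name in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def check_reported_sample():
    """Decode the constructed header that mirrors the report's static PE findings."""
    return parse_pe32plus(build_minimal_pe32plus(REPORTED_SECTIONS, REPORTED_DLL_CHARACTERISTICS))


if __name__ == "__main__":
    for key, value in check_reported_sample().items():
        print(f"{key}: {hex(value) if isinstance(value, int) and not isinstance(value, bool) else value}")
```

Run against a real file by replacing the constructed bytes with `open(path, "rb").read()`; the parser only touches the headers, so the whole file does not need to be executable or trusted.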

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe API coverage: 8.6 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719418C90 GetFileInformationByHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,FindFirstFileW,FindClose,HeapFree, 0_2_00007FF719418C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719434E6C FindFirstFileExA,FindClose, 0_2_00007FF719434E6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719434F7C FindFirstFileExA,FindClose,FindNextFileA, 0_2_00007FF719434F7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719411D93 HeapFree,HeapFree,HeapFree,GetSystemInfo,HeapFree,WakeByAddressAll,WakeByAddressSingle,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,WakeByAddressSingle,WakeByAddressSingle,HeapFree, 0_2_00007FF719411D93
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1800922574.0000024540529000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1801172127.000002454055A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipesb
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionll
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.00000245421F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.00000245403CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.000002454215C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.00000245421F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1801136691.000002454050D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ons/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec5084Page Table V
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V rdvphgmoagrdjmj Bus
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1801396380.000002454055C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Costitio
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorllui
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541E95000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Servicem
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1796266108.00000245404A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation 
Snapshot4888Active Tsc Count Snapshotaile
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes!
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1801172127.000002454058C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1801644029.000002454058C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache 
Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshotince
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor*
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.00000245421F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.00000245403CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.000002454215C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.00000245421F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition}
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitiony
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.00000245421F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.00000245403CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.000002454215C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.00000245421F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Servicex
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.00000245421F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.000002454215C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.00000245421F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.0000024542731000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition+
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.00000245403CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes:
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisorq
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.00000245421F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.00000245403CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.000002454215C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.00000245421F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processor.mui
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partitiond
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Serviceh!
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V rdvphgmoagrdjmj Bus Pipes
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.0000024542731000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.0000024542608000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWT`
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.00000245421F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.00000245403CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.000002454215C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.00000245421F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1796266108.00000245404A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation 
Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V HypervisorL8
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipesui
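Added example, not part of the sandbox output or of the sample: the long runs such as "4788Hyper-V Hypervisor4790Logical Processors4792Partitions" and "6242WorkflowServiceHost 4.0.0.06244Workflows Created" above are the Perflib counter-name table, the REG_MULTI_SZ "Counter" value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009, in which even counter indices alternate with names; string extraction drops the NUL separators, which is why index and name fuse ("49244K GPA pages" is index 4924 followed by "4K GPA pages") and why .NET workflow and Terminal Services counters sit next to Hyper-V ones. The sample, or a system-information library it embeds, read that whole table. The Hyper-V counter sets are registered by inbox Windows components and exist on physical hosts as well, so their names are a weak virtualization indicator; the SCSI device IDs naming VMware further down are the stronger one. The code below decodes a constructed table in the registry layout, shows how the flattened form in the report arises, and picks out the hypervisor-related entries; the marker list and the sample entries are this example's own choices.

```python
"""Decode a Perflib counter-name table (REG_MULTI_SZ) and flag hypervisor counters.

Added example for this report; not code from the sample or the sandbox.
"""
import re
import sys

# Constructed sample: a handful of (index, name) pairs chosen from the strings the
# report recovered from the sample's heap. The real table on a Windows host holds
# thousands of entries; this subset is ours, not a dump of the sandbox registry.
SAMPLE_ENTRIES = [
    ("4788", "Hyper-V Hypervisor"),
    ("4790", "Logical Processors"),
    ("4792", "Partitions"),
    ("4806", "Hyper-V Hypervisor Logical Processor"),
    ("4808", "Global Time"),
    ("4906", "Hyper-V Hypervisor Root Partition"),
    ("4924", "4K GPA pages"),
    ("5008", "CPUID Instructions/sec"),
    ("6242", "WorkflowServiceHost 4.0.0.0"),
    ("6244", "Workflows Created"),
    ("6324", "Terminal Services"),
]

# Counter-name fragments that point at a virtualization provider (our list, case-insensitive).
VM_MARKERS = re.compile(r"Hyper-V|VMware|VirtualBox|VBox|QEMU|Parallels", re.I)


def encode_multi_sz(entries):
    """Lay the pairs out as the registry stores them: UTF-16LE strings separated by
    NUL, alternating index and name, with an extra NUL closing the list."""
    flat = [s for pair in entries for s in pair]
    return ("\0".join(flat) + "\0\0").encode("utf-16-le")


def parse_counter_table(blob: bytes) -> dict:
    """Turn a REG_MULTI_SZ blob of the Perflib 'Counter' value into {index: name}."""
    parts = blob.decode("utf-16-le").rstrip("\0").split("\0")
    if len(parts) % 2:
        raise ValueError("odd number of strings: not an index/name table")
    table = {}
    for idx, name in zip(parts[0::2], parts[1::2]):
        if not idx.isdigit():
            raise ValueError(f"non-numeric counter index {idx!r}")
        table[int(idx)] = name
    return table


def flatten_like_report(table: dict) -> str:
    """Reproduce what string extraction shows once the NUL separators are gone,
    e.g. '4788Hyper-V Hypervisor4790Logical Processors...'. Index 4924 and the
    name '4K GPA pages' fuse into '49244K GPA pages', which is why the flattened
    form cannot be split back into pairs reliably; parse the blob instead."""
    return "".join(f"{idx}{name}" for idx, name in table.items())


def find_virtualization_counters(table: dict) -> dict:
    """Return the subset of counters whose names point at a hypervisor provider."""
    return {idx: name for idx, name in table.items() if VM_MARKERS.search(name)}


def read_live_counter_table():
    """On Windows, read the English counter table from the registry (the same data a
    process gets when it resolves counter names). Returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009")
    value, _kind = winreg.QueryValueEx(key, "Counter")  # winreg splits MULTI_SZ into a list
    return {int(i): n for i, n in zip(value[0::2], value[1::2]) if i.isdigit()}


if __name__ == "__main__":
    table = read_live_counter_table() or parse_counter_table(encode_multi_sz(SAMPLE_ENTRIES))
    print(flatten_like_report(table)[:120])
    for idx, name in find_virtualization_counters(table).items():
        print(f"{idx:6d}  {name}")
```

Run on a Windows host it prints the live table's hypervisor counters; elsewhere it falls back to the constructed entries. Reading this value is also what legitimate monitoring and system-information libraries do, so the read itself should not be scored as evasion without the CPUID, SCSI-device or WMI checks that accompany it in this report.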
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71942F3B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF71942F3B8
Note: the sequence IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter is the MSVC CRT's fatal-error path (the __report_gsfailure / __raise_securityfailure code that fast-fails on a stack-cookie mismatch where the CPU supports it and otherwise hands the captured context to the unhandled-exception filter). Every x64 binary linked against the MSVC CRT carries it, Rust binaries built with the msvc toolchain included, so this IsDebuggerPresent call is not by itself evidence of deliberate anti-debugging; the "Contains functionality to check if a debugger is running" signature should only be weighted if IsDebuggerPresent or an equivalent check is reached from application code.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719427CE5 GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLastError,GetLastError,CloseHandle,GetLastError,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,HeapFree,GetLastError,K32GetModuleFileNameExW,GetLastError,CloseHandle,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,ReadProcessMemory,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,GetProcessHeap,HeapFree, 0_2_00007FF719427CE5
Note: this chain (GetProcessTimes, GetSystemTimes, GetProcessIoCounters, OpenProcessToken followed by a two-call GetTokenInformation size probe, NtQueryInformationProcess followed by ReadProcessMemory, K32GetModuleFileNameExW, VirtualQueryEx) is what a process-inventory routine does to collect a target process's CPU and I/O times, owner SID, PEB-resident command line and environment, image path and memory layout. It reads other processes but writes nothing: no WriteProcessMemory or CreateRemoteThread appears in the report and no thread injection was observed, so the "evasive API chain checking for process token information" signature here reflects enumeration, not manipulation.
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194343E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7194343E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71942F3A8 SetUnhandledExceptionFilter, 0_2_00007FF71942F3A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF71942F3B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF71942F3B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194337DC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7194337DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Memory allocated: page read and write | page guard Jump to behavior
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.00000245426F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1818864972.00000245422ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719439280 cpuid 0_2_00007FF719439280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719421A90 ProcessPrng,GetCurrentProcessId,ProcessPrng,HeapFree,CreateNamedPipeW,GetLastError,ProcessPrng,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,HeapFree, 0_2_00007FF719421A90
Note: ProcessPrng, GetCurrentProcessId and CreateNamedPipeW in one routine is consistent with the Rust standard library's anonymous-pipe helper, which implements anonymous pipes as a named pipe whose name carries the process ID and a random suffix drawn from ProcessPrng, retrying with a fresh suffix on collision. That is a library artifact (child-process stdio plumbing), not a cipher or a covert channel.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF719427CE5 GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLastError,GetLastError,CloseHandle,GetLastError,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,HeapFree,GetLastError,K32GetModuleFileNameExW,GetLastError,CloseHandle,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,ReadProcessMemory,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,GetProcessHeap,HeapFree, 0_2_00007FF719427CE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe Code function: 0_2_00007FF7194299B0 RtlGetVersion, 0_2_00007FF7194299B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
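Added example, not part of the sandbox output or of the sample: the query above (IWbemServices::ExecQuery against root\SecurityCenter2 for AntiVirusProduct) is the standard way to list registered security products on client Windows; the namespace is absent on Windows Server SKUs, so the same call fails there. Detecting it from host telemetry is awkward because Microsoft-Windows-WMI-Activity/Operational event 5858 records an operation only when it returned an error, while successful enumerations need the WMI-Activity Trace channel (event 11, same field layout) or an ETW collector; Sysmon's WMI events (19 to 21) cover event subscriptions, not ExecQuery. The code below runs a rule over constructed message strings in the 5858 layout, flagging queries against the SecurityCenter2 classes regardless of namespace casing or WQL shape; the sample records, the rule name and the class list are this example's own.

```python
"""Flag WMI queries that enumerate security products via root\\SecurityCenter2.

Added example for this report; not code from the sample or the sandbox.
"""
import re

# Classes exposed by the SecurityCenter2 namespace on client Windows SKUs.
SECURITY_CENTER_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}

# Constructed sample records, modelled on the message text of
# Microsoft-Windows-WMI-Activity/Operational event 5858 ("; "-separated fields).
# They are not log lines from the sandbox run.
SAMPLE_EVENTS = [
    "Id = {A1B2}; ClientMachine = WIN10-LAB; User = WIN10-LAB\\user; ClientProcessId = 4312; "
    "Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\\SecurityCenter2 : "
    "SELECT displayName FROM AntiVirusProduct; ResultCode = 0x8004100E; PossibleCause = Unknown",
    "Id = {C3D4}; ClientMachine = WIN10-LAB; User = WIN10-LAB\\user; ClientProcessId = 1180; "
    "Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : "
    "SELECT * FROM Win32_OperatingSystem; ResultCode = 0x80041010; PossibleCause = Unknown",
    "Id = {E5F6}; ClientMachine = WIN10-LAB; User = NT AUTHORITY\\SYSTEM; ClientProcessId = 904; "
    "Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\\securitycenter2 : "
    "select * from FirewallProduct where productState > 0; ResultCode = 0x8004100E; PossibleCause = Unknown",
]

# "IWbemServices::ExecQuery - <namespace> : <WQL>" as rendered in the Operation field.
OPERATION_RE = re.compile(
    r"IWbemServices::ExecQuery\s*-\s*(?P<ns>\S+)\s*:\s*(?P<wql>.+)$", re.I)
FROM_RE = re.compile(r"\bFROM\s+(?P<cls>\w+)", re.I)


def parse_event(line: str) -> dict:
    """Split a 5858-style message into its named fields (first ' = ' wins, so a
    WHERE clause containing '=' inside the WQL stays intact)."""
    fields = {}
    for part in line.split("; "):
        if " = " in part:
            key, value = part.split(" = ", 1)
            fields[key.strip()] = value.strip()
    return fields


def classify(fields: dict):
    """Return an alert dict when the operation enumerates a SecurityCenter2 class."""
    match = OPERATION_RE.search(fields.get("Operation", ""))
    if not match:
        return None
    namespace = match.group("ns").lower().replace("/", "\\")
    wql = match.group("wql")
    from_match = FROM_RE.search(wql)
    cls = from_match.group("cls").lower() if from_match else ""
    if namespace.endswith("securitycenter2") and cls in SECURITY_CENTER_CLASSES:
        return {
            "rule": "wmi_security_product_enumeration",
            "pid": fields.get("ClientProcessId"),
            "user": fields.get("User"),
            "class": cls,
            "wql": wql,
        }
    return None


def scan(lines) -> list:
    """Run the rule over a batch of message strings and collect the alerts."""
    alerts = []
    for line in lines:
        alert = classify(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The alert carries only the ClientProcessId, because that is all the WMI-Activity event provides; map it to an image path by joining against process-creation events (Sysmon event 1 or Security 4688) from the same host and time window before acting on it. To see what the sample received on a lab box, the equivalent PowerShell query is Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct.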
No contacted IP infos