Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe
Analysis ID:	1543315
MD5:	f52111c3f5e33838bfa369b625f086c3
SHA1:	cf35eab7bf011cf4331b580afa86b545bbdd68e1
SHA256:	97a39344d4d8701faf884af706aedee5edc5d9529713a33c744241297c655144
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Queries memory information (via WMI often done to detect virtual machines)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

PE file contains sections with non-standard names

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe (PID: 3736 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe" MD5: F52111C3F5E33838BFA369B625F086C3)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: unity.pdb source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719418C90 GetFileInformationByHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,FindFirstFileW,FindClose,HeapFree,	0_2_00007FF719418C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719434E6C FindFirstFileExA,FindClose,	0_2_00007FF719434E6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719434F7C FindFirstFileExA,FindClose,FindNextFileA,	0_2_00007FF719434F7C

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541EC9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541EC9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541E95000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F57000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541EC9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541EC9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541EC9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819267483.0000024542823000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245423EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.00000245425EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.00000245425EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819267483.000002454258C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.0000024542155000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.0000024542589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.000002454239F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.00000245427D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719427CE5 GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLastError,GetLastError,CloseHandle,GetLastError,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,HeapFree,GetLastError,K32GetModuleFileNameExW,GetLastError,CloseHandle,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,ReadProcessMemory,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,GetProcessHeap,HeapFree,	0_2_00007FF719427CE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719429620 NtQueryInformationProcess,GetErrorInfo,NtQueryInformationProcess,HeapFree,HeapFree,	0_2_00007FF719429620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7194240F5 PdhOpenQueryA,ProcessPrng,PdhCollectQueryData,HeapFree,NtQuerySystemInformation,GetErrorInfo,NtQuerySystemInformation,GetErrorInfo,RtlFreeHeap,	0_2_00007FF7194240F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7194149E0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	0_2_00007FF7194149E0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719427CE5	0_2_00007FF719427CE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71942B510	0_2_00007FF71942B510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F9368	0_2_00007FF7193F9368
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719428391	0_2_00007FF719428391
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7194153A0	0_2_00007FF7194153A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71943B3D0	0_2_00007FF71943B3D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719429EB0	0_2_00007FF719429EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719411D93	0_2_00007FF719411D93
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F1530	0_2_00007FF7193F1530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7194240F5	0_2_00007FF7194240F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F2760	0_2_00007FF7193F2760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F4790	0_2_00007FF7193F4790
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71942AF20	0_2_00007FF71942AF20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719424740	0_2_00007FF719424740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F6FBF	0_2_00007FF7193F6FBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F2A60	0_2_00007FF7193F2A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719421A90	0_2_00007FF719421A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719413A20	0_2_00007FF719413A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719439A20	0_2_00007FF719439A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719410A40	0_2_00007FF719410A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719406AF0	0_2_00007FF719406AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71943A2D0	0_2_00007FF71943A2D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71943D2D0	0_2_00007FF71943D2D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71941E970	0_2_00007FF71941E970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193FF990	0_2_00007FF7193FF990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F3930	0_2_00007FF7193F3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7194071E0	0_2_00007FF7194071E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193FF200	0_2_00007FF7193FF200
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719439468	0_2_00007FF719439468
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F9496	0_2_00007FF7193F9496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71940CC30	0_2_00007FF71940CC30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F6D00	0_2_00007FF7193F6D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719434B90	0_2_00007FF719434B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719429B80	0_2_00007FF719429B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719411D93	0_2_00007FF719411D93
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F2BF0	0_2_00007FF7193F2BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F3BF0	0_2_00007FF7193F3BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719409400	0_2_00007FF719409400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719419BD0	0_2_00007FF719419BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7194033D0	0_2_00007FF7194033D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193FFE60	0_2_00007FF7193FFE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719434E6C	0_2_00007FF719434E6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719426660	0_2_00007FF719426660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71941561B	0_2_00007FF71941561B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71943C710	0_2_00007FF71943C710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7194046D0	0_2_00007FF7194046D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F4ED0	0_2_00007FF7193F4ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F4D40	0_2_00007FF7193F4D40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719411D40	0_2_00007FF719411D40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719416DF0	0_2_00007FF719416DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F65F0	0_2_00007FF7193F65F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7194215E0	0_2_00007FF7194215E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719430DE4	0_2_00007FF719430DE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193FDDC0	0_2_00007FF7193FDDC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719420860	0_2_00007FF719420860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719404820	0_2_00007FF719404820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71941604A	0_2_00007FF71941604A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7194088E0	0_2_00007FF7194088E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7193F3110	0_2_00007FF7193F3110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719408F20	0_2_00007FF719408F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71942DFF0	0_2_00007FF71942DFF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71943DFB0	0_2_00007FF71943DFB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7194207A0	0_2_00007FF7194207A0

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1818609021.0000024541F5B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1820175168.0000024541F9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819722499.0000024541F9B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819722499.0000024541F81000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1823003152.0000024541F0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815034458.00000245422EB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817794161.0000024541F0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805558953.0000024541F14000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal68.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Code function: 0_2_00007FF71942B510 CoCreateInstance,SysFreeString,CoSetProxyBlanket,GetErrorInfo,GetErrorInfo,SysFreeString,GetErrorInfo,

0_2_00007FF71942B510

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Section loaded: perfos.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Section loaded: profapi.dll	Jump to behavior

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: unity.pdb source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Static PE information: section name: .voltbl
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-27769

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

API coverage: 8.6 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719418C90 GetFileInformationByHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,FindFirstFileW,FindClose,HeapFree,	0_2_00007FF719418C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719434E6C FindFirstFileExA,FindClose,	0_2_00007FF719434E6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF719434F7C FindFirstFileExA,FindClose,FindNextFileA,	0_2_00007FF719434F7C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Code function: 0_2_00007FF719411D93 HeapFree,HeapFree,HeapFree,GetSystemInfo,HeapFree,WakeByAddressAll,WakeByAddressSingle,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,WakeByAddressSingle,WakeByAddressSingle,HeapFree,

0_2_00007FF719411D93

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1800922574.0000024540529000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1801172127.000002454055A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipesb
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionll
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.00000245421F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.00000245403CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.000002454215C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.00000245421F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1801136691.000002454050D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ons/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec5084Page Table V
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V rdvphgmoagrdjmj Bus
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1801396380.000002454055C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Costitio
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorllui
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803264069.0000024541E95000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1817495447.0000024541F57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Servicem
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1796266108.00000245404A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshotaile
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes!
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1801172127.000002454058C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1801644029.000002454058C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshotince
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor*
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.00000245421F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.00000245403CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.000002454215C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.00000245421F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition}
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitiony
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.00000245421F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.00000245403CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.000002454215C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.00000245421F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Servicex
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.00000245421F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.000002454215C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.00000245421F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.0000024542731000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition+
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.00000245403CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes:
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisorq
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.00000245421F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.00000245403CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.000002454215C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.00000245421F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor.mui
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partitiond
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Serviceh!
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V rdvphgmoagrdjmj Bus Pipes
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.0000024542731000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.0000024542608000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.00000245421F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.00000245403CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.000002454215C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.00000245421F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1796266108.00000245404A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V HypervisorL8
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partition
Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000002.1822174043.0000024540443000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1805165798.00000245421D8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1815410473.000002454226B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819395964.000002454226B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipesui

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Code function: 0_2_00007FF71942F3B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF71942F3B8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Code function: 0_2_00007FF719427CE5 GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLastError,GetLastError,CloseHandle,GetLastError,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,HeapFree,GetLastError,K32GetModuleFileNameExW,GetLastError,CloseHandle,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,ReadProcessMemory,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,GetProcessHeap,HeapFree,

0_2_00007FF719427CE5

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7194343E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7194343E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71942F3A8 SetUnhandledExceptionFilter,	0_2_00007FF71942F3A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF71942F3B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF71942F3B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	Code function: 0_2_00007FF7194337DC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7194337DC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.00000245426F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1818864972.00000245422ED000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Code function: 0_2_00007FF719439280 cpuid

0_2_00007FF719439280

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Code function: 0_2_00007FF719421A90 ProcessPrng,GetCurrentProcessId,ProcessPrng,HeapFree,CreateNamedPipeW,GetLastError,ProcessPrng,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,HeapFree,

0_2_00007FF719421A90

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

0_2_00007FF719427CE5

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Code function: 0_2_00007FF7194299B0 RtlGetVersion,

0_2_00007FF7194299B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	15 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	55%	ReversingLabs	Win64.Trojan.Generic
SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe	100%	Avira	TR/Crypt.Agent.khjso

Source	Detection	Scanner	Label
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.00000245425EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/	SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.00000245425EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wns.windows.com/	SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.000002454239F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.00000245427D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1819267483.0000024542823000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245423EC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1814540889.000002454262E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, 00000000.00000003.1803263854.00000245421FA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543315
Start date and time:	2024-10-27 16:56:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 44 Number of non-executed functions: 95
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.603847748500581
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe
File size:	958'976 bytes
MD5:	f52111c3f5e33838bfa369b625f086c3
SHA1:	cf35eab7bf011cf4331b580afa86b545bbdd68e1
SHA256:	97a39344d4d8701faf884af706aedee5edc5d9529713a33c744241297c655144
SHA512:	ed17dcadff2b252f017450291339d84f30e55bb726760e80d09030e3496930606d649431b025bedb4061c0f4667919159d7413391cb06f2da165bc9b8795b589
SSDEEP:	24576:rE1DjSZB7niaSim76H+cWTuwWc0B02bVk0ZD:rkiZB7iaSiHx0F0B04Go
TLSH:	F715D047E66290FCD02AC4F48746A532F6717C164B2479FB9B90BB212F22FD06A3DB15
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....A.g.........."............................@..........................................`........................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14003efc0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x671041DD [Wed Oct 16 22:44:45 2024 UTC]
TLS Callbacks:	0x40024d20, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	dac20a408a16d396d39804339c3d3c76

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F7F9CB9D540h
dec eax
add esp, 28h
jmp 00007F7F9CB9D157h
int3
int3
dec eax
sub esp, 28h
call 00007F7F9CB9D2F4h
dec eax
neg eax
sbb eax, eax
neg eax
dec eax
dec eax
add esp, 28h
ret
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
cmp dword ptr [000A9A16h], FFFFFFFFh
dec eax
mov ebx, ecx
jne 00007F7F9CB9D2E9h
call 00007F7F9CB9F0B5h
jmp 00007F7F9CB9D2F1h
dec eax
mov edx, ebx
dec eax
lea ecx, dword ptr [000A9A00h]
call 00007F7F9CB9F020h
xor edx, edx
test eax, eax
dec eax
cmove edx, ebx
dec eax
mov eax, edx
dec eax
add esp, 20h
pop ebx
ret
int3
int3
dec eax
sub esp, 18h
dec esp
mov eax, ecx
mov eax, 00005A4Dh
cmp word ptr [FFFC0FC5h], ax
jne 00007F7F9CB9D35Ah
dec eax
arpl word ptr [FFFC0FF8h], cx
dec eax
lea edx, dword ptr [FFFC0FB5h]
dec eax
add ecx, edx
cmp dword ptr [ecx], 00004550h
jne 00007F7F9CB9D341h
mov eax, 0000020Bh
cmp word ptr [ecx+18h], ax
jne 00007F7F9CB9D336h
dec esp
sub eax, edx
movzx eax, word ptr [ecx+14h]
dec eax
lea edx, dword ptr [ecx+18h]
dec eax
add edx, eax
movzx eax, word ptr [ecx+06h]
dec eax
lea ecx, dword ptr [eax+eax*4]
dec esp
lea ecx, dword ptr [edx+ecx*8]
dec eax
mov dword ptr [esp], edx
dec ecx
cmp edx, ecx
je 00007F7F9CB9D2FAh
mov ecx, dword ptr [edx+0Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe4bd8	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xea000	0x1ab8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf0000	0x71c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe4ad0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xe2350	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xdd680	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe51f0	0x510	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4dc16	0x4de00	72dbd1eca204158d6a6b3c531ab4b762	False	0.5278422201043339	data	6.42086706229049	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4f000	0x989a4	0x98a00	9f9751104e37437506e10a112552dc51	False	0.9461890868140869	Matlab v4 mat-file (little endian) \3426\032?, rows 953267991, columns 1510874058	7.916905090012734	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe8000	0x1b90	0xa00	cd95d90f21e02094de23b65dadbe06e3	False	0.146484375	data	1.9052885798327395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xea000	0x1ab8	0x1c00	f11b762d6390b1270b6590c3c3cd2357	False	0.4898158482142857	data	5.435059595682391	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids	0xec000	0x80	0x200	b43242d35411407b1f6852a45cd5edaa	False	0.22265625	data	1.4582740264106036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xed000	0x89	0x200	f73b9c36b3b22255f2ae96abc9a50361	False	0.037109375	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.voltbl	0xee000	0x2a	0x200	eae09b4822d39f484dfe9175c88bb635	False	0.107421875	data	0.7001115316230119
_RDATA	0xef000	0xf4	0x200	5108344696762df5721526031cbb35c6	False	0.310546875	data	2.381296399543655	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf0000	0x71c	0x800	2500d08c07fc63ba4a5be0ac4dd8eb08	False	0.56005859375	data	5.183843895441525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
bcryptprimitives.dll	ProcessPrng
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
ntdll.dll	NtQueryInformationProcess, NtQuerySystemInformation, NtWriteFile, RtlCaptureContext, RtlGetVersion, RtlLookupFunctionEntry, RtlNtStatusToDosError, RtlUnwindEx, RtlVirtualUnwind
ADVAPI32.dll	CopySid, GetLengthSid, GetTokenInformation, IsValidSid, OpenProcessToken
KERNEL32.dll	AddVectoredExceptionHandler, CloseHandle, CompareStringOrdinal, CompareStringW, CreateFileW, CreateNamedPipeW, CreateProcessW, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DeleteProcThreadAttributeList, DuplicateHandle, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExA, FindFirstFileW, FindNextFileA, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameExW, GetConsoleCP, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetEnvironmentVariableW, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFullPathNameW, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetSystemTimePreciseAsFileTime, GetSystemTimes, GetTempPathW, GetTickCount64, GetWindowsDirectoryW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeProcThreadAttributeList, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, K32GetPerformanceInfo, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, LocalFree, MultiByteToWideChar, OpenProcess, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFileEx, ReadProcessMemory, SetEnvironmentVariableA, SetFileInformationByHandle, SetFilePointerEx, SetLastError, SetStdHandle, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SleepEx, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UpdateProcThreadAttribute, VirtualQueryEx, WaitForSingleObject, WideCharToMultiByte, WriteConsoleW, WriteFile, WriteFileEx
powrprof.dll	CallNtPowerInformation
ole32.dll	CoCreateInstance, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, PropVariantClear
shell32.dll	CommandLineToArgvW
oleaut32.dll	GetErrorInfo, SafeArrayAccessData, SafeArrayDestroy, SafeArrayUnaccessData, SysAllocStringLen, SysFreeString, SysStringLen, VariantClear
psapi.dll	GetModuleFileNameExW
pdh.dll	PdhAddEnglishCounterW, PdhCloseQuery, PdhCollectQueryData, PdhGetFormattedCounterValue, PdhOpenQueryA, PdhRemoveCounter
propsys.dll	PropVariantToBSTR, VariantToPropVariant

Target ID:	0
Start time:	11:57:35
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe"
Imagebase:	0x7ff7193f0000
File size:	958'976 bytes
MD5 hash:	F52111C3F5E33838BFA369B625F086C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	65%
Total number of Nodes:	1187
Total number of Limit Nodes:	93

Executed Functions

Function 00007FF719427CE5 Relevance: 84.8, APIs: 47, Strings: 1, Instructions: 795memorytimenativeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE ref: 00007FF719427D5D
GetLastError.KERNEL32 ref: 00007FF719427D67
GetSystemTimes.KERNELBASE ref: 00007FF719427D82
GetLastError.KERNEL32 ref: 00007FF719427D8C
GetProcessIoCounters.KERNEL32 ref: 00007FF719427F02
OpenProcessToken.ADVAPI32 ref: 00007FF719427FA6
GetTokenInformation.KERNELBASE ref: 00007FF719427FEA
GetLastError.KERNEL32 ref: 00007FF719427FF4
GetProcessHeap.KERNEL32 ref: 00007FF719428019
HeapAlloc.KERNEL32 ref: 00007FF719428038
GetTokenInformation.KERNELBASE ref: 00007FF71942805B
GetLastError.KERNEL32 ref: 00007FF71942809C
GetLastError.KERNEL32 ref: 00007FF7194280B1
CloseHandle.KERNEL32 ref: 00007FF7194280BA
GetLastError.KERNEL32 ref: 00007FF7194280C4
NtQueryInformationProcess.NTDLL ref: 00007FF719428166
ReadProcessMemory.KERNELBASE ref: 00007FF71942819F
ReadProcessMemory.KERNELBASE ref: 00007FF7194281CE
HeapFree.KERNEL32 ref: 00007FF7194282B1

Strings

}, xrefs: 00007FF719428459

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Process$ErrorLast$HeapInformationToken$MemoryReadTimes$AllocCloseCountersFreeHandleOpenQuerySystem
String ID: }
API String ID: 2453134795-1418613170
Opcode ID: 5d88e57598b47a9ba4c7e4a7f78fd551a5d76a198221552e81de4add467ab235
Instruction ID: f9fce7a1ffdffb1a60166582c0bca6a76aac1e1dc9c70d449c55cdbdd46a53ae
Opcode Fuzzy Hash: 5d88e57598b47a9ba4c7e4a7f78fd551a5d76a198221552e81de4add467ab235
Instruction Fuzzy Hash: 26829425A08F8282F664AF15A4403BBA3B0FF557A8F844535DE9D43795DF3CE0AAC721

Function 00007FF7193F6FBF Relevance: 79.2, APIs: 35, Strings: 9, Instructions: 2187memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71942AAA0: GlobalMemoryStatusEx.KERNELBASE ref: 00007FF71942AAD7

GetComputerNameExW.KERNELBASE ref: 00007FF7193F6FE1
GetLastError.KERNEL32 ref: 00007FF7193F701A
GetComputerNameExW.KERNELBASE ref: 00007FF7193F7053
GetLastError.KERNEL32 ref: 00007FF7193F7083
HeapFree.KERNEL32 ref: 00007FF7193F709A
HeapFree.KERNEL32 ref: 00007FF7193F7106
HeapFree.KERNEL32 ref: 00007FF7193F72BD

Part of subcall function 00007FF719423DC0: GetProcessHeap.KERNEL32(?,?,00000008,?,00007FF7193FD692,?,?,00000008,?,00007FF71943AC51), ref: 00007FF71943C6DB

SysFreeString.OLEAUT32 ref: 00007FF7193F7BE1
SysFreeString.OLEAUT32 ref: 00007FF7193F7BEF
HeapFree.KERNEL32 ref: 00007FF7193F7C0B
GetErrorInfo.OLEAUT32 ref: 00007FF7193F7E55
HeapFree.KERNEL32 ref: 00007FF7193F8055

Part of subcall function 00007FF7193F1530: HeapReAlloc.KERNEL32 ref: 00007FF7193F1679
Part of subcall function 00007FF7193F1530: GetErrorInfo.OLEAUT32 ref: 00007FF7193F16A4

HeapFree.KERNEL32 ref: 00007FF7193F827A
HeapFree.KERNEL32 ref: 00007FF7193F9A96

Strings

, xrefs: 00007FF7193FAB95
)Xz8, xrefs: 00007FF7193F9CFF
WQLEmptyNullStringI1I2I4I8R4R8BoolUI1UI2UI4UI8ArrayUnknownObjectIUnknownWrapperinnerIWbemClassWrapper, xrefs: 00007FF7193F7B6D
#, xrefs: 00007FF7193F81D1
, xrefs: 00007FF7193FAAC1
, xrefs: 00007FF7193FAAA6
main, xrefs: 00007FF7193FD484
ROOT\CIMV2, xrefs: 00007FF7193F72C6, 00007FF7193F841C, 00007FF7193F86D8, 00007FF7193F8A69, 00007FF7193F8C31
KA?%, xrefs: 00007FF7193F714A

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$Error$ComputerInfoLastNameString$AllocGlobalMemoryProcessStatus
String ID: $ $ $#$)Xz8$KA?%$ROOT\CIMV2$WQLEmptyNullStringI1I2I4I8R4R8BoolUI1UI2UI4UI8ArrayUnknownObjectIUnknownWrapperinnerIWbemClassWrapper$main
API String ID: 677961636-4227071778
Opcode ID: e66ce47350784e3200ce116527d5a272d24021503b55028eac4c3cb67eec8676
Instruction ID: a91ce05ba4abd05f58d91e52869ad4a5ed99b64338d0f9066b5adaeae55863e5
Opcode Fuzzy Hash: e66ce47350784e3200ce116527d5a272d24021503b55028eac4c3cb67eec8676
Instruction Fuzzy Hash: C0336E36608FC285EB609F15E4403AAB7B0FB84B94F844139DA8D43B99EF3CD05ADB51

Function 00007FF7193F4790 Relevance: 31.9, APIs: 21, Instructions: 355
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FF7193F4860
HeapFree.KERNEL32 ref: 00007FF7193F489D
RtlFreeHeap.NTDLL ref: 00007FF7193F4A59
HeapFree.KERNEL32 ref: 00007FF7193F4A8A
HeapFree.KERNEL32 ref: 00007FF7193F4ACD
HeapFree.KERNEL32 ref: 00007FF7193F4AE4
HeapFree.KERNEL32 ref: 00007FF7193F4B3A
PdhRemoveCounter.PDH ref: 00007FF7193F4B96
CloseHandle.KERNEL32 ref: 00007FF7193F4BF0

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$CloseCounterHandleRemove
String ID:
API String ID: 1366079419-0
Opcode ID: ec212d0d52e09e172e512e6528399edf32469e7bf74c51fdb048cfbc25f7aa8f
Instruction ID: 0a3d13cf3f4cdc399ccb2934622c741ba1f9e47c2128cebf6cf5e3a51853575d
Opcode Fuzzy Hash: ec212d0d52e09e172e512e6528399edf32469e7bf74c51fdb048cfbc25f7aa8f
Instruction Fuzzy Hash: 30E14225B09E4281EF55AF1AA44837A93B1BB44F78F89413ACE5D53394EF3CE44AC361

Function 00007FF719411D93 Relevance: 29.2, APIs: 15, Strings: 1, Instructions: 1161memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF719411E25
HeapFree.KERNEL32 ref: 00007FF719411EC5
HeapFree.KERNEL32 ref: 00007FF719412167
GetSystemInfo.KERNELBASE ref: 00007FF71941219D

Strings

RAYON_NUM_THREADSRAYON_RS_NUM_CPUS, xrefs: 00007FF719411D93

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$InfoSystem
String ID: RAYON_NUM_THREADSRAYON_RS_NUM_CPUS
API String ID: 738346042-2148087183
Opcode ID: ea87b5320bd023e519816e160dd32e72aab7a0a917993c44650e3bcb8726bb4d
Instruction ID: 91f20dc384aaffcae06c2c3be6711b0ae6852f775cdc7d461033a9cce74a0276
Opcode Fuzzy Hash: ea87b5320bd023e519816e160dd32e72aab7a0a917993c44650e3bcb8726bb4d
Instruction Fuzzy Hash: 99C29372A09FC181EA659F15A4443BBA7B0FB947A8F944235CE9D03795DF3CE0AAC310

Function 00007FF7193F1530 Relevance: 27.8, APIs: 18, Instructions: 752memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32 ref: 00007FF7193F1679
GetErrorInfo.OLEAUT32 ref: 00007FF7193F16A4
SafeArrayDestroy.OLEAUT32 ref: 00007FF7193F1701
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FF7193F1780
HeapFree.KERNEL32 ref: 00007FF7193F25FE

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Heap$AllocArrayDestroyErrorFreeInfoPrngProcessSafe
String ID:
API String ID: 1349816234-0
Opcode ID: c29c62469598b689eb71da74954145a8344b78a8d7e467f98d739ef6b782bfda
Instruction ID: e3211c61f75aed4b8cbb68f7908f62ac77b6801e249299fdbe23db3ee1400013
Opcode Fuzzy Hash: c29c62469598b689eb71da74954145a8344b78a8d7e467f98d739ef6b782bfda
Instruction Fuzzy Hash: EC827D32A08FC181EA619F15E4403AAE7B0FB99768F84412ADE8D53B58EF7CD05AC751

Function 00007FF719428391 Relevance: 21.4, APIs: 14, Instructions: 373
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FF719428500
VirtualQueryEx.KERNEL32 ref: 00007FF719428DE9
HeapFree.KERNEL32 ref: 00007FF719428E6D
HeapFree.KERNEL32 ref: 00007FF719428E93
ReadProcessMemory.KERNELBASE ref: 00007FF71942911F

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$MemoryProcessQueryReadVirtual
String ID:
API String ID: 3063523992-0
Opcode ID: 151a3323d10d2ec9980fec8d7033147d93c596ed21ea2862565e21808c8026f1
Instruction ID: 7017f9bfe6f0094908130df2f6e552ff35e283ef38daf22bc60bbd08a6369166
Opcode Fuzzy Hash: 151a3323d10d2ec9980fec8d7033147d93c596ed21ea2862565e21808c8026f1
Instruction Fuzzy Hash: 4C024236A18F8582E664AF15E0403ABB7B1FB957A8F804135DE8D43794DF3CE4AAC711

Function 00007FF7193F2760 Relevance: 14.8, APIs: 6, Strings: 2, Instructions: 757
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32 ref: 00007FF7193F27F3
SysFreeString.OLEAUT32 ref: 00007FF7193F2801
GetErrorInfo.OLEAUT32 ref: 00007FF7193F2922
SysFreeString.OLEAUT32 ref: 00007FF7193F2943
SysFreeString.OLEAUT32 ref: 00007FF7193F2951
HeapFree.KERNEL32 ref: 00007FF7193F29B2

Strings

WQLEmptyNullStringI1I2I4I8R4R8BoolUI1UI2UI4UI8ArrayUnknownObjectIUnknownWrapperinnerIWbemClassWrapper, xrefs: 00007FF7193F277F
falsetrue, xrefs: 00007FF7193F2A40

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Free$String$ErrorHeapInfo
String ID: WQLEmptyNullStringI1I2I4I8R4R8BoolUI1UI2UI4UI8ArrayUnknownObjectIUnknownWrapperinnerIWbemClassWrapper$falsetrue
API String ID: 364368470-4172885470
Opcode ID: 5eb413ebe4317ec03e873e53ccd3b00486b5ad551304fe97e0cc17dfe49d2ec3
Instruction ID: 5f2fc1a7100bef8204568bd22d630cf100e0ee7cae0f2348a64c6588a9c3c744
Opcode Fuzzy Hash: 5eb413ebe4317ec03e873e53ccd3b00486b5ad551304fe97e0cc17dfe49d2ec3
Instruction Fuzzy Hash: BB52A056E2CB9241F6235B3594013B69A20AFA37E4F44C336FD9D32B95EF28E196C310

Function 00007FF7193F9368 Relevance: 14.7, APIs: 6, Strings: 2, Instructions: 660
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7193F2760: SysFreeString.OLEAUT32 ref: 00007FF7193F27F3
Part of subcall function 00007FF7193F2760: SysFreeString.OLEAUT32 ref: 00007FF7193F2801

HeapFree.KERNEL32 ref: 00007FF7193F97E1
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FF7193F94CA

Part of subcall function 00007FF7193F4560: HeapFree.KERNEL32 ref: 00007FF7193F4613

HeapFree.KERNEL32 ref: 00007FF7193F987D
HeapFree.KERNEL32 ref: 00007FF7193F9936
HeapFree.KERNEL32 ref: 00007FF7193F9969
HeapFree.KERNEL32 ref: 00007FF7193F9A96

Strings

)Xz8, xrefs: 00007FF7193F9CFF
displayName, xrefs: 00007FF7193F9571, 00007FF7193F95DC, 00007FF7193F97C0

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Free$Heap$String$PrngProcess
String ID: )Xz8$displayName
API String ID: 4214144531-357724972
Opcode ID: 0f5c528221eb9dca3c3a2dad3958f1cf6314fd5229054b39d0feb69b74642625
Instruction ID: aa91cf0fe913f4f7ef61a11d561dc1765bb6d647b14dd50c318cdfa62d66144b
Opcode Fuzzy Hash: 0f5c528221eb9dca3c3a2dad3958f1cf6314fd5229054b39d0feb69b74642625
Instruction Fuzzy Hash: 04723236608FC285EA60DF25E4403AAB7B4F784794F90423ADA8D43B69EF3CD059DB51

Function 00007FF719424740 Relevance: 12.4, APIs: 8, Instructions: 401
memorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimePreciseAsFileTime.KERNEL32 ref: 00007FF719424796
HeapFree.KERNEL32 ref: 00007FF719424908
HeapFree.KERNEL32 ref: 00007FF7194249B1
RtlFreeHeap.NTDLL ref: 00007FF719424A13

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$Time$FilePreciseSystem
String ID:
API String ID: 1465647071-0
Opcode ID: 104fe460f8f9b8850f77478b062d6948d8b4e61141b7c96f7f5eee1019c5d081
Instruction ID: 746c5fbe2c90a9c82766647d5bb78a485c9c689d0c8216c26fade6aa509d7101
Opcode Fuzzy Hash: 104fe460f8f9b8850f77478b062d6948d8b4e61141b7c96f7f5eee1019c5d081
Instruction Fuzzy Hash: C512A022A18FC581E6659F25E4013EBE7B0FF95BA8F844221CE8D17B95EF38D199C710

Function 00007FF719429EB0 Relevance: 11.0, APIs: 7, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4ce4e9fcb133bc04e8ea4dac16a8700b966e8f493cf97da22114109e45849b
Instruction ID: bc22d7a9b70aeb8d5200915624aa2cbcd306b9e858291815165c7262791d1377
Opcode Fuzzy Hash: 8c4ce4e9fcb133bc04e8ea4dac16a8700b966e8f493cf97da22114109e45849b
Instruction Fuzzy Hash: 0412D322A18F8185E7609F25B4003ABE7A0FB45BA8F844236DF8D57B94DF7CD55AC310

Function 00007FF7194240F5 Relevance: 10.9, APIs: 7, Instructions: 356
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhOpenQueryA.PDH ref: 00007FF71942410E
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FF719424174
PdhCollectQueryData.PDH ref: 00007FF7194243E8
HeapFree.KERNEL32 ref: 00007FF71942451C

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Query$CollectDataFreeHeapOpenPrngProcess
String ID:
API String ID: 3928232094-0
Opcode ID: 56299d45b8a3767dd1089dfcb9909c2841be091ff165f65c4ddf2014de8a2b09
Instruction ID: 11e10527d983e5b5c66caca6ed808ba62d46d3f508f2888adcece64b6038dc7c
Opcode Fuzzy Hash: 56299d45b8a3767dd1089dfcb9909c2841be091ff165f65c4ddf2014de8a2b09
Instruction Fuzzy Hash: F5F18F36A18F8181E7949F11B4447ABA7B4FB84BA8F844226EE8D47794DF7CD09AC710

Function 00007FF71942B510 Relevance: 10.6, APIs: 7, Instructions: 125
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.COMBASE ref: 00007FF71942B553
SysFreeString.OLEAUT32 ref: 00007FF71942B5D7
CoSetProxyBlanket.COMBASE ref: 00007FF71942B60C
GetErrorInfo.OLEAUT32 ref: 00007FF71942B635
GetErrorInfo.OLEAUT32 ref: 00007FF71942B669
SysFreeString.OLEAUT32 ref: 00007FF71942B68A
GetErrorInfo.OLEAUT32 ref: 00007FF71942B6C2

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorInfo$FreeString$BlanketCreateInstanceProxy
String ID:
API String ID: 2152923335-0
Opcode ID: 9411ef3042773a73d791371d01144303e8c09a5e28d5ade10defe1591fb42805
Instruction ID: 50c527d97e499b8dfc5944b87fddf99e1ea0a6bdfc917b8e7c08213f08b3d68b
Opcode Fuzzy Hash: 9411ef3042773a73d791371d01144303e8c09a5e28d5ade10defe1591fb42805
Instruction Fuzzy Hash: F5517A32608A8186EB249F21F45476BFBA0FB95BA8F844034DE8E47B94DFBCD059C750

Function 00007FF719429620 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 00007FF719429647
GetErrorInfo.OLEAUT32 ref: 00007FF719429669
NtQueryInformationProcess.NTDLL ref: 00007FF7194296E1
HeapFree.KERNEL32 ref: 00007FF71942970D
HeapFree.KERNEL32 ref: 00007FF719429721

Strings

#, xrefs: 00007FF719429684

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeapInformationProcessQuery$ErrorInfo
String ID: #
API String ID: 2435025923-1885708031
Opcode ID: 6863145b0c4aa29cf997b5814dc6276171e2dd58b389ea234517c05b84439d7f
Instruction ID: c92aec9e28bafe7b94ae3963cbc260b6df65a77e9f03e81d4ddcd53a570f8cf2
Opcode Fuzzy Hash: 6863145b0c4aa29cf997b5814dc6276171e2dd58b389ea234517c05b84439d7f
Instruction Fuzzy Hash: 53319039609E0181FB64AF21F54076BA6B0BF98BE8F844135DE4E47BA4DE3CD45AC710

Function 00007FF71943B3D0 Relevance: 9.4, APIs: 6, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6a2a004aedbe4b75deed0182919b5831f1a34c511a19f76d54f4eb63ccf324
Instruction ID: 21e3f5fd687e9b2ec464d38a8701cc0392c7a4185b3e982078b8be66cd9427e0
Opcode Fuzzy Hash: 5e6a2a004aedbe4b75deed0182919b5831f1a34c511a19f76d54f4eb63ccf324
Instruction Fuzzy Hash: 2C02E572B09F5981EA65AE25D0403BBE3B1FB447E8F844136CE5E07794DF28E16AC310

Function 00007FF7193F9496 Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 531COMMON

Download Yara Rule

Strings

WQLEmptyNullStringI1I2I4I8R4R8BoolUI1UI2UI4UI8ArrayUnknownObjectIUnknownWrapperinnerIWbemClassWrapper, xrefs: 00007FF7193F7B6D
ROOT\CIMV2, xrefs: 00007FF7193F72C6

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ROOT\CIMV2$WQLEmptyNullStringI1I2I4I8R4R8BoolUI1UI2UI4UI8ArrayUnknownObjectIUnknownWrapperinnerIWbemClassWrapper
API String ID: 0-1905205246
Opcode ID: 0e42838405c456af271dce4768b272679c8c5829d5908e5295c0b397e84dd38d
Instruction ID: 0c737d695ed4e58c4a70c9faeaa48ed99a0acd318cb3e70dd0f0c8d27434a204
Opcode Fuzzy Hash: 0e42838405c456af271dce4768b272679c8c5829d5908e5295c0b397e84dd38d
Instruction Fuzzy Hash: 62528E32608BC285EB649F11E4403AABBB4FB84B94F948139DE8D47B56EF3CD416D790

Function 00007FF71942AF20 Relevance: 6.2, APIs: 4, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9187f2c49970debbfdbd814a7605ba111c58eadf39de561fdb530202c53463cc
Instruction ID: 66acf9b5f40b65ece92889136607fed7041add0de3936ab28b9de06ba7f735b6
Opcode Fuzzy Hash: 9187f2c49970debbfdbd814a7605ba111c58eadf39de561fdb530202c53463cc
Instruction Fuzzy Hash: 46617B22F19E4645F6696E11A4103BBDAA1BF457FCF840235DE6E46BD4DE3CE02AD320

Function 00007FF7194153A0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ecb8fca5bfe1c33a3cfc75f5cd9a69e9b5c2971b915f93e97784e878837649c
Instruction ID: ce97dff4ba69c81a07224359a1e09a32ce213668c2b92953dbdfedaa596fc3ac
Opcode Fuzzy Hash: 9ecb8fca5bfe1c33a3cfc75f5cd9a69e9b5c2971b915f93e97784e878837649c
Instruction Fuzzy Hash: 8B517E12A1DA81C6F7345E25A0403FBAB61E7453ACFA84234EE8D077C9CB3CE15AC794

Function 00007FF7193F1C9D Relevance: 15.2, APIs: 10, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetErrorInfo.OLEAUT32 ref: 00007FF7193F16A4
VariantToPropVariant.PROPSYS ref: 00007FF7193F1CE8
PropVariantToBSTR.PROPSYS ref: 00007FF7193F1D63
GetErrorInfo.OLEAUT32 ref: 00007FF7193F1E19
PropVariantClear.OLE32 ref: 00007FF7193F1E2C
GetErrorInfo.OLEAUT32 ref: 00007FF7193F1E7E
SysFreeString.OLEAUT32 ref: 00007FF7193F1E91
PropVariantClear.OLE32 ref: 00007FF7193F1E9F
SysFreeString.OLEAUT32 ref: 00007FF7193F1F4C
VariantClear.OLEAUT32 ref: 00007FF7193F207B

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Prop$ClearErrorInfo$FreeString
String ID:
API String ID: 570662331-0
Opcode ID: bebd55958e66e253b4849391341620331f60f95ae5790505315ea8cf5252a665
Instruction ID: b6d8b9e9bb53d209d7b6692d4d7aed58d4ae65f64445a61e2a1c16595a93ec80
Opcode Fuzzy Hash: bebd55958e66e253b4849391341620331f60f95ae5790505315ea8cf5252a665
Instruction Fuzzy Hash: 07A12732609BC585EB719F54F4443EAB3A4FB94768F80412ADACD43A68EF7CD14ACB50

Function 00007FF719410F60 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 294
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7194111BB
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7194111CE
WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71941126A
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71941127D
HeapFree.KERNEL32 ref: 00007FF71941134A
HeapFree.KERNEL32 ref: 00007FF7194113AE
HeapFree.KERNEL32 ref: 00007FF719411431

Strings

main, xrefs: 00007FF719411094

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: AddressWake$FreeHeap$Single
String ID: main
API String ID: 1240595486-3207122276
Opcode ID: bdb94416423033ee1f73b5047d5fb0997711d58cffea29daf9f7bb9d34a9806a
Instruction ID: 94eec7e978f594a57693bf47cce7eb6c7c746a69b0734b7539f0e717e326b69e
Opcode Fuzzy Hash: bdb94416423033ee1f73b5047d5fb0997711d58cffea29daf9f7bb9d34a9806a
Instruction Fuzzy Hash: 7BE18225A09E82C0EA61EF15D4443BBA3B4FB99BA8F944132CE5D437A5DF3CE45AC310

Function 00007FF7194292F0 Relevance: 9.1, APIs: 6, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsValidSid.ADVAPI32 ref: 00007FF719429307
GetLengthSid.ADVAPI32 ref: 00007FF719429314
CopySid.ADVAPI32 ref: 00007FF71942934A
CopySid.ADVAPI32 ref: 00007FF719429370
GetLastError.KERNEL32 ref: 00007FF71942937A
GetLastError.KERNEL32 ref: 00007FF719429397

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: CopyErrorLast$LengthValid
String ID:
API String ID: 2568129594-0
Opcode ID: 0e49618112296a34e2eb2a9b01751e4924692ee81ac4a8362ef5ee7b0b51c715
Instruction ID: 45018e02cd548e99f29a076cfd6c5ddcddf9db2ea6ada142e879657f033b1209
Opcode Fuzzy Hash: 0e49618112296a34e2eb2a9b01751e4924692ee81ac4a8362ef5ee7b0b51c715
Instruction Fuzzy Hash: 00214C29A09E0241FA946F22794037B92F57F59BE9F948434CE4D46394EE3CE4AAC360

Function 00007FF71942A743 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 00007FF71942A98E
GetLastError.KERNEL32 ref: 00007FF71942A998
K32GetPerformanceInfo.KERNEL32 ref: 00007FF71942A9DF

Strings

@, xrefs: 00007FF71942A981
wY, xrefs: 00007FF71942A8C4

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorGlobalInfoLastMemoryPerformanceStatus
String ID: @$wY
API String ID: 1018018668-360745159
Opcode ID: 6465437232a31e7a4ba4c861d441ae7e7ef74c1f711b79d65f2745a73d9a11ab
Instruction ID: 90c70d0a62d874f56464d4fa32fc881ac448c6ecf35e77c23bb25e6a666e3f1e
Opcode Fuzzy Hash: 6465437232a31e7a4ba4c861d441ae7e7ef74c1f711b79d65f2745a73d9a11ab
Instruction Fuzzy Hash: 76715C32A08EC181E7659B15F5453EBA3B5FB947A8F404225EE8C07B98DF3DD19ACB00

Function 00007FF7193FD450 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AddVectoredExceptionHandler.KERNEL32 ref: 00007FF7193FD45E
SetThreadStackGuarantee.KERNELBASE ref: 00007FF7193FD471
GetCurrentThread.KERNEL32 ref: 00007FF7193FD477
SetThreadDescription.KERNELBASE ref: 00007FF7193FD48E

Strings

main, xrefs: 00007FF7193FD484

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Thread$CurrentDescriptionExceptionGuaranteeHandlerStackVectored
String ID: main
API String ID: 3663057573-3207122276
Opcode ID: 5a80f7ec4fae98fced53f095b4c87e72f461f131b1fbde58c132a96d5f9f97f6
Instruction ID: cf4655c54b653ba0af64194e0f188df1061f7adfda98f86c4ade9687f46681b2
Opcode Fuzzy Hash: 5a80f7ec4fae98fced53f095b4c87e72f461f131b1fbde58c132a96d5f9f97f6
Instruction Fuzzy Hash: 1D314879A18E4281EB84EF10E49436AB3B0FB98B58F904135DE8E07765DF3CE15AC711

Function 00007FF7194293F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE ref: 00007FF719429472
GetLastError.KERNEL32 ref: 00007FF719429496
HeapFree.KERNEL32 ref: 00007FF7194294D1

Strings

ReadProcessMemory returned unexpected number of bytes readUnable to read process dataIntel x86MIPSRISC AlphaPPCSHXARMIntel Itanium-based x64RISC Alpha x64MSIL(Intel or AMD) x64Intel Itanium-based x86unknownARM x64CPU , xrefs: 00007FF7194294AF

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFreeHeapLastMemoryProcessRead
String ID: ReadProcessMemory returned unexpected number of bytes readUnable to read process dataIntel x86MIPSRISC AlphaPPCSHXARMIntel Itanium-based x64RISC Alpha x64MSIL(Intel or AMD) x64Intel Itanium-based x86unknownARM x64CPU
API String ID: 2093145822-811746041
Opcode ID: 51381de981be656762fccfaef145adf355968698ac8d16d05ffd77e0bcdf3b44
Instruction ID: 3dc0cc0f6158804c173d91ee17d25ee8c09b64dec5e41fd47de0b6c8bd294b49
Opcode Fuzzy Hash: 51381de981be656762fccfaef145adf355968698ac8d16d05ffd77e0bcdf3b44
Instruction Fuzzy Hash: 4D216036A19F4282E660AF12B94067BE2B4BB557F8F844135DE9D467E4DF3CD06AC310

Function 00007FF71942EE44 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF71942EE58

Part of subcall function 00007FF71942F120: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF71942F142

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF71942EE6D
__scrt_release_startup_lock.LIBCMT ref: 00007FF71942EEDB
__scrt_is_managed_app.LIBCMT ref: 00007FF71942EF52

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
String ID:
API String ID: 1321466686-0
Opcode ID: 3c6ad83e5cf6ee04d2b10ebb4389df0253d689530acf9a8e860adfa21f3ee168
Instruction ID: 3eac4ee3025e551bda6f2e398f3bc52aead340d57582c1237f8e22fd7378de86
Opcode Fuzzy Hash: 3c6ad83e5cf6ee04d2b10ebb4389df0253d689530acf9a8e860adfa21f3ee168
Instruction Fuzzy Hash: CE311625A08A0281FA64BF61A4153FBA2B0AF557ACFC44075EE4D476D7DE2CF46FC221

Function 00007FF719422140 Relevance: 6.1, APIs: 4, Instructions: 71memorythreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF71942219A
HeapFree.KERNEL32 ref: 00007FF7194221DA
HeapFree.KERNEL32 ref: 00007FF7194221EC
GetLastError.KERNEL32 ref: 00007FF7194221F2

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$CreateErrorLastThread
String ID:
API String ID: 1443094557-0
Opcode ID: 908a772330ffe284ec5ea7e4ee1c761596a100f1a8440f4522cc365b5c20ae0e
Instruction ID: 3abdf604fb7e7c60aa8d5ebbd03ffce6e910041be1b89d33d304b972fb6eb3e0
Opcode Fuzzy Hash: 908a772330ffe284ec5ea7e4ee1c761596a100f1a8440f4522cc365b5c20ae0e
Instruction Fuzzy Hash: 3E219625608F4141FB58AF22A9443BBA2B1BF59BE8F888035DE4C47754DE3CE09BC361

Function 00007FF71942B440 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE ref: 00007FF71942B44D
CoInitializeSecurity.COMBASE ref: 00007FF71942B48E
GetErrorInfo.OLEAUT32 ref: 00007FF71942B4AA
GetErrorInfo.OLEAUT32 ref: 00007FF71942B4DF

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorInfoInitialize$Security
String ID:
API String ID: 413594595-0
Opcode ID: ee577557710e3ff20b3bfabbc57fb21bbbc8e37046a28ced7eac5ab59fae3d02
Instruction ID: 97d520943e3e9276795f77eb5dd8bf66174b489ef8c42d35420286addaa1f8dc
Opcode Fuzzy Hash: ee577557710e3ff20b3bfabbc57fb21bbbc8e37046a28ced7eac5ab59fae3d02
Instruction Fuzzy Hash: 21116D32608A8182EB649F28F09476FA7A1FF85B68F904134DA8E47A84CFBCD009C710

Function 00007FF71942AAA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 00007FF71942AAD7
K32GetPerformanceInfo.KERNEL32 ref: 00007FF71942AB24

Strings

@, xrefs: 00007FF71942AACA

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: GlobalInfoMemoryPerformanceStatus
String ID: @
API String ID: 3163563144-2766056989
Opcode ID: 14ccefcfe9fe51394f1b229004149faf3558cd4997d3c21b7a03f785823ca065
Instruction ID: 8ed99d461adfefd36154887f08f3d83392fae065abcfc885bf94dc94ca722433
Opcode Fuzzy Hash: 14ccefcfe9fe51394f1b229004149faf3558cd4997d3c21b7a03f785823ca065
Instruction Fuzzy Hash: 0301C011958DC192E2365B28A4063F7A3B5BFE472DF405310FAC902764EF7AD2A7CB10

Function 00007FF719425CB5 Relevance: 4.7, APIs: 3, Instructions: 232timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00007FF719425DED
GetProcessTimes.KERNELBASE ref: 00007FF719425E63
GetLastError.KERNEL32 ref: 00007FF719425E6D

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Process$ErrorLastOpenTimes
String ID:
API String ID: 1188884809-0
Opcode ID: 952f96abda71e25ebcc561753b4c6614b160aa5578729c8a1a523bd0f357e6ef
Instruction ID: 2be18f34288f9f6903e10e263f8b5a12b7a36ea5f8b0aaffe5c53f834701c80c
Opcode Fuzzy Hash: 952f96abda71e25ebcc561753b4c6614b160aa5578729c8a1a523bd0f357e6ef
Instruction Fuzzy Hash: 3DC13832619BC181E7709B15F4403EAB7A0FB95B94F908226CACD17B99EF3CD159C740

Function 00007FF719427800 Relevance: 4.6, APIs: 3, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF719427A10: HeapFree.KERNEL32 ref: 00007FF719427A6C
Part of subcall function 00007FF719427A10: HeapFree.KERNEL32 ref: 00007FF719427AD6

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF719427900
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7194279A7
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7194279E4

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: AddressSingleWake$FreeHeap
String ID:
API String ID: 4197705244-0
Opcode ID: 10200e68ec3b0f703d8c0814d1b9fa833798532b108e22d78e19a1c38410394c
Instruction ID: 0b124838546a9ad6dafdf6f07b890472b38126fb67c1de07a10740d082e7eaac
Opcode Fuzzy Hash: 10200e68ec3b0f703d8c0814d1b9fa833798532b108e22d78e19a1c38410394c
Instruction Fuzzy Hash: 59517172A09A8141E762EF29E4013AFA7B0F755BA8F944036CF8D43655DF2DE0ABC350

Function 00007FF71943C180 Relevance: 4.6, APIs: 3, Instructions: 83COMMON

Download Yara Rule

APIs

WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71943C20C
GetLastError.KERNEL32 ref: 00007FF71943C214

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: AddressErrorLastWait
String ID:
API String ID: 1574541344-0
Opcode ID: b6657e0dd20e206b3906a48f93d9f26ef8d93301633b4a0c806cebab4e83e6f3
Instruction ID: b7b8d2a8d3f450d23abcc06f90c3104f2caa084bf7f767fb30432d07795cbbbf
Opcode Fuzzy Hash: b6657e0dd20e206b3906a48f93d9f26ef8d93301633b4a0c806cebab4e83e6f3
Instruction Fuzzy Hash: 17213836F0891242FA24AF67A80013BE7B0AB947EDF944035DE5D47694CE3CD95BCB14

Function 00007FF719422360 Relevance: 4.5, APIs: 3, Instructions: 31memorythreadCOMMON

Download Yara Rule

APIs

SetThreadStackGuarantee.KERNELBASE ref: 00007FF719422377
HeapFree.KERNEL32 ref: 00007FF7194223A8
HeapFree.KERNEL32 ref: 00007FF7194223BA

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$GuaranteeStackThread
String ID:
API String ID: 707462487-0
Opcode ID: 66d00cb258cb74d98166b4b66dc8822cc350b008ba4a16a88ee5117d97b016e1
Instruction ID: 84ecd60b3dc68b6e6b935bd8988d6ad16200276875ffa53c8857e61aac606f3e
Opcode Fuzzy Hash: 66d00cb258cb74d98166b4b66dc8822cc350b008ba4a16a88ee5117d97b016e1
Instruction Fuzzy Hash: D9F06D25608D4181E754AF26E80426AA3B1AB99BA8F884431CE4D43768CF38D09BC751

Function 00007FF7193F1000 Relevance: 3.1, APIs: 2, Instructions: 119memoryCOMMON

Download Yara Rule

APIs

GetErrorInfo.OLEAUT32 ref: 00007FF7193F10D8
HeapFree.KERNEL32 ref: 00007FF7193F11D3

Part of subcall function 00007FF7193F1530: HeapReAlloc.KERNEL32 ref: 00007FF7193F1679
Part of subcall function 00007FF7193F1530: GetErrorInfo.OLEAUT32 ref: 00007FF7193F16A4

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorHeapInfo$AllocFree
String ID:
API String ID: 2984634587-0
Opcode ID: 43b973bcaaef3d1ee88f4743413bfbcd8f9b9f9ebe56ad1af47da9617c73d417
Instruction ID: d1e01a5f2d1909de244646337c5b40c0a0ae8c835de3282396e16e1b8bc40e04
Opcode Fuzzy Hash: 43b973bcaaef3d1ee88f4743413bfbcd8f9b9f9ebe56ad1af47da9617c73d417
Instruction Fuzzy Hash: E4516D22A0CBC586EB619F59F0403AAF7B0FB95758F408129EBCD42655EF3CE089CB11

Function 00007FF7194294F0 Relevance: 3.1, APIs: 2, Instructions: 74COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(?,?,?,?,00000000,?,?,00000000,?,?,?,?,00007FF719429701), ref: 00007FF71942950E
LocalFree.KERNEL32 ref: 00007FF7194295CB

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ArgvCommandFreeLineLocal
String ID:
API String ID: 1203019955-0
Opcode ID: 7ea5468951f74cabbb3c7dc7317faa3e960f0c4893bfabd42287a116135260e9
Instruction ID: b778ac7d31245bc0e92308e6c6ca743643d433717cca778dc52d5c144f402f62
Opcode Fuzzy Hash: 7ea5468951f74cabbb3c7dc7317faa3e960f0c4893bfabd42287a116135260e9
Instruction Fuzzy Hash: 8A31AF27A18F4181E665AF15B5003ABA7B0FB897E8F844224EE9D16795DF3CE1DAC700

Function 00007FF71942AAE1 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF71942AAE1
K32GetPerformanceInfo.KERNEL32 ref: 00007FF71942AB24

Part of subcall function 00007FF7194240F5: NtQuerySystemInformation.NTDLL ref: 00007FF71942460B
Part of subcall function 00007FF7194240F5: GetErrorInfo.OLEAUT32 ref: 00007FF719424628

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorInfo$InformationLastPerformanceQuerySystem
String ID:
API String ID: 2723024872-0
Opcode ID: fe0aa4673ae50e7e3e03436d737138bacd2392ac09ddb365e7bb3c06fd4d4bf2
Instruction ID: ec7b84a266ac085574c781560a8693b2bfae4c2f65fb559210f260fe4cee3ce1
Opcode Fuzzy Hash: fe0aa4673ae50e7e3e03436d737138bacd2392ac09ddb365e7bb3c06fd4d4bf2
Instruction Fuzzy Hash: E4113B21A08EC482E6625B28B4053EAA3B5FFA47A8F005311FEDC46795DE3DD19A8B00

Function 00007FF7194260F4 Relevance: 2.6, APIs: 2, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF71942639C
HeapFree.KERNEL32 ref: 00007FF7194263F6

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 798245b7ab70c358bf1df9ed5a884c71b29f5f6043c8dc270fe3060bde0b6e6f
Instruction ID: 32b59618dfd0c625615e99fbac20106b908d3890e88987f50ab02cd441cc8f77
Opcode Fuzzy Hash: 798245b7ab70c358bf1df9ed5a884c71b29f5f6043c8dc270fe3060bde0b6e6f
Instruction Fuzzy Hash: AE516C72609FC581EA60DF15F4807EAA3A4FB98BA4F944136CE9D03B95DF38D16AC710

Function 00007FF719411A76 Relevance: 2.6, APIs: 2, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF719411BC5
HeapFree.KERNEL32 ref: 00007FF719411BD7

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 86f904aaa3c65c48738e3509c55a17962c12fa5348bd937c70632ad2560d5d40
Instruction ID: 8ba93633b154dedb53747c2b79c2a3cb66ef7641a139d675ddc82d7509e36edb
Opcode Fuzzy Hash: 86f904aaa3c65c48738e3509c55a17962c12fa5348bd937c70632ad2560d5d40
Instruction Fuzzy Hash: A8313022A18E41C0E750DF05E44437AA3B1FB987A8F954136DE8E47694EF3CE0DAC711

Function 00007FF719427B40 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF719427630: HeapFree.KERNEL32 ref: 00007FF71942768C
Part of subcall function 00007FF719427630: HeapFree.KERNEL32 ref: 00007FF7194276F6
Part of subcall function 00007FF719427630: HeapFree.KERNEL32 ref: 00007FF71942772C
Part of subcall function 00007FF719427630: HeapFree.KERNEL32 ref: 00007FF719427796

WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF719427C1D

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$AddressWake
String ID:
API String ID: 3299827928-0
Opcode ID: ed110cfc72df1d9bb5abb9f82d0b2c1370c7af3f9e3bcea856309d1ef38e4956
Instruction ID: 8e9de93fdbd9b5149f0031fbf2da555f5d70d133972f3027cb1098d6b02f15f0
Opcode Fuzzy Hash: ed110cfc72df1d9bb5abb9f82d0b2c1370c7af3f9e3bcea856309d1ef38e4956
Instruction Fuzzy Hash: 4E416232919FC082E651DF25E5403AAB370F799768F549225DFCD02626DF39E1EAC700

Function 00007FF71942C650 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL ref: 00007FF71942C67D

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a65fdc84a313883470fe09558d37892a7dbbe7e3a0d4a1aad14dc5d0bf84ca90
Instruction ID: 51b73f9dfb27a4317570c1b0529b9ad5724bf669b800ffa520b4ad75634ff9a8
Opcode Fuzzy Hash: a65fdc84a313883470fe09558d37892a7dbbe7e3a0d4a1aad14dc5d0bf84ca90
Instruction Fuzzy Hash: 6211D561E1DE1681FA596F6175043BE91B17F24B69F884076CD0D863C1DF2CD46BC219

Function 00007FF71943596C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7194359A0

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3daf18a492b336f48958c3f6006e67bae82e118ed740d741e7f2c2026eda6575
Instruction ID: 54000098a9bf10623db60cd24a3da78ea42c46f1192f02c8357053f601759c66
Opcode Fuzzy Hash: 3daf18a492b336f48958c3f6006e67bae82e118ed740d741e7f2c2026eda6575
Instruction Fuzzy Hash: 6211603691CA9282E610BF21944113BE2B5FF403F8FD40535EE8D87691EF2CE62AC760

Function 00007FF7193F5DE0 Relevance: 1.5, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,?,00000004,00000004,00007FF719439A04), ref: 00007FF7193F5E09

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0f346a6475d21e7ac84e8198129cd29b4544aa885fb9339a79c830c6606f6605
Instruction ID: 07c4454a70d9167e88e6b6c5b1579869f95259095953ce2a629195a7ada7fc94
Opcode Fuzzy Hash: 0f346a6475d21e7ac84e8198129cd29b4544aa885fb9339a79c830c6606f6605
Instruction Fuzzy Hash: D6F0FE31A09E0281FA986F11B9043B9D1F06F147E4F94803ACD8D467D4EF3C945BC312

Function 00007FF71943C240 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71943C2D9

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: AddressWake
String ID:
API String ID: 98804233-0
Opcode ID: 5a4fb9a1632a20af32b0cba92af7591ea6201659d8ddcd3c11e83cd5ac86dc82
Instruction ID: f94702d701646bd39b9ac437e2462393eef4549f56bf18610fef3b281748e252
Opcode Fuzzy Hash: 5a4fb9a1632a20af32b0cba92af7591ea6201659d8ddcd3c11e83cd5ac86dc82
Instruction Fuzzy Hash: 2FF02B33B085014BEB26CF64A41025AA3D0D7847ADB044131CF8A4B694DF3CC5C7CB44

Function 00007FF71943C2A9 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71943C2D9

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: AddressWake
String ID:
API String ID: 98804233-0
Opcode ID: 9177e388edf6cd5e13afea9d7598100ba0104a870d58dfe09ec343f647a51f84
Instruction ID: d628a095be0de065f56caa16f4f20ef24ee49ee81ee67257138cc4de6bc48ab1
Opcode Fuzzy Hash: 9177e388edf6cd5e13afea9d7598100ba0104a870d58dfe09ec343f647a51f84
Instruction Fuzzy Hash: D8E065279086114AE6269F65B01412EA760E7597FDF440131CE89069A4CE3CD2DBCF14

Function 00007FF719423DB0 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00007FF719423DB6

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: db880b177b4e332f209ae3891594c51cdc57423b1a6ca2fe16bcc4d58633f3e0
Instruction ID: e313724e52fda0ed9debfc85b71eca4481fc9e862f3b18cb41d83e3038add6f1
Opcode Fuzzy Hash: db880b177b4e332f209ae3891594c51cdc57423b1a6ca2fe16bcc4d58633f3e0
Instruction Fuzzy Hash: 5BA00224B15B9182D69C3F35585603A91705F24A15BA01839C907401558D6DD1AA8750

Function 00007FF719434414 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF719434469

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: e3b66ab36946cd814e3191d6e0603d68ba3655b68ec0b3218edca5d23f0afe4c
Instruction ID: 0220ae10b79a1a6df6d616e05cabb9b33598d98d7db2783bce9aed627d7bde0e
Opcode Fuzzy Hash: e3b66ab36946cd814e3191d6e0603d68ba3655b68ec0b3218edca5d23f0afe4c
Instruction Fuzzy Hash: C9F03C58B09A1241FEA4BEB195052F682B15F68FF8FC84430CD0D86391EE1CE66BC230

Non-executed Functions

Function 00007FF719419BD0 Relevance: 201.6, APIs: 107, Strings: 6, Instructions: 3882memoryCOMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00007FF719419C49
FreeEnvironmentStringsW.KERNEL32 ref: 00007FF719419E4F
CompareStringOrdinal.KERNEL32 ref: 00007FF71941A11F
CloseHandle.KERNEL32 ref: 00007FF71941E53E
GetLastError.KERNEL32 ref: 00007FF71941E5DE
CloseHandle.KERNEL32 ref: 00007FF71941E600
CloseHandle.KERNEL32 ref: 00007FF71941E60E
CloseHandle.KERNEL32 ref: 00007FF71941E61F
CloseHandle.KERNEL32 ref: 00007FF71941E63D
CloseHandle.KERNEL32 ref: 00007FF71941E656
CloseHandle.KERNEL32 ref: 00007FF71941E66F
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71941E688
HeapFree.KERNEL32 ref: 00007FF71941E6AA
HeapFree.KERNEL32 ref: 00007FF71941E6CC
HeapFree.KERNEL32 ref: 00007FF71941E6EE
HeapFree.KERNEL32 ref: 00007FF71941E705
HeapFree.KERNEL32 ref: 00007FF71941E72E

Strings

PATH#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid, xrefs: 00007FF71941D31F
\?\\, xrefs: 00007FF71941A948
]?\\, xrefs: 00007FF71941A950
.exeprogram not found, xrefs: 00007FF71941AAD7
p, xrefs: 00007FF71941E300
\cmd.exemaximum number of ProcThreadAttributes exceeded, xrefs: 00007FF71941C1C2, 00007FF71941C2C3

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle$Free$Heap$EnvironmentStrings$AddressCompareErrorLastOrdinalSingleStringWake
String ID: .exeprogram not found$PATH#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid$\?\\$\cmd.exemaximum number of ProcThreadAttributes exceeded$]?\\$p
API String ID: 2113584991-511396685
Opcode ID: 5fa8c446d8d9887713a4488d328d19734ddea3d4f1c4b1f91951140c4aeecb8a
Instruction ID: 336100b2ee5f7115f79e74b0d89b2f6697c101ad0f5007391514e68bb8f35d9e
Opcode Fuzzy Hash: 5fa8c446d8d9887713a4488d328d19734ddea3d4f1c4b1f91951140c4aeecb8a
Instruction Fuzzy Hash: E2839F62A08EC1C1E675AF15A4043BBA7B1FB84BA8F944135CE9D07B99DF3CE45AC710

Function 00007FF7194207A0 Relevance: 24.4, APIs: 16, Instructions: 399COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF719422A96
GetFullPathNameW.KERNEL32 ref: 00007FF719422AA8
GetLastError.KERNEL32 ref: 00007FF719422AB4
GetLastError.KERNEL32 ref: 00007FF719422ACE

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID:
API String ID: 2482867836-0
Opcode ID: e24c4dc0c7af3a511acf873f88959fec18c1e6850ff1b7f72b0e02d80dcb9514
Instruction ID: 739efba12b3d2af2053bc88d7b86b8d9173152355770add54649b6be9481e96b
Opcode Fuzzy Hash: e24c4dc0c7af3a511acf873f88959fec18c1e6850ff1b7f72b0e02d80dcb9514
Instruction Fuzzy Hash: DBF19D62A18F4281EA54AF12F4043ABE7B1FB44BA8F944435DE4D07B94DF7CD4AAC760

Function 00007FF71941604A Relevance: 19.8, APIs: 13, Instructions: 281memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF71941609F
HeapFree.KERNEL32 ref: 00007FF7194160B1
SetLastError.KERNEL32 ref: 00007FF719416176
GetEnvironmentVariableW.KERNEL32 ref: 00007FF719416188
GetLastError.KERNEL32 ref: 00007FF719416194
GetLastError.KERNEL32 ref: 00007FF7194161AE
HeapFree.KERNEL32 ref: 00007FF71941625A

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFreeHeapLast$EnvironmentVariable
String ID:
API String ID: 3632352037-0
Opcode ID: 989655814f3e13b94b90d13cbba6b1f80aced7731873db937b9ad3d8c78cda3c
Instruction ID: 47cceaa36518d133d150500edc82781d2914fa3478e85b73516a2681b45a0976
Opcode Fuzzy Hash: 989655814f3e13b94b90d13cbba6b1f80aced7731873db937b9ad3d8c78cda3c
Instruction Fuzzy Hash: F1C1AE26A08E4181E660AF15E44437BE3B1EB44BB8FA84135DE9D43795CF7CE09AC724

Function 00007FF719421A90 Relevance: 16.9, APIs: 11, Instructions: 373memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF719421AF0
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FF719421B21
HeapFree.KERNEL32 ref: 00007FF719421BF1

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Process$CurrentFreeHeapPrng
String ID:
API String ID: 2687294623-0
Opcode ID: bc5a0fc6f5540db4620ae3adc30b4bbd605ea8d129fa8dc8b93c0e1bc3d8ccaf
Instruction ID: 2a82e821dfd0596c6979c129bfcf1e8f4f13ee6d63099a06ea0392d6a1ef2d2d
Opcode Fuzzy Hash: bc5a0fc6f5540db4620ae3adc30b4bbd605ea8d129fa8dc8b93c0e1bc3d8ccaf
Instruction Fuzzy Hash: 34F1DD36A08F8185E7649F11B4003ABA6A1FB887B8F84423ADE9D43794DF7CE45AC750

Function 00007FF719416DF0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 343COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF719416F86
GetFullPathNameW.KERNEL32 ref: 00007FF719416F9A
GetLastError.KERNEL32 ref: 00007FF719416FA7
GetLastError.KERNEL32 ref: 00007FF719416FC1

Strings

\\?\\\?\UNC\, xrefs: 00007FF71941707D

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID: \\?\\\?\UNC\
API String ID: 2482867836-3975371117
Opcode ID: 194bec776990e58ab78f546e6f745d8a38fbf75298c8663cc40ba9e39f8608c2
Instruction ID: 7b09da97a842582e6c7d21d91d0cc93998c37730210524163374616ee6a021f5
Opcode Fuzzy Hash: 194bec776990e58ab78f546e6f745d8a38fbf75298c8663cc40ba9e39f8608c2
Instruction Fuzzy Hash: 8FE16C32A08E52C1EA60AF15E44437BA2B1FB457A8FA04535DE9D43794DF7CF4AAC360

Function 00007FF719413A20 Relevance: 14.5, APIs: 6, Strings: 2, Instructions: 454memorythreadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF719413A80
HeapFree.KERNEL32 ref: 00007FF71941405B
HeapFree.KERNEL32 ref: 00007FF71941427A
HeapFree.KERNEL32 ref: 00007FF71941428C
HeapFree.KERNEL32 ref: 00007FF7194142FD
HeapFree.KERNEL32 ref: 00007FF71941430F

Strings

<unknown>PATH#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid, xrefs: 00007FF719414187
main, xrefs: 00007FF7194141A9

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$SwitchThread
String ID: <unknown>PATH#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid$main
API String ID: 4159854540-1882161258
Opcode ID: 3a98e10e75aa7c3bbdbb407dd6d67e707269efdb5d41cc425f484672447b4b7c
Instruction ID: b6964c660524fdc1949b57d6505470d4e638245675ab8482c648b6c0ce36e455
Opcode Fuzzy Hash: 3a98e10e75aa7c3bbdbb407dd6d67e707269efdb5d41cc425f484672447b4b7c
Instruction Fuzzy Hash: 8C327E32918FC081E7508F21E8543BB73B0F765B9CF595238DE8D0A299CF79A19AC360

Function 00007FF719408F20 Relevance: 12.8, Strings: 10, Instructions: 333COMMON

Download Yara Rule

Strings

INFINITY, xrefs: 00007FF719408F91
-, xrefs: 00007FF719409189
NAN, xrefs: 00007FF719409083
-, xrefs: 00007FF71940912A
-, xrefs: 00007FF71940905C
-, xrefs: 00007FF7194090E1
<, xrefs: 00007FF71940923E
-, xrefs: 00007FF71940914D
+, xrefs: 00007FF719408F43
-, xrefs: 00007FF719408F3E

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +$-$-$-$-$-$-$<$INFINITY$NAN
API String ID: 0-3578884141
Opcode ID: ff8031eca7435475b68572b83a84c57ff33b673f09d9fd4322f5dbf2ce02a6c6
Instruction ID: 0fd7661405a02d48e4f23d9ae061f01b600563a5a3311fb7e2db932a10c1caf3
Opcode Fuzzy Hash: ff8031eca7435475b68572b83a84c57ff33b673f09d9fd4322f5dbf2ce02a6c6
Instruction Fuzzy Hash: F3C1033AA0C94241FAE1AE2494543FBE661AF447BCFDC4131DD4D962D1DE3DE9ABC220

Function 00007FF7194215E0 Relevance: 12.2, APIs: 8, Instructions: 215threadmemoryCOMMON

Download Yara Rule

APIs

InitializeProcThreadAttributeList.KERNEL32 ref: 00007FF719421634
HeapFree.KERNEL32 ref: 00007FF7194216AD
InitializeProcThreadAttributeList.KERNEL32 ref: 00007FF7194216C5
UpdateProcThreadAttribute.KERNEL32 ref: 00007FF719421729

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: AttributeProcThread$InitializeList$FreeHeapUpdate
String ID:
API String ID: 3328213773-0
Opcode ID: c944da4e7662f927c09eda50b897ea192e57b1ca58eea342e177adfe36839c44
Instruction ID: 7f990cc3a5cca521274c457871a5139f2277981e0b1f557067ee4d5a5d70cca6
Opcode Fuzzy Hash: c944da4e7662f927c09eda50b897ea192e57b1ca58eea342e177adfe36839c44
Instruction Fuzzy Hash: 2E81C669B19E4681EA54AF16A4447F7A2B1BF8CBF8F984231DD5D03394DE3CE05AC210

Function 00007FF7193F3BF0 Relevance: 11.8, Strings: 9, Instructions: 593COMMON

Download Yara Rule

Strings

\\, xrefs: 00007FF7193F3DAD
\u, xrefs: 00007FF7193F4000
}, xrefs: 00007FF7193F3FFB
IWbemClassWrapper, xrefs: 00007FF7193F453B
0123456789abcdef[, xrefs: 00007FF7193F3F85, 00007FF7193F4142
{, xrefs: 00007FF7193F41C4
\u, xrefs: 00007FF7193F41BD
}, xrefs: 00007FF7193F41B8
{, xrefs: 00007FF7193F4007

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0123456789abcdef[$IWbemClassWrapper$\\$\u$\u${${$}$}
API String ID: 0-2337650335
Opcode ID: b4dcbb6f3575be4fb808c18639e5d635e595360f3d0c2e8639a000fc8bb2716d
Instruction ID: 8c3d5ed1bdb4dac2de25b3ae777055a68b352e6381d34f39e32a5bc3825c51ea
Opcode Fuzzy Hash: b4dcbb6f3575be4fb808c18639e5d635e595360f3d0c2e8639a000fc8bb2716d
Instruction Fuzzy Hash: 75324D22B1C99246FF709F64A40CB79EB70EB51BA8FC44139DA4D13AD1DA3DD14AC722

Function 00007FF719418C90 Relevance: 10.7, APIs: 7, Instructions: 182filememoryCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32 ref: 00007FF719418DD9
GetFileInformationByHandleEx.KERNEL32 ref: 00007FF719418E14
GetLastError.KERNEL32 ref: 00007FF719418EBE
CloseHandle.KERNEL32 ref: 00007FF719418EDA
FindFirstFileW.KERNEL32 ref: 00007FF719418F0F
FindClose.KERNEL32 ref: 00007FF719418F1E
HeapFree.KERNEL32 ref: 00007FF719418FCC

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FileHandle$CloseFindInformation$ErrorFirstFreeHeapLast
String ID:
API String ID: 3677867274-0
Opcode ID: 0445f3f35f1d63ed32cc572b873c6131fa5efa2d55e0ae8ddc939cc8d020b090
Instruction ID: a1a7a91a2984385687973d847a6683168607ecd03b76af6421f825a90e9482aa
Opcode Fuzzy Hash: 0445f3f35f1d63ed32cc572b873c6131fa5efa2d55e0ae8ddc939cc8d020b090
Instruction Fuzzy Hash: BD815732608B8186E7749F15E4403ABB7B1FB947A8F508125DFCA46B94DF7CE09ACB50

Function 00007FF71942F3B8 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF71942F3D4
RtlCaptureContext.NTDLL ref: 00007FF71942F401
RtlLookupFunctionEntry.NTDLL ref: 00007FF71942F41B
RtlVirtualUnwind.NTDLL ref: 00007FF71942F45C
IsDebuggerPresent.KERNEL32 ref: 00007FF71942F4B0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF71942F4D1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF71942F4DC

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 40f74aeec278dc0b4ed8692fbd82faccefb9773f4f47e1fa3e6592142d04547c
Instruction ID: b62e97ce0fd84ee97e571c930de0dc25f116cfa81d273f8158637475ba8595e6
Opcode Fuzzy Hash: 40f74aeec278dc0b4ed8692fbd82faccefb9773f4f47e1fa3e6592142d04547c
Instruction Fuzzy Hash: 35314D76609E8185EB609F60E8403EEB3B0FB94758F844039DE4D47A98DF38D659C720

Function 00007FF7194337DC Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF719433855
RtlLookupFunctionEntry.NTDLL ref: 00007FF71943386D
RtlVirtualUnwind.NTDLL ref: 00007FF7194338A8
IsDebuggerPresent.KERNEL32 ref: 00007FF7194338E1
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7194338EB
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7194338F6

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 6db0eae2340264798065aa7446da7f38de82570c146f18533c35537213b19dc6
Instruction ID: 37d44f347a4510f897dd2206e6e605ba55a0123ad99af1f47993130b6a5e98f3
Opcode Fuzzy Hash: 6db0eae2340264798065aa7446da7f38de82570c146f18533c35537213b19dc6
Instruction Fuzzy Hash: C7315336608F8185DB609F25E8402AE73B0FB857A8F900135EE9D43B58DF3CD55ACB50

Function 00007FF7194088E0 Relevance: 9.1, Strings: 7, Instructions: 324COMMON

Download Yara Rule

Strings

+, xrefs: 00007FF71940890B
-, xrefs: 00007FF719408AE7
-, xrefs: 00007FF719408A85
-, xrefs: 00007FF719408906
-, xrefs: 00007FF719408B0B
NAN, xrefs: 00007FF719408A32
INFINITY, xrefs: 00007FF71940895E

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +$-$-$-$-$INFINITY$NAN
API String ID: 0-176520682
Opcode ID: 98e068ad37056ec9995d9d95118e3993f8b73c79113080f4e61d0759b0d2c983
Instruction ID: e116163dc769384248ad14bea28c72f77fe52a2def1f8d1c3c996feaae2fa596
Opcode Fuzzy Hash: 98e068ad37056ec9995d9d95118e3993f8b73c79113080f4e61d0759b0d2c983
Instruction Fuzzy Hash: 0DC13711E0CD4241FAA0AE1496403FBD671AF843B8FDC4231DD4D527D1DE6EE56EC622

Function 00007FF719434F7C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileExA.KERNEL32 ref: 00007FF71943504C
FindClose.KERNEL32 ref: 00007FF719435076
FindNextFileA.KERNEL32 ref: 00007FF7194350E9

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, xrefs: 00007FF719434F82
., xrefs: 00007FF7194350B0

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe
API String ID: 3541575487-273700198
Opcode ID: 56c4d5096090ad4553bb9af2360e9cecdd577b6f7de8b517e7bb815df88bfe2a
Instruction ID: 087adc665f66e12ba17ab8c423bc5ee0edc31a00bc1af718e2e4fec19582d807
Opcode Fuzzy Hash: 56c4d5096090ad4553bb9af2360e9cecdd577b6f7de8b517e7bb815df88bfe2a
Instruction Fuzzy Hash: D9410311B08DA245FA60AE7194046FBE3B19B86BFCF884131DE5D066C5DE3CD26BC350

Function 00007FF719411D40 Relevance: 8.2, APIs: 4, Strings: 1, Instructions: 657COMMON

Download Yara Rule

Strings

RUST_MIN_STACKfatal runtime error: something here is badly broken!, xrefs: 00007FF719412E92

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: RUST_MIN_STACKfatal runtime error: something here is badly broken!
API String ID: 0-3541298642
Opcode ID: d718f7ca95da5a16c32e018f72510c9828246170336ee8f00e39ca06a21a2c36
Instruction ID: e2c9b2507de597b4c4beb9864176322febeb48da3a411219936915f43cb05184
Opcode Fuzzy Hash: d718f7ca95da5a16c32e018f72510c9828246170336ee8f00e39ca06a21a2c36
Instruction Fuzzy Hash: CF726A72609FC181E6659F15A4443AAB7B0FB987A8F548235CEDC03795DF3CE1AAC710

Function 00007FF71943A2D0 Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 591COMMON

Download Yara Rule

Strings

modnarod, xrefs: 00007FF71943A6F9
uespemos, xrefs: 00007FF71943A6EC
arenegyl, xrefs: 00007FF71943A70B
setybdet, xrefs: 00007FF71943A71D

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: 07c4a18721397a9007824e1eb7835f53016bc29d8d0e3ee80955e7a7d790ba1c
Instruction ID: 03145446d4b5e24e761c04b267cf59ef0d01673ada993f7c0accb112797b2c4f
Opcode Fuzzy Hash: 07c4a18721397a9007824e1eb7835f53016bc29d8d0e3ee80955e7a7d790ba1c
Instruction Fuzzy Hash: B6222562F18F9582EA049F79A41056AB761FB85BF8F409336DEAE133D5DA3CC256C300

Function 00007FF71943D2D0 Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 572COMMON

Download Yara Rule

Strings

setybdet, xrefs: 00007FF71943D9E3
modnarod, xrefs: 00007FF71943D707
arenegyl, xrefs: 00007FF71943D720
uespemos, xrefs: 00007FF71943D6FA

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: f6869429580fcbe86a1aebb355acb7f0ab35209e6d4ed928cf56b71c9d93ecc2
Instruction ID: e3e00412fc13513a160e560f8e4a00207aad1d0429cf54732b3a1dc79a4aafa6
Opcode Fuzzy Hash: f6869429580fcbe86a1aebb355acb7f0ab35209e6d4ed928cf56b71c9d93ecc2
Instruction Fuzzy Hash: 3B322853E18FD581E605DF3895112BA6720F799BA8F48A334DFAD16692DF38E2D6C300

Function 00007FF719439A20 Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 569COMMON

Download Yara Rule

Strings

modnarod, xrefs: 00007FF719439E39
arenegyl, xrefs: 00007FF719439E46
setybdet, xrefs: 00007FF719439E58
uespemos, xrefs: 00007FF719439E2C

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: 179e9233c6c8072a5bda6d08b46d08e36c8ee2a95dc1a833813a41860633d4dd
Instruction ID: 723c148a0e159c5c1fd96c894f92be4627496cc1e7d2231046b84ecf04897f7e
Opcode Fuzzy Hash: 179e9233c6c8072a5bda6d08b46d08e36c8ee2a95dc1a833813a41860633d4dd
Instruction Fuzzy Hash: 662224B6B18F9581EB049F79A41156AA321E785BF8F908336DE6E533D5EE3CC256C300

Function 00007FF71943DFB0 Relevance: 8.0, APIs: 1, Strings: 4, Instructions: 546COMMON

Download Yara Rule

Strings

modnarod, xrefs: 00007FF71943E3B0
arenegyl, xrefs: 00007FF71943E3BD
uespemos, xrefs: 00007FF71943E3A3
setybdet, xrefs: 00007FF71943E3CF

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: 95971e91e5a4cffe41299828f37425548441baae9a585990b980fbf353cdf808
Instruction ID: 2e0e96cd6b81d41d12c157b495a2fbca037c0a0716e912aa5ab5178f18e25ea6
Opcode Fuzzy Hash: 95971e91e5a4cffe41299828f37425548441baae9a585990b980fbf353cdf808
Instruction Fuzzy Hash: 551249A2B15F9542EA249F79A40167BA761EB85BE4F809331DE6E137C5DF3CD246C300

Function 00007FF7194033D0 Relevance: 7.8, Strings: 6, Instructions: 329COMMON

Download Yara Rule

Strings

FFFFFFFF, xrefs: 00007FF71940352D
-, xrefs: 00007FF7194036E6
d, xrefs: 00007FF719403537
+, xrefs: 00007FF719403676
FFFFFFFF, xrefs: 00007FF719403401
-, xrefs: 00007FF71940366E

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +$-$-$FFFFFFFF$FFFFFFFF$d
API String ID: 0-1053537561
Opcode ID: 593f7d21cc9bec23c0a78bcdc2e08223371110083b76d33be5e39ff576dfdafd
Instruction ID: 8a54f44bf540e2ba6a3443a31b2928fec21a31ebe01445a59d7976e33c4f13cd
Opcode Fuzzy Hash: 593f7d21cc9bec23c0a78bcdc2e08223371110083b76d33be5e39ff576dfdafd
Instruction Fuzzy Hash: 6AB13B22F08D9142EAA4AE1685417FBEEE0AB11BF8F8D5631CE6D077D0E93D955BC310

Function 00007FF7193F3110 Relevance: 6.8, Strings: 5, Instructions: 541COMMON

Download Yara Rule

Strings

]0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000000000000000000000000000000000000000000000000000000000, xrefs: 00007FF7193F37EA
, : {,} }((,]0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000, xrefs: 00007FF7193F383B
,} }((,]0x0001020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989900000000000000000000000000000000000000000000000, xrefs: 00007FF7193F3819, 00007FF7193F3917
0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000, xrefs: 00007FF7193F32C1, 00007FF7193F3450, 00007FF7193F3616
00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000000000000000000000000000000000000000000000000000000000000, xrefs: 00007FF7193F313C, 00007FF7193F3370, 00007FF7193F3481, 00007FF7193F352C, 00007FF7193F365B, 00007FF7193F3687

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,} }((,]0x0001020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989900000000000000000000000000000000000000000000000$, : {,} }((,]0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000$00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000000000000000000000000000000000000000000000000000000000000$0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000$]0x00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000000000000000000000000000000000000000000000000000000000
API String ID: 0-2071427841
Opcode ID: e9cba40268eedb7b97191b433b4686c2d00fadda313a83c78542d69372e21008
Instruction ID: 6e10b3c4727a92014124f9e241890bc02b4ac78729befb4de3d5d020b6c0be05
Opcode Fuzzy Hash: e9cba40268eedb7b97191b433b4686c2d00fadda313a83c78542d69372e21008
Instruction Fuzzy Hash: 08222632B18A9582EB649F15E0107B9B760FB947A8F805239DE8E03BD1EF3DD54AC711

Function 00007FF7193F2BF0 Relevance: 5.6, Strings: 4, Instructions: 621COMMON

Download Yara Rule

Strings

)0123456789abcdef[, xrefs: 00007FF7193F30EA
IUnknown, xrefs: 00007FF7193F3044
0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000, xrefs: 00007FF7193F2CCC, 00007FF7193F2DD2, 00007FF7193F2FB0
,]0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000, xrefs: 00007FF7193F30BF

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: )0123456789abcdef[$,]0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000$0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000$IUnknown
API String ID: 0-1102945861
Opcode ID: 9c4c938acde91bd6008d320ed2a51f1aa1ce802be5f6e71dae5e31e0123f9179
Instruction ID: bd26ccbe1d39c3c8b3cb36ae3e7b1223e52d17fffd868983cfab836bb63de3f1
Opcode Fuzzy Hash: 9c4c938acde91bd6008d320ed2a51f1aa1ce802be5f6e71dae5e31e0123f9179
Instruction Fuzzy Hash: 9F326D33B2CA6182D7789F15E010BB9B660EB947A8F901335DE9E17BD0DE2DC516CB11

Function 00007FF71941E970 Relevance: 5.5, APIs: 3, Instructions: 969memoryCOMMON

Download Yara Rule

APIs

CompareStringOrdinal.KERNEL32 ref: 00007FF71941EA0E
HeapFree.KERNEL32 ref: 00007FF71941EA82
HeapFree.KERNEL32 ref: 00007FF71941EA9B

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$CompareOrdinalString
String ID:
API String ID: 3984308579-0
Opcode ID: 950de85a88c091dd21e4004f4fdde0dbde896fb1319e84ebe0b1f1acce1cf529
Instruction ID: 8112b6610f187df4e97f26ede15ea3ca8d05d506965a04f6af05a05718ba6726
Opcode Fuzzy Hash: 950de85a88c091dd21e4004f4fdde0dbde896fb1319e84ebe0b1f1acce1cf529
Instruction Fuzzy Hash: 25B28422918FC4C1E6229F18E4057EAB3B4FFA8798F559221DF9C13665EF35E1A6C700

Function 00007FF719434E6C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 174fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF719434414: HeapAlloc.KERNEL32 ref: 00007FF719434469

FindFirstFileExA.KERNEL32 ref: 00007FF71943504C
FindClose.KERNEL32 ref: 00007FF719435076
FindNextFileA.KERNEL32 ref: 00007FF7194350E9

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, xrefs: 00007FF719434F82

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$AllocCloseFirstHeapNext
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe
API String ID: 1986626903-2976275561
Opcode ID: c734659124528dbc49deeaae8ed06717fe1e44c661f23d57db9ea74f7eb45c44
Instruction ID: 66ee7434967ff91e96aaa7f3c12c6b790aa3a5bfed2626d6ee0cef86725e7fa6
Opcode Fuzzy Hash: c734659124528dbc49deeaae8ed06717fe1e44c661f23d57db9ea74f7eb45c44
Instruction Fuzzy Hash: 7F51FD25B18E6142FA10AE3694057BBE2A1AB85FF8F884231DE1D07BD5DE3CD267C314

Function 00007FF719434B90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF719434BC8

Part of subcall function 00007FF719433794: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7194339E6), ref: 00007FF7194337C1

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, xrefs: 00007FF719434BA3
*?, xrefs: 00007FF719434BEF

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe
API String ID: 2518042432-2358971015
Opcode ID: 0232d76f78ebb2758fae45bd42998701f585f0105d761c1567db8fbf1688985a
Instruction ID: 9928db01a5051ee3f441f2dc4a3fd88c91c62f85f7af6274898b31b194632f50
Opcode Fuzzy Hash: 0232d76f78ebb2758fae45bd42998701f585f0105d761c1567db8fbf1688985a
Instruction Fuzzy Hash: 3151C166B14EA685EB10EFB198100EEA7B4AB44BE8B854531DE1D17B85DF3CD16AC320

Function 00007FF7193F4D40 Relevance: 5.1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

arenegyl, xrefs: 00007FF7193F4D5F
modnarod, xrefs: 00007FF7193F4D52
setybdet, xrefs: 00007FF7193F4D6C
uespemos, xrefs: 00007FF7193F4D45

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: b53ee3dc563229a3e121e102d59622d1dafcecfc1a71ad0d7f919501d0d05ed5
Instruction ID: 76ec1cbf303cce7338208477d8689cb8b464b193edae1ecf70b097d3e639a449
Opcode Fuzzy Hash: b53ee3dc563229a3e121e102d59622d1dafcecfc1a71ad0d7f919501d0d05ed5
Instruction Fuzzy Hash: 8A3137E6B08B8042FE54DBE4787536B9222A7457D0F90E13AEE4D9BF1EDE2DD2424240

Function 00007FF719426660 Relevance: 5.1, Strings: 4, Instructions: 91COMMON

Download Yara Rule

Strings

uespemos, xrefs: 00007FF719426664
modnarod, xrefs: 00007FF719426671
arenegyl, xrefs: 00007FF71942667E
setybdet, xrefs: 00007FF71942668B

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: 537035319c30ec46fa3be5ca8e4e0f38031d99aaa15b71ee970a14fb9b46fb35
Instruction ID: f25b433d14cf9842a0093f7237761c4130dba47fec39b423f1f3b14a693c573f
Opcode Fuzzy Hash: 537035319c30ec46fa3be5ca8e4e0f38031d99aaa15b71ee970a14fb9b46fb35
Instruction Fuzzy Hash: E721F6E6B08B8442FE44DBE4787636B9262A3847C0F90E036EE4D9BB1EDF3DD2514640

Function 00007FF7194149E0 Relevance: 4.6, APIs: 3, Instructions: 65filenativesynchronizationCOMMON

Download Yara Rule

APIs

NtWriteFile.NTDLL ref: 00007FF719414A26
WaitForSingleObject.KERNEL32 ref: 00007FF719414A3B
RtlNtStatusToDosError.NTDLL ref: 00007FF719414A62

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileObjectSingleStatusWaitWrite
String ID:
API String ID: 3447438843-0
Opcode ID: ff2926c82701f16349109ba7b2b2f8b0d40f1a5e512d77a2efc1591088f02375
Instruction ID: 0cdbf5a45d04c12dfcf028cd8b0bef05757694932dd294b1cbf4c4191d8acaa8
Opcode Fuzzy Hash: ff2926c82701f16349109ba7b2b2f8b0d40f1a5e512d77a2efc1591088f02375
Instruction Fuzzy Hash: A321AC32A1CB8582E7509B24F440357B3A1EBD4364F958231EA9D42794EF7CE1D9CB00

Function 00007FF71943C710 Relevance: 4.1, Strings: 3, Instructions: 369COMMON

Download Yara Rule

Strings

GenuineI, xrefs: 00007FF71943CC24
Authenti, xrefs: 00007FF71943CBC4
HygonGen, xrefs: 00007FF71943CBE3

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Authenti$GenuineI$HygonGen
API String ID: 0-696657513
Opcode ID: 14a05d1007bf4751255e69e18bf7c88f4a0a8b1ca8a38ba49d4b390e210eea7d
Instruction ID: 447cda19a284b93967ec93457ab5f0739617431b03bf618ea840cf95013529a8
Opcode Fuzzy Hash: 14a05d1007bf4751255e69e18bf7c88f4a0a8b1ca8a38ba49d4b390e210eea7d
Instruction Fuzzy Hash: 10B17BA7B389A103FB598E16BD62BB64891B358BD8F547038ED5F87BC0C97DCA11C204

Function 00007FF7193FDDC0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 690COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF7193FF1BF

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 925872390141976ef33f80e9ad79504a24abc4f70c8bc6aa377e1941aa1d6911
Instruction ID: b0619f35205b7998b71e9b5393ceeb55653be3655f3daae36a0533bf6dd986af
Opcode Fuzzy Hash: 925872390141976ef33f80e9ad79504a24abc4f70c8bc6aa377e1941aa1d6911
Instruction Fuzzy Hash: 3F627F32608BC181EB709B15E4443EBB7A1F788798F844129DB8D47B99EF3CE54ACB11

Function 00007FF7193F2A60 Relevance: 3.4, Strings: 2, Instructions: 866COMMON

Download Yara Rule

Strings

0.ee--+NaNinf00e0)0123456789abcdef[, xrefs: 00007FF71940AA44, 00007FF71940AC2F, 00007FF71940ACC7, 00007FF71940AEBD, 00007FF71940B04B
0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000, xrefs: 00007FF7193F2B4D

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0.ee--+NaNinf00e0)0123456789abcdef[$0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000
API String ID: 0-1148296569
Opcode ID: 705f09fa26d367c52989b36b38cacb9bfa6117882df57ce40e5ce0692cf91b44
Instruction ID: ad2041e0c970d3690e3fe84a6f29065f3369fd648de7584c2ea7ccdc898c3410
Opcode Fuzzy Hash: 705f09fa26d367c52989b36b38cacb9bfa6117882df57ce40e5ce0692cf91b44
Instruction Fuzzy Hash: B982E232A1CB8181EBA19F14E4443AAB2B1FB803A8F945235DE8D07BE4DF7DD55AC750

Function 00007FF719439468 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7194396B5
RaiseException.KERNEL32 ref: 00007FF7194396C6

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 402b289977f7ea5324dd44b01ff3ffbdff8edebea9ab7a901136a953af1109ca
Instruction ID: aad3e5fe70fa811b690e75ab204b8e2bb8ea335dd881e572e742166f5a3b181b
Opcode Fuzzy Hash: 402b289977f7ea5324dd44b01ff3ffbdff8edebea9ab7a901136a953af1109ca
Instruction Fuzzy Hash: BFB17977604B94CBEB19DF29C881369BBB0F784B9CF148921DA5D837A4CB39D466C710

Function 00007FF719429B80 Relevance: 3.1, APIs: 2, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

CallNtPowerInformation.POWRPROF ref: 00007FF719429C03
HeapFree.KERNEL32 ref: 00007FF719429D16

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: CallFreeHeapInformationPower
String ID:
API String ID: 2434942627-0
Opcode ID: ec9a4f8239c59fb008051ae9490cc599cc0269061da6c6f501c7f5f2d4168d69
Instruction ID: 2145c58c11070fef284700ab90a56c4eb4dacf859e1efe29198d4e71b088a4ae
Opcode Fuzzy Hash: ec9a4f8239c59fb008051ae9490cc599cc0269061da6c6f501c7f5f2d4168d69
Instruction Fuzzy Hash: 7A41E675B29F0141EA55AF16B50067AA6F5BB44BF4F844635CE6E437D0DE3CE066C320

Function 00007FF719410A40 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

setybdet, xrefs: 00007FF719410AAD
arenegyl, xrefs: 00007FF719410AB7

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: arenegyl$setybdet
API String ID: 0-2199462733
Opcode ID: 0164fea7b49c2b2bb52f027481c7429a2554de76c65e751bdbeb65e442ba6dba
Instruction ID: 62fff5be4611b85fb9fe1021a29d72994cb857d285be88ac3a6e45c0fa11c855
Opcode Fuzzy Hash: 0164fea7b49c2b2bb52f027481c7429a2554de76c65e751bdbeb65e442ba6dba
Instruction Fuzzy Hash: 6B517C23B446A185F2A4AF75BA503E76A60F318758FC85121DF8C87311EF38DAE78340

Function 00007FF7194046D0 Relevance: 2.1, Strings: 1, Instructions: 857COMMON

Download Yara Rule

Strings

+NaNinf00e0)0123456789abcdef[, xrefs: 00007FF719404829, 00007FF719405BD9

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +NaNinf00e0)0123456789abcdef[
API String ID: 0-2384358695
Opcode ID: 6afff7df6cb84d95af471487224147f7ca696779b4dec658d170c7bfea696783
Instruction ID: 71fd9093f2d2bd7fceebabf9afc5f3a711dc9da7d479707318a293bafc4b4a5b
Opcode Fuzzy Hash: 6afff7df6cb84d95af471487224147f7ca696779b4dec658d170c7bfea696783
Instruction Fuzzy Hash: C872E572E19BC142EA649F01A0407FAA770EBD57A8F988335DE9D03A85DF6CD195CB40

Function 00007FF71942DFF0 Relevance: 1.9, Strings: 1, Instructions: 685COMMON

Download Yara Rule

Strings

0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000, xrefs: 00007FF71942E0D2, 00007FF71942E1DD, 00007FF71942E320, 00007FF71942E4E6, 00007FF71942E760, 00007FF71942E991

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000
API String ID: 0-528166994
Opcode ID: 177899f69a30b83c0af9f94e933b7b8987c5fe5214a1e6ce76235c91d1fe9612
Instruction ID: 6f8baa7d2984c8335c3f5be68a8d874114ab3a05acb29acbb60315d79a1ec7f4
Opcode Fuzzy Hash: 177899f69a30b83c0af9f94e933b7b8987c5fe5214a1e6ce76235c91d1fe9612
Instruction Fuzzy Hash: 37324932B18A9182E7749F15F000BFAA660FB517A8FC05235DE9E17BD0CB3DA52AC751

Function 00007FF7193F3930 Relevance: 1.9, Strings: 1, Instructions: 680COMMON

Download Yara Rule

Strings

0.ee--+NaNinf00e0)0123456789abcdef[, xrefs: 00007FF71940BB2C, 00007FF71940BD17, 00007FF71940BDAF, 00007FF71940BFC5, 00007FF71940C153

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0.ee--+NaNinf00e0)0123456789abcdef[
API String ID: 0-4188985375
Opcode ID: 79890adfb8bc154ac4d888d0f3179f3684b3303b0a2e77f43360038f1b49795e
Instruction ID: 7f26fd52491db4b0873ce778a66bbf8df1a73235e77d7b63f4cf9d18987eb648
Opcode Fuzzy Hash: 79890adfb8bc154ac4d888d0f3179f3684b3303b0a2e77f43360038f1b49795e
Instruction Fuzzy Hash: AC52A432A1DB8181E7A19F14E4403ABA3B1FB803A8F944235DE9D07B98DF7DD55ACB14

Function 00007FF719404820 Relevance: 1.9, Strings: 1, Instructions: 635COMMON

Download Yara Rule

Strings

+NaNinf00e0)0123456789abcdef[, xrefs: 00007FF719404829, 00007FF719405BD9

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +NaNinf00e0)0123456789abcdef[
API String ID: 0-2384358695
Opcode ID: 8a15915c14b6dad6f93c73035314e9fb10ea180711ba590e246142a47a64dd8a
Instruction ID: d0fa10f1e987422c11aefb758a53f266fe73adc9bd9191215e645d9b781cb03f
Opcode Fuzzy Hash: 8a15915c14b6dad6f93c73035314e9fb10ea180711ba590e246142a47a64dd8a
Instruction Fuzzy Hash: F252E573A19BC146E6B09F01A0407FAA770EBD97A8F984335DE9912B85DF7CE095CB40

Function 00007FF7193FFE60 Relevance: 1.8, Instructions: 1779COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e8f5ad5dd13e0867f4e1dacf8e5b3d3b523346aff363390bf6142720fae954
Instruction ID: e345897404c7abda68324a7ccc86cb754f47bc413c0024cc7d456f3e85efbede
Opcode Fuzzy Hash: 06e8f5ad5dd13e0867f4e1dacf8e5b3d3b523346aff363390bf6142720fae954
Instruction Fuzzy Hash: 5CD2B4A7F45AD043FA60CFE4B4607D7AB61FB95788F44A026DE8C93B09DE38C6918744

Function 00007FF719406AF0 Relevance: 1.7, Strings: 1, Instructions: 485COMMON

Download Yara Rule

Strings

+NaNinf00e0)0123456789abcdef[, xrefs: 00007FF719406AF9

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +NaNinf00e0)0123456789abcdef[
API String ID: 0-2384358695
Opcode ID: e2f99b4e2bbfd12d4e75b894faa676f3925af17ed298a83248089a69ed283514
Instruction ID: 522e679131d2ba117ffc32185052f46228bab9848856cbe4528c24c8519d4d9d
Opcode Fuzzy Hash: e2f99b4e2bbfd12d4e75b894faa676f3925af17ed298a83248089a69ed283514
Instruction Fuzzy Hash: 61F18B72718B9583DB44DF65E8042AAEB61F740BD8F984135EE4E47B88CE3CD96AC700

Function 00007FF7194071E0 Relevance: 1.7, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

+NaNinf00e0)0123456789abcdef[, xrefs: 00007FF7194071EB

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +NaNinf00e0)0123456789abcdef[
API String ID: 0-2384358695
Opcode ID: 63fb08ce134a1876497834fbfa7686dd1416f72865187cab584f3a596cfc9a74
Instruction ID: 9b6cde60e051e2a6f06b830f6c9a364d43813256a4c44015e38d91d817a60d0b
Opcode Fuzzy Hash: 63fb08ce134a1876497834fbfa7686dd1416f72865187cab584f3a596cfc9a74
Instruction Fuzzy Hash: 46E15D72F19A9543EE68DE2498503BE9691AB847E8F998431CD4E07BC0DE3CA95BC311

Function 00007FF7193FF200 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

x, xrefs: 00007FF7193FF33B

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: 655615e668a32a333fbe7ebac06fbf3d2f61645a69bb48ea104703aef8e52571
Instruction ID: f72a7b37eef19faa0c7a4b213389a3b2c5f21ec022c52eb24d003a0c2f7bbc44
Opcode Fuzzy Hash: 655615e668a32a333fbe7ebac06fbf3d2f61645a69bb48ea104703aef8e52571
Instruction Fuzzy Hash: A702A336619FC584D6B18B19F8803DAB3A4F798794F548226DECC53B19EF78D198CB00

Function 00007FF7194299B0 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL ref: 00007FF7194299E9

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 10e9138612ea2870d11cd6da35c1ce88293fa70dfc1ed33709475503f47d7329
Instruction ID: c4c582e6c287d7844f53a9db4afea0aae3de2f5c1e192f97acf93d180da20662
Opcode Fuzzy Hash: 10e9138612ea2870d11cd6da35c1ce88293fa70dfc1ed33709475503f47d7329
Instruction Fuzzy Hash: FFF0863DA08A5581E774AF11F1013EAA370EB587A8F944531CB4E17794CA3CD55BCB10

Function 00007FF719430DE4 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF719430E20

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 55c9d86daa9c82bbed98e8762f1898e164d310721818ed04656cb74e2f17e478
Instruction ID: d223742a27d19fb92df744d131a617a94f517ebfca8fccb7469c901572db3b3e
Opcode Fuzzy Hash: 55c9d86daa9c82bbed98e8762f1898e164d310721818ed04656cb74e2f17e478
Instruction Fuzzy Hash: A341D232714E548AEF48EF2AD4141AAB3B1B758FE8B899132DE0D87754EE3CD15AC340

Function 00007FF7193F4ED0 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11233f3203f44a8d52b6f36193fe8e041c9bf36cf7265d154777a10529cda472
Instruction ID: f0d1082f2565f1a001eeb47706cd4f8918955ca34e35583bde5e3dcd925841fa
Opcode Fuzzy Hash: 11233f3203f44a8d52b6f36193fe8e041c9bf36cf7265d154777a10529cda472
Instruction Fuzzy Hash: 56323822F1CA9242EE10EE259404ABAEB21EB557A8FC45335EE4E536C5FF3CD54AC311

Function 00007FF71940CC30 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f74e0904647ab47a3ec70489c98d78e0712ecbf22d9bd3c13f8f94284c49827
Instruction ID: 360275f0c291a71b8983627a6a628fa1884168c280ad70c7916750679bc6ecbd
Opcode Fuzzy Hash: 7f74e0904647ab47a3ec70489c98d78e0712ecbf22d9bd3c13f8f94284c49827
Instruction Fuzzy Hash: 52F12762E29FC182E3525B3854013FBF724AFEB798F84D322EED531A81DB689156D214

Function 00007FF7193FF990 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31be5707e724445f2252c5881b99883c2d0881c28b889c9f2e2d75c82b7ba2b
Instruction ID: 5e1589d1126e8265170e2216aa57ffc0f49dd187af78fc69c57da152fe37c094
Opcode Fuzzy Hash: e31be5707e724445f2252c5881b99883c2d0881c28b889c9f2e2d75c82b7ba2b
Instruction Fuzzy Hash: DEB10866F81BA443DA188F85B85179AA365B3C9BD4F45E026DE4CA7F58ED3CC9038340

Function 00007FF719420860 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a43fb75938622ecc89e568e1b1af2ed9744f7fa5f91b6e5357eac623a75edd7
Instruction ID: 966a4a98af83d3838cc046514a21df06aaed938b23ed3ae5b6c876b78112ac58
Opcode Fuzzy Hash: 6a43fb75938622ecc89e568e1b1af2ed9744f7fa5f91b6e5357eac623a75edd7
Instruction Fuzzy Hash: 2EB10252E1CE4241FA255E15A1103BBEBF2BF507ACF845231DE9B077D1EE6CE56AC210

Function 00007FF71941561B Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7ef7116775b5135d93d3f5f4916e2978da80738964e10cbb3d34a4c80a3dc7
Instruction ID: af01c3fd584e27884f24562e073b4ebd0ac86dfac84a451cc024c28c2c1765c7
Opcode Fuzzy Hash: da7ef7116775b5135d93d3f5f4916e2978da80738964e10cbb3d34a4c80a3dc7
Instruction Fuzzy Hash: 40A17892D1CA95C8F7225D649410BFBEAA15701379FEC9331CD7E121C0DAA879BBD3A0

Function 00007FF7193F6D00 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e190796d52877904b2f7036acb285d6a2357fc17dac6f35cdb6d8c91d7262f5d
Instruction ID: d3b7a9e53914f9ec273c3a75b1c7a8dde5e26329f052b9363079ea1116e79e21
Opcode Fuzzy Hash: e190796d52877904b2f7036acb285d6a2357fc17dac6f35cdb6d8c91d7262f5d
Instruction Fuzzy Hash: 98513696F18B8541FE109B7864113BAD320AF967D8F84A33AEECD66A55FF3CD1468240

Function 00007FF7193F65F0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b0bec211e6195bb120cdd5099edde79d6a45dd3d239ce56b518f5aae1f642a
Instruction ID: a7cab7e7553e3a3cdf64e1aefc271de5eadbe9912a8622da3be1eaa383a3afa2
Opcode Fuzzy Hash: e9b0bec211e6195bb120cdd5099edde79d6a45dd3d239ce56b518f5aae1f642a
Instruction Fuzzy Hash: D2414972F14A6542FF14CF61A674E386662E390FE8F81913ACD1A13B90DE28D85AD341

Function 00007FF719409400 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9775d2703ff0c20151bb12cba428608931df9f6d74f872bf3b80d424fcb634d
Instruction ID: 2478c623ce55db3562ddc86cdd3e67db444ea39aff397bb73a6d849fce2e7c56
Opcode Fuzzy Hash: c9775d2703ff0c20151bb12cba428608931df9f6d74f872bf3b80d424fcb634d
Instruction Fuzzy Hash: 46315976F19D1603FEA8992999217F641924B417F4ED89330DD3E8BBD8E92C945AC110

Function 00007FF719439280 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666be09939b598d6dd5efa9e60ad622723159b4466b6cc905416c5108f0645ab
Instruction ID: 9aaa4c1d0753a7cbfb130273d089f1486b7f2e49c0b629e2165e6da23c9c5be2
Opcode Fuzzy Hash: 666be09939b598d6dd5efa9e60ad622723159b4466b6cc905416c5108f0645ab
Instruction Fuzzy Hash: A4F0C875B19A518BDBD49F68A44266AB7E1F7583D4F908039D98CC3F04C63CC061CF14

Function 00007FF71942F3A8 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab6bf9516f8b2bfb3011f8bb532ff976483aeb6874551f9edb41a2ce433879b
Instruction ID: a612a396ec0b4d78a4f618bb1c09764e97054e86f74fabbd0b7dea3fc7afa454
Opcode Fuzzy Hash: 4ab6bf9516f8b2bfb3011f8bb532ff976483aeb6874551f9edb41a2ce433879b
Instruction Fuzzy Hash: 2DA00125908C0294E649AF10AA60062A2B1BB64369BC10175C80D81069AE2CA56AC664

Function 00007FF719422440 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 293memoryfileCOMMON

Download Yara Rule

APIs

ReadFileEx.KERNEL32 ref: 00007FF719422666
SleepEx.KERNEL32 ref: 00007FF71942267A
CloseHandle.KERNEL32 ref: 00007FF7194227DB
CloseHandle.KERNEL32 ref: 00007FF7194227E0
HeapFree.KERNEL32 ref: 00007FF71942282A
HeapFree.KERNEL32 ref: 00007FF7194228D8
HeapFree.KERNEL32 ref: 00007FF7194228EA

Strings

main, xrefs: 00007FF719422567

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$CloseHandle$FileReadSleep
String ID: main
API String ID: 1055633282-3207122276
Opcode ID: 2ad78091861c12846a0f5148fef5463d9080a29c8e8d0a25bc5919945dac62a8
Instruction ID: 56fcb573a763f7602b705791ad289c37ba991b481e1e8ae75a277ba54fe20f05
Opcode Fuzzy Hash: 2ad78091861c12846a0f5148fef5463d9080a29c8e8d0a25bc5919945dac62a8
Instruction Fuzzy Hash: 5FD17525A08E4181EB68AF15F4503BBA3B0FB94BA8F944135DE4D43794DF3CE5AAC711

Function 00007FF719416690 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 138memorylibraryloaderCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF719416743
GetLastError.KERNEL32 ref: 00007FF71941675E
GetLastError.KERNEL32 ref: 00007FF719416778
HeapFree.KERNEL32 ref: 00007FF719416800
GetLastError.KERNEL32 ref: 00007FF719416839
HeapFree.KERNEL32 ref: 00007FF719416855
GetModuleHandleA.KERNEL32 ref: 00007FF719416872
GetProcAddress.KERNEL32 ref: 00007FF719416887

Strings

kernel32, xrefs: 00007FF71941686B
GetTempPath2W, xrefs: 00007FF71941687D

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FreeHeap$AddressHandleModuleProc
String ID: GetTempPath2W$kernel32
API String ID: 945766713-407914046
Opcode ID: 5605e513ce9e32255ab3d05cecbf6f3774abd73f92c90a0121b774093a6f9a76
Instruction ID: 7c58dd425e163ac3d7358761a2f18a6df6fe6836cd872745ccbb9d797d838b73
Opcode Fuzzy Hash: 5605e513ce9e32255ab3d05cecbf6f3774abd73f92c90a0121b774093a6f9a76
Instruction Fuzzy Hash: 3251EE25A09E4282F620AF15A804377E3B0BB547BCFE44536DE5D53694DF7CE0AEC620

Function 00007FF719416B50 Relevance: 13.7, APIs: 9, Instructions: 176memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71941604A: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF719416493

CreateFileW.KERNEL32 ref: 00007FF719416CC3
GetLastError.KERNEL32 ref: 00007FF719416CEB
SetFileInformationByHandle.KERNEL32 ref: 00007FF719416D14
HeapFree.KERNEL32 ref: 00007FF719416D58
GetLastError.KERNEL32 ref: 00007FF719416D6B
HeapFree.KERNEL32 ref: 00007FF719416D94
GetLastError.KERNEL32 ref: 00007FF719416DA5
CloseHandle.KERNEL32 ref: 00007FF719416DB9
HeapFree.KERNEL32 ref: 00007FF719416DD5

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$ErrorLast$FileHandle$CloseCreateInformation
String ID:
API String ID: 910738790-0
Opcode ID: f0a1c335fddc2b081e6868987c1cae8b888d9ce2031ee9c6f2b73a3eb6e1ea87
Instruction ID: f02604dcf8697c209de9068164d08dd31b82f54c2edb4fd963cc7118310e0907
Opcode Fuzzy Hash: f0a1c335fddc2b081e6868987c1cae8b888d9ce2031ee9c6f2b73a3eb6e1ea87
Instruction Fuzzy Hash: BE71E351A0CA5282FB60AF16951037BA7B0EB457A8FA40135DE8D07AC4DF2DF4BEC720

Function 00007FF71942108E Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 254COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7194210A6
DuplicateHandle.KERNEL32 ref: 00007FF7194210D2
GetLastError.KERNEL32 ref: 00007FF71942121E
CloseHandle.KERNEL32 ref: 00007FF71942125B
CloseHandle.KERNEL32 ref: 00007FF719421530

Strings

RUST_MIN_STACKfatal runtime error: something here is badly broken!, xrefs: 00007FF71942129E

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Handle$Close$CurrentDuplicateErrorLastProcess
String ID: RUST_MIN_STACKfatal runtime error: something here is badly broken!
API String ID: 1869159801-3541298642
Opcode ID: b93176c6b91049284afab0887def83b06ca28ec74641455f65aefc60b5919201
Instruction ID: f4313deb7d489be8ca7ea375eed7451c91226aebda139ec6b5203a703e3bfea2
Opcode Fuzzy Hash: b93176c6b91049284afab0887def83b06ca28ec74641455f65aefc60b5919201
Instruction Fuzzy Hash: 48B1A725A09E4241FA55AF11A4403BBA7B0FF99BA8F944571DE4E03795DF3CE46BC320

Function 00007FF719435C04 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF719435A99,?,?,00000000,00007FF7194319E4), ref: 00007FF719435C89
GetLastError.KERNEL32(?,?,00000000,00007FF719435A99,?,?,00000000,00007FF7194319E4), ref: 00007FF719435C97
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF719435A99,?,?,00000000,00007FF7194319E4), ref: 00007FF719435CC1
FreeLibrary.KERNEL32(?,?,00000000,00007FF719435A99,?,?,00000000,00007FF7194319E4), ref: 00007FF719435D07
GetProcAddress.KERNEL32(?,?,00000000,00007FF719435A99,?,?,00000000,00007FF7194319E4), ref: 00007FF719435D13

Strings

api-ms-, xrefs: 00007FF719435CA9
MZx, xrefs: 00007FF719435C22, 00007FF719435CD2, 00007FF719435CF0

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: MZx$api-ms-
API String ID: 2559590344-259127448
Opcode ID: f2e26ac8825cf457cbafa1647916896e25036d89d3c965aed87dd1a64f96d237
Instruction ID: ae742e31218cb3fcfd05a3b47ee02c07464edcb0d3628e826b98d2a0f323f66a
Opcode Fuzzy Hash: f2e26ac8825cf457cbafa1647916896e25036d89d3c965aed87dd1a64f96d237
Instruction Fuzzy Hash: 8331D621A2AE5281EE51FF26A8101B6E3B4BF04BB8F994535DD1D0B354EF3CE15AC360

Function 00007FF719419570 Relevance: 12.2, APIs: 8, Instructions: 227memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF71941976B
HeapFree.KERNEL32 ref: 00007FF71941977D
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7194197A1
HeapFree.KERNEL32 ref: 00007FF7194197FF
HeapFree.KERNEL32 ref: 00007FF719419811
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71941982E
HeapFree.KERNEL32 ref: 00007FF7194198B4
HeapFree.KERNEL32 ref: 00007FF7194198C6

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$AddressSingleWake
String ID:
API String ID: 2995119335-0
Opcode ID: 94362c2dee94ac0e1db62c5d23b458bc634988d2173e6a05fd2ae0cdd0081ff0
Instruction ID: ef5e5688c5ae6f6bf055a295d7ba62a5b6dd114e1d6452d8717c13d53f775909
Opcode Fuzzy Hash: 94362c2dee94ac0e1db62c5d23b458bc634988d2173e6a05fd2ae0cdd0081ff0
Instruction Fuzzy Hash: 2FA15139A19E4181FA94EF15A44037BA3B1AF95BA8F944032CE5D433A1DF2DF46BC321

Function 00007FF719426470 Relevance: 11.4, APIs: 9, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF719426492
HeapFree.KERNEL32 ref: 00007FF7194264DC
HeapFree.KERNEL32 ref: 00007FF7194264F4
HeapFree.KERNEL32 ref: 00007FF7194265B4

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5530337a3b1a5ca4cd145474f9dae2a9150a13d2ce605fc52d83da4e957db690
Instruction ID: af21c009dc035bccfa1166127ecc84698889e2fdd57bc520218544eeec375b62
Opcode Fuzzy Hash: 5530337a3b1a5ca4cd145474f9dae2a9150a13d2ce605fc52d83da4e957db690
Instruction Fuzzy Hash: C551F115A09E4181EA749F16B4443BB93B1BF54B68F884436CE4D07394DE3CE49AC361

Function 00007FF719432C60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF719432D82

Strings

MZx, xrefs: 00007FF719432C7F, 00007FF719432D2A

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: MZx
API String ID: 190572456-2575928145
Opcode ID: d21820a490ad5c2dbee937205ab945630f75fb2f9bea8aaae3a1c006bf1c577d
Instruction ID: e8a9f8ef04d6a38eafcc92a4cacd62f2cf240933121c2fd8e9e2001ed5ab32eb
Opcode Fuzzy Hash: d21820a490ad5c2dbee937205ab945630f75fb2f9bea8aaae3a1c006bf1c577d
Instruction Fuzzy Hash: 3641F021B29E6281FE51AF66A800272F2B1BF14BF8F894535DD1D4B784DE3CE55AC360

Function 00007FF719421980 Relevance: 10.6, APIs: 7, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF719421987
GetLastError.KERNEL32 ref: 00007FF71942199C
HeapFree.KERNEL32 ref: 00007FF719421A03
HeapFree.KERNEL32 ref: 00007FF719421A15
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF719421089), ref: 00007FF719421A2D
DuplicateHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF719421089), ref: 00007FF719421A59
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF719421089), ref: 00007FF719421A6C

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFreeHandleHeapLast$CurrentDuplicateProcess
String ID:
API String ID: 443199557-0
Opcode ID: adcd85294e83936fd1ce9d3c7476648fae6c027e1a692116ccee4f7a6100d974
Instruction ID: 598f5fc2b946524034f900aeb842d8d1d4b93384a27c72b66f52f44cbbf5a80d
Opcode Fuzzy Hash: adcd85294e83936fd1ce9d3c7476648fae6c027e1a692116ccee4f7a6100d974
Instruction Fuzzy Hash: E6219365A0CA4141FB50AF22A40437BA2B1BF5CBF8F984235DD5E43798DE3CD49AC361

Function 00007FF719423DF0 Relevance: 10.2, APIs: 8, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF719423E52
HeapFree.KERNEL32 ref: 00007FF719423E76
HeapFree.KERNEL32 ref: 00007FF719423EAB
HeapFree.KERNEL32 ref: 00007FF719423F02
HeapFree.KERNEL32 ref: 00007FF719423F46
HeapFree.KERNEL32 ref: 00007FF719423F8A
HeapFree.KERNEL32 ref: 00007FF719423FCE

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8e22c6d8da65e10ca2e6105041303d10067d9b0bd163b4e422512d9cf6127bd5
Instruction ID: cb366257b571bd75bd9650c2f5a92ab257396a330424d8970181e602b8f6e518
Opcode Fuzzy Hash: 8e22c6d8da65e10ca2e6105041303d10067d9b0bd163b4e422512d9cf6127bd5
Instruction Fuzzy Hash: A7613065A09E4180EA55EF16B9447BAA3B1FB45FBCF894536CE1C07394CF38D4AAC321

Function 00007FF719414AE0 Relevance: 9.2, APIs: 6, Instructions: 235memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00007FFB2B315570,00000000,?,00000000), ref: 00007FF719414B66
WriteConsoleW.KERNEL32(?,00000000), ref: 00007FF719414BA5
GetLastError.KERNEL32 ref: 00007FF719414BBF
WriteConsoleW.KERNEL32 ref: 00007FF719414C2B
GetLastError.KERNEL32 ref: 00007FF719414C35
HeapFree.KERNEL32 ref: 00007FF719414E04

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleErrorLastWrite$ByteCharFreeHeapMultiWide
String ID:
API String ID: 271091963-0
Opcode ID: 429d2fe4f8fc218a77b38f4bcedadf7481245324a3c5be18c175e49f5f940461
Instruction ID: 5fa86d927dd2a9ea7149b90be06743c98fba8435a2561f55b0327a75766e2d38
Opcode Fuzzy Hash: 429d2fe4f8fc218a77b38f4bcedadf7481245324a3c5be18c175e49f5f940461
Instruction Fuzzy Hash: 87A1D076A08E4181E7549F15E45437AA3B0EB98B68FA48231DE8E433D4DF3CE4AAC310

Function 00007FF71942B796 Relevance: 9.2, APIs: 6, Instructions: 156COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32 ref: 00007FF71942B7B1
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC37
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF71942BC68
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC82

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDataErrorInfoSafe$AccessUnaccess
String ID:
API String ID: 1451478150-0
Opcode ID: e9d297c6be2ede8681503d80009022dad66925c03d1df27faf81eb65b374f2c5
Instruction ID: f99edfcb2a7e43e14a4f5607618903a6ea1da663cdb9790d1f79f612468c56ea
Opcode Fuzzy Hash: e9d297c6be2ede8681503d80009022dad66925c03d1df27faf81eb65b374f2c5
Instruction Fuzzy Hash: AD51B172A18E8181EB14AF11E4547BEA7B0FB557A8F84853ADE5E47780DF7CD05AC320

Function 00007FF719430688 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7194306A8
GetProcAddress.KERNEL32 ref: 00007FF7194306BE
FreeLibrary.KERNEL32 ref: 00007FF7194306E3

Strings

mscoree.dll, xrefs: 00007FF71943069F
CorExitProcess, xrefs: 00007FF7194306B7

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8ad75c9b2001095171fbc87dbc4ba10c95cbb3bbe63332794da30d7c3c5a1d91
Instruction ID: 7870c9813446732ffaa08acb72a04bd6e159d9d047fff5ae63a7e94121d82f56
Opcode Fuzzy Hash: 8ad75c9b2001095171fbc87dbc4ba10c95cbb3bbe63332794da30d7c3c5a1d91
Instruction Fuzzy Hash: 7AF0A465B18E4282EF84AF61F45037AA3B0EF98BA8F885035DD4F06658DE3CD45EC720

Function 00007FF719438134 Relevance: 7.8, APIs: 5, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a135943541c8766e215c940362d333d62093623cb3c270acde4c0a8d731f3e9
Instruction ID: ea913f14cf6053ec228d48e2185b9266140ba9f8222eac21d9992e445a1fc6b6
Opcode Fuzzy Hash: 2a135943541c8766e215c940362d333d62093623cb3c270acde4c0a8d731f3e9
Instruction Fuzzy Hash: 51A1C462A08B6245FB71AF71941037AE6A1AF507F8F844631DE6D067C5DF3CD62AC321

Function 00007FF7194376B0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7194376F5

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3f84e64e143d9820fc32c732a1f48943f3932278dabc228925a7de9aac275e89
Instruction ID: 50de0c9d8273aeedd729f01b40c16137e2ce3bc7ecfb20eade73dfc4dbbec15b
Opcode Fuzzy Hash: 3f84e64e143d9820fc32c732a1f48943f3932278dabc228925a7de9aac275e89
Instruction Fuzzy Hash: 2581C136E18A2255F754EF7588406BEA6B1AF45BBCF804235CD4E52791DE38A52BC320

Function 00007FF719437994 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF719437857), ref: 00007FF7194379F1
WideCharToMultiByte.KERNEL32 ref: 00007FF719437ACD
WriteFile.KERNEL32 ref: 00007FF719437AF3
WriteFile.KERNEL32 ref: 00007FF719437B32
GetLastError.KERNEL32 ref: 00007FF719437B6A

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 719cbbc18990bedbb18da9ed8cab8098de0ad74b27520897d8bcb39dd9f2865c
Instruction ID: fae1e8dd494585ebb4a1574b5cdf9ed3dc634c1efa77d229a12f5b032fafd5b7
Opcode Fuzzy Hash: 719cbbc18990bedbb18da9ed8cab8098de0ad74b27520897d8bcb39dd9f2865c
Instruction Fuzzy Hash: EA51A036A14A6185E710DF75D4443AEBBB0FB457ACF848135CE8A47B98DF38D26AC720

Function 00007FF719411AED Relevance: 7.6, APIs: 6, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF719411BC5
HeapFree.KERNEL32 ref: 00007FF719411BD7
HeapFree.KERNEL32 ref: 00007FF719411CA8
HeapFree.KERNEL32 ref: 00007FF719411CBA
HeapFree.KERNEL32 ref: 00007FF719411D1A
HeapFree.KERNEL32 ref: 00007FF719411D2C

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a5c8f169a7d2f0cbf1286d3dd229f6c211e02dd5ad703b26aa0e0baae3315f32
Instruction ID: 58ba966ec814e57f0069e7ddc13a4f32384d719e48bda92a2e7353dd88297756
Opcode Fuzzy Hash: a5c8f169a7d2f0cbf1286d3dd229f6c211e02dd5ad703b26aa0e0baae3315f32
Instruction Fuzzy Hash: CF511F25A08E4280F664EF06E44437AA3B1FB897A8F944035CE4D477A5DF3CE4AAC321

Function 00007FF71941BAA9 Relevance: 7.6, APIs: 5, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF71941BB0E
SetLastError.KERNEL32 ref: 00007FF71941BBDB
GetSystemDirectoryW.KERNEL32 ref: 00007FF71941BBE7
GetLastError.KERNEL32 ref: 00007FF71941BBF3
GetLastError.KERNEL32 ref: 00007FF71941BC0C

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$DirectoryFreeHeapSystem
String ID:
API String ID: 696374338-0
Opcode ID: 97ec37e43301fee58b96359254ef66bed1fdc19a103305fd7a7aedbeba9cf76e
Instruction ID: 9a1fa27aece7b06d3cb158a5b6a03d909ded743f3f0ca9a20c9601b71e93bc32
Opcode Fuzzy Hash: 97ec37e43301fee58b96359254ef66bed1fdc19a103305fd7a7aedbeba9cf76e
Instruction Fuzzy Hash: F831B425A08E92C1F7746F25945437BA2A0BB14778FA44235DD5E83ACCDE6CF49AC360

Function 00007FF719439098 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7194390BF
_set_statfp.LIBCMT ref: 00007FF7194390DA
_set_statfp.LIBCMT ref: 00007FF7194390F6
_set_statfp.LIBCMT ref: 00007FF719439132

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: acc3ac3db6f420b8ce4dd437937ea7c4908a5afd762a9fd16bbaf05600465055
Instruction ID: 6b0d78d9c2d60c4b6c4ac918820dd129b8a14422e1b85f11f2d940e8b1264ff8
Opcode Fuzzy Hash: acc3ac3db6f420b8ce4dd437937ea7c4908a5afd762a9fd16bbaf05600465055
Instruction Fuzzy Hash: 3911B13AE18E2385FA2C3934D44937791316F403F8F844730EEA9161D68E1C566BC160

Function 00007FF71942B803 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32 ref: 00007FF71942B81E
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC37
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF71942BC68
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC82

Part of subcall function 00007FF71942C490: SysStringLen.OLEAUT32 ref: 00007FF71942C4CE
Part of subcall function 00007FF71942C490: SysStringLen.OLEAUT32 ref: 00007FF71942C4E1

Strings

, xrefs: 00007FF71942BD7D

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDataErrorInfoSafeString$AccessUnaccess
String ID:
API String ID: 1557863903-3916222277
Opcode ID: c88dc68ecb0d1db77c17268bc4056e443a85f1a48cc954189e8b7b691a010998
Instruction ID: 921dc66ae6848e4568175d1dbee885b31160123061b2d74424ad438850b6a1f0
Opcode Fuzzy Hash: c88dc68ecb0d1db77c17268bc4056e443a85f1a48cc954189e8b7b691a010998
Instruction Fuzzy Hash: C2613A2291CBC182E6719F25B1403ABE3A0FB95758F849125DFCD02A96DF7CE19ACB50

Function 00007FF719437DC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF719437EA6
WriteFile.KERNEL32 ref: 00007FF719437ED9
GetLastError.KERNEL32 ref: 00007FF719437EFB

Strings

U, xrefs: 00007FF719437E84

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: 3f509cf637140e699c61dbaf545df12fbaaa146e68ca4ec2491fd70597743d5f
Instruction ID: 3dc90fe2240e3ac1f617c886b4fc54c29cd2cd600a68ed141e51931ac6145a7a
Opcode Fuzzy Hash: 3f509cf637140e699c61dbaf545df12fbaaa146e68ca4ec2491fd70597743d5f
Instruction Fuzzy Hash: 4441C332A19A5182E760DF25E4053BAA7B0FB88BE8F804031EE8D87748DF3CD516CB50

Function 00007FF719415170 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

kernel32, xrefs: 00007FF7194152DC
SetThreadDescription, xrefs: 00007FF7194152EE

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorHandleLast
String ID: SetThreadDescription$kernel32
API String ID: 2586478127-1950310818
Opcode ID: fe4288b309e7fbef6374d59babafb229089f34dae923ced2b4bd8aa037e8d8b2
Instruction ID: ccb4b87d1c4beb4bee756be3243e76ef68d2369d6110c5a8c45c35acd9baf10d
Opcode Fuzzy Hash: fe4288b309e7fbef6374d59babafb229089f34dae923ced2b4bd8aa037e8d8b2
Instruction Fuzzy Hash: E421D692F19E4690FA49AF426D400F6D2715F04BF9EE88432DC0C07B94DE3CB46BC2A0

Function 00007FF7193FCFD3 Relevance: 6.4, APIs: 5, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF7193FCFFE
CloseHandle.KERNEL32 ref: 00007FF7193FD052
CloseHandle.KERNEL32 ref: 00007FF7193FD071
CloseHandle.KERNEL32 ref: 00007FF7193FD090

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: 604f775c468aad3ba7f75e8f03208f459edf5ce20fd1715933c3dabe9cb9bfcd
Instruction ID: 227bcd74fcc73b0dd38a2e7e84e66ca44c2b2dc1de40c91ac58c0eec384b1d2e
Opcode Fuzzy Hash: 604f775c468aad3ba7f75e8f03208f459edf5ce20fd1715933c3dabe9cb9bfcd
Instruction Fuzzy Hash: 08419625A09E8241EDA5AF05944C379A2B0EF85BB8FC4023ACD3D57794EF2DE44BC352

Function 00007FF7194143F0 Relevance: 6.2, APIs: 4, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71941477D
HeapFree.KERNEL32 ref: 00007FF7194147DB
HeapFree.KERNEL32 ref: 00007FF7194147ED

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$AddressSingleWake
String ID:
API String ID: 2995119335-0
Opcode ID: a5fd3ce5d5b542c7f3c20d4e684b4362b03622c873eeb9bae6aa005b821eeca0
Instruction ID: 8f9d40ed12301f2747f2ff45346e62dea2e43d4947637cefd19095c266790f94
Opcode Fuzzy Hash: a5fd3ce5d5b542c7f3c20d4e684b4362b03622c873eeb9bae6aa005b821eeca0
Instruction Fuzzy Hash: F1917025A09D4281FA94AF15A944337E2B1AF15B7CFA80571CE5C563A0EF3CF46BC322

Function 00007FF71941BCC8 Relevance: 6.1, APIs: 4, Instructions: 128COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF71941BBDB
GetSystemDirectoryW.KERNEL32 ref: 00007FF71941BBE7
GetLastError.KERNEL32 ref: 00007FF71941BBF3
GetLastError.KERNEL32 ref: 00007FF71941BC0C

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$DirectorySystem
String ID:
API String ID: 860285823-0
Opcode ID: 65dabdab1f85738be084f83754e8e3568ba0fffc2f45c3433d723a0a8b2c8085
Instruction ID: e7a3ff4bd6a147a5de61d0e4df8fb1171ad0ef6cc63a331f12090b3ffc7f7175
Opcode Fuzzy Hash: 65dabdab1f85738be084f83754e8e3568ba0fffc2f45c3433d723a0a8b2c8085
Instruction Fuzzy Hash: 07516F22A08A91C1E770AF11A4543BBA6B1FB847B8F900235DD9D47BD9CF7CE46AC710

Function 00007FF71942B992 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32 ref: 00007FF71942B9AD
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC37
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF71942BC68
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC82

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDataErrorInfoSafe$AccessUnaccess
String ID:
API String ID: 1451478150-0
Opcode ID: b233418013cd02a2e4bc24f94a7350fad37d27bfd8ca7c7c33492e197b35e930
Instruction ID: 1f2b283d08b6281ea9db9397cc48846def4c4cddf424cdf55e8e351d06f42088
Opcode Fuzzy Hash: b233418013cd02a2e4bc24f94a7350fad37d27bfd8ca7c7c33492e197b35e930
Instruction Fuzzy Hash: D341D032A18E8186EB54DF26E05477EB7A0FB55768F848239CB4A07A80DF7CE059C720

Function 00007FF71943DC70 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71943DD75
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71943DE21
WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF71943DE3A
GetLastError.KERNEL32 ref: 00007FF71943DE42

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: Address$SingleWake$ErrorLastWait
String ID:
API String ID: 1609941449-0
Opcode ID: a4d5a98216b76fd1b6661c3ae7c93c22af50d8349565ab91706f02704ee29fa1
Instruction ID: 1dcc477e63b80fcb83e666663d62b097993009b4291a103fb4aa07ecabd5df82
Opcode Fuzzy Hash: a4d5a98216b76fd1b6661c3ae7c93c22af50d8349565ab91706f02704ee29fa1
Instruction Fuzzy Hash: 9151C22291CEC181F761EF25A90077AA7A0E7A5BACF449135DE8D07256CF3CE1DAC750

Function 00007FF71942BB46 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32 ref: 00007FF71942BB61
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC37
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF71942BC68
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC82

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDataErrorInfoSafe$AccessUnaccess
String ID:
API String ID: 1451478150-0
Opcode ID: 2712e1397dc9877b4be4a413f005525f4763aa971cca74807003f9150f7c70ba
Instruction ID: 9e5b64b4b14a9c0fd49b7fbe8f259d535315d0178dcb7dda24cc09bffe172707
Opcode Fuzzy Hash: 2712e1397dc9877b4be4a413f005525f4763aa971cca74807003f9150f7c70ba
Instruction Fuzzy Hash: 5841D272A18E8182EB549F21E4547BEA7A4FB157A8F848139CF9A47780DF7CD069C320

Function 00007FF71942BBB3 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32 ref: 00007FF71942BBCA
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC37
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF71942BC68
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC82

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDataErrorInfoSafe$AccessUnaccess
String ID:
API String ID: 1451478150-0
Opcode ID: 0469e7bf688aaa21385f130966428af5ec834611c1888b24aed53a0957f4474d
Instruction ID: 73e61e4ff34a63253da915a2f11e7cbe3fc1a2ba5313cfe10574f45f6a79b213
Opcode Fuzzy Hash: 0469e7bf688aaa21385f130966428af5ec834611c1888b24aed53a0957f4474d
Instruction Fuzzy Hash: 7F41D172A19A8186EB559F21E0547BEB7B0FB51768F848639CF5A07780DF7CE069C320

Function 00007FF71942BAD9 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32 ref: 00007FF71942BAF4
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC37
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF71942BC68
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC82

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDataErrorInfoSafe$AccessUnaccess
String ID:
API String ID: 1451478150-0
Opcode ID: 8eda1155e8629288c2daca216309719416c45d74798263c3a865e7b4483a2aa0
Instruction ID: 0b4a01b8439cb9efbb6ff8bf38e5234ecac65665c63e53879b52ca8f0d79bd04
Opcode Fuzzy Hash: 8eda1155e8629288c2daca216309719416c45d74798263c3a865e7b4483a2aa0
Instruction Fuzzy Hash: 2241C062A18E8182EB559F61E05477FA7B4FF15768F808179CB5A47680DF7CD06AC320

Function 00007FF71942B925 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32 ref: 00007FF71942B940
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC37
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF71942BC68
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC82

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDataErrorInfoSafe$AccessUnaccess
String ID:
API String ID: 1451478150-0
Opcode ID: 6ca9d58d07348689f3375048a7a0c446f2e361dddb571042583b13a1b492846a
Instruction ID: 59a466865994451c70c90abfb615d21ba20460383a380fe8118e3c4f0a4c159a
Opcode Fuzzy Hash: 6ca9d58d07348689f3375048a7a0c446f2e361dddb571042583b13a1b492846a
Instruction Fuzzy Hash: 4541D672A28E8182EB55DF25E05437EA7B0FF56768F808239DB5A17680DF7CD099C320

Function 00007FF71942B9FF Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32 ref: 00007FF71942BA1A
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC37
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF71942BC68
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC82

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDataErrorInfoSafe$AccessUnaccess
String ID:
API String ID: 1451478150-0
Opcode ID: 77a66249446af70903ebf470f482a297c23eb81fc97dbb67ba6592974c30eea5
Instruction ID: 9f302682ac4b9f7c5792eaec795792f5fccd1f41c8911e1e15d8c69dadc74928
Opcode Fuzzy Hash: 77a66249446af70903ebf470f482a297c23eb81fc97dbb67ba6592974c30eea5
Instruction Fuzzy Hash: 2741BD72A19E8186EB549F21E05437EB7A0FB557A8F848239CF5A07780DF7CE059C760

Function 00007FF71942B729 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32 ref: 00007FF71942B744
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC37
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF71942BC68
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC82

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDataErrorInfoSafe$AccessUnaccess
String ID:
API String ID: 1451478150-0
Opcode ID: 7768938dae23807fd30a69f7977739c6a21227e38bdead711a7cecf92f3f4624
Instruction ID: 9180b5ea4312f772a93b5a804d582340534bb7a0f1bb280b8da0b42b3f9b8a3a
Opcode Fuzzy Hash: 7768938dae23807fd30a69f7977739c6a21227e38bdead711a7cecf92f3f4624
Instruction Fuzzy Hash: 6B41D0A2A19E8182EB559F61E05477EA3B0FF15768F808139CB4A47AC0EF7CD069C320

Function 00007FF71942BA6C Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32 ref: 00007FF71942BA87
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC37
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF71942BC68
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC82

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDataErrorInfoSafe$AccessUnaccess
String ID:
API String ID: 1451478150-0
Opcode ID: 9e0d51dcfc0545f2b543adc0b166927530af7f31deb9a641adf30ad7243433b8
Instruction ID: 98ba99584ea333f67e71642c2dac659d88de7370b57a3004f3b534faba39890a
Opcode Fuzzy Hash: 9e0d51dcfc0545f2b543adc0b166927530af7f31deb9a641adf30ad7243433b8
Instruction Fuzzy Hash: 5541F362A1DBC086EB559F21A45437EABA4FB12368F848179CF8A077C1DF7CD069C320

Function 00007FF71942B8B8 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32 ref: 00007FF71942B8D3
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC37
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF71942BC68
GetErrorInfo.OLEAUT32 ref: 00007FF71942BC82

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDataErrorInfoSafe$AccessUnaccess
String ID:
API String ID: 1451478150-0
Opcode ID: 85ec932f659e36c967b55d6ed7fb15e434c223552750cfdc22291edf26fa4d94
Instruction ID: 682fe0cd9dbca64a2e39c1483047f1acde9565af024d2ab9d7e14d197b8ef573
Opcode Fuzzy Hash: 85ec932f659e36c967b55d6ed7fb15e434c223552750cfdc22291edf26fa4d94
Instruction Fuzzy Hash: B641F662A1DAC085EB559F21A45437EABB4FB11768F848179CF8A077C1DF7CD059C320

Function 00007FF719435268 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF71943122B,?,?,?,00007FF71942EDF7), ref: 00007FF719435281
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF71943122B,?,?,?,00007FF71942EDF7), ref: 00007FF7194352E3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF71943122B,?,?,?,00007FF71942EDF7), ref: 00007FF71943531D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF71943122B,?,?,?,00007FF71942EDF7), ref: 00007FF719435347

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 96906dac914c5d79378c785f57b2a5b4198e1e8d794d649651befd41343bc211
Instruction ID: b1051381656317ca4f1d721f9a72d2f3d731141e24aa27c075d8ffa6012fd0c9
Opcode Fuzzy Hash: 96906dac914c5d79378c785f57b2a5b4198e1e8d794d649651befd41343bc211
Instruction Fuzzy Hash: B5216F21F08F6181E664AF22A40002EF6B5BF54BE4B884134DE8E63B98DF7CE567C750

Function 00007FF719422910 Relevance: 6.1, APIs: 4, Instructions: 59memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71941604A: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF719416493

HeapFree.KERNEL32 ref: 00007FF71942299C
GetCurrentThread.KERNEL32 ref: 00007FF7194229A4
SetThreadDescription.KERNELBASE ref: 00007FF7194229B7
HeapFree.KERNEL32 ref: 00007FF7194229CB

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap$Thread$CurrentDescription
String ID:
API String ID: 930939367-0
Opcode ID: 5ba36cb3acf3c7e7d388377a9c96a1f8eeb0506e609df2f50faaf38a376364be
Instruction ID: 3dceb298c0cabaeff0b444898d79bce20a09bdeb2dbdb4242261eb8e999cf68c
Opcode Fuzzy Hash: 5ba36cb3acf3c7e7d388377a9c96a1f8eeb0506e609df2f50faaf38a376364be
Instruction Fuzzy Hash: 1D21712570CE4540EA54AF16A5042BBA3B1FB89BE8F844132DE4D43754DE3CE09AC751

Function 00007FF719432F40 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF71943233D,?,?,?,?,?,?,?,00007FF719431CE9), ref: 00007FF719432F4A
SetLastError.KERNEL32(?,?,?,00007FF71943233D,?,?,?,?,?,?,?,00007FF719431CE9), ref: 00007FF719432FB2
SetLastError.KERNEL32(?,?,?,00007FF71943233D,?,?,?,?,?,?,?,00007FF719431CE9), ref: 00007FF719432FC8
abort.LIBCMT ref: 00007FF719432FCE

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: 8c4c7ae263a411009b50842c4ae19e061d9cdaf03a431022a05234066bb798d6
Instruction ID: c1d1f3499e21f964f054a3988999d75ce2c2d493d6f3175d246784b1a35d0afa
Opcode Fuzzy Hash: 8c4c7ae263a411009b50842c4ae19e061d9cdaf03a431022a05234066bb798d6
Instruction Fuzzy Hash: 91017914B08E6342FA587F30911513AA1B15F687F8F940538EC0E027C6ED2CE66BC220

Function 00007FF719430978 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7194309A2
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF71942EDB5), ref: 00007FF7194309C3

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe, xrefs: 00007FF7194309B1

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe
API String ID: 3307058713-2976275561
Opcode ID: 2cb6af66799282c28b3ae81ca4b1448fa77e54f869e87fb80d816531250c722b
Instruction ID: 542f02989390a99e7e37d9a5c37944e421b806c456ac50435ee4baef44681f66
Opcode Fuzzy Hash: 2cb6af66799282c28b3ae81ca4b1448fa77e54f869e87fb80d816531250c722b
Instruction Fuzzy Hash: FF416E36A18E2285F714BF35A4400BAA7B4EF54BE8BD44235ED4E47B45DE3CE56AC320

Function 00007FF71940C8F0 Relevance: 5.2, APIs: 4, Instructions: 199memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF71940C93D
HeapFree.KERNEL32 ref: 00007FF71940CA61
HeapFree.KERNEL32 ref: 00007FF71940CB05
HeapFree.KERNEL32 ref: 00007FF71940CB2D

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2413cbd768be31ab29fc4464c6f2fc475fc70107517709abfdd608485f533fcb
Instruction ID: ad4551450c823d3bc9d2d1ae8212c71ef922498941ec55ed4e43425f129275f6
Opcode Fuzzy Hash: 2413cbd768be31ab29fc4464c6f2fc475fc70107517709abfdd608485f533fcb
Instruction Fuzzy Hash: 9081A322A19F8181E6519B1994043FAA370BB457B9F898331DEBC167D1DF39D49BC350

Function 00007FF719427630 Relevance: 5.1, APIs: 4, Instructions: 133memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF71942768C
HeapFree.KERNEL32 ref: 00007FF7194276F6
HeapFree.KERNEL32 ref: 00007FF71942772C
HeapFree.KERNEL32 ref: 00007FF719427796

Memory Dump Source

Source File: 00000000.00000002.1823456841.00007FF7193F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7193F0000, based on PE: true

Associated: 00000000.00000002.1823436966.00007FF7193F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823504103.00007FF71943F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823584926.00007FF7194D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823610690.00007FF7194DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1823636795.00007FF7194DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7193f0000_SecuriteInfo.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: bbd5740b09c0ea2fd7747fcd1db78b812c2b2e1f8e1f08b3e7dc715fb1686647
Instruction ID: 9eaf5d5750052c9164c7fa26349f08782593588e8ba1ec6bbdf2de92ecbe121f
Opcode Fuzzy Hash: bbd5740b09c0ea2fd7747fcd1db78b812c2b2e1f8e1f08b3e7dc715fb1686647
Instruction Fuzzy Hash: 91414126605E4181E665DF12B5407ABA3B1FB98BA8F884435CF9D43750DF3CF4A6C220

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exePID: 3736, Parent PID: 4056

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exePID: 3736, Parent PID: 4056COMMON

Execution Graph

Graph

Executed Functions

Function 00007FF719427CE5 Relevance: 84.8, APIs: 47, Strings: 1, Instructions: 795memorytimenativeCOMMON

Function 00007FF7193F6FBF Relevance: 79.2, APIs: 35, Strings: 9, Instructions: 2187memoryCOMMON

Windows Analysis Report
SecuriteInfo.com.Win64.PWSX-gen.2890.22012.exe

Function 00007FF7193F4790 Relevance: 31.9, APIs: 21, Instructions: 355
memoryCOMMON

Function 00007FF719428391 Relevance: 21.4, APIs: 14, Instructions: 373
memoryCOMMON

Function 00007FF7193F2760 Relevance: 14.8, APIs: 6, Strings: 2, Instructions: 757
memoryCOMMON

Function 00007FF7193F9368 Relevance: 14.7, APIs: 6, Strings: 2, Instructions: 660
memoryCOMMON

Function 00007FF719424740 Relevance: 12.4, APIs: 8, Instructions: 401
memorytimeCOMMON

Function 00007FF719429EB0 Relevance: 11.0, APIs: 7, Instructions: 455
COMMON

Function 00007FF7194240F5 Relevance: 10.9, APIs: 7, Instructions: 356
memoryCOMMON

Function 00007FF71942B510 Relevance: 10.6, APIs: 7, Instructions: 125
comCOMMON

Function 00007FF719429620 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
memorynativeCOMMON

Function 00007FF71943B3D0 Relevance: 9.4, APIs: 6, Instructions: 441
COMMON

Function 00007FF7193F1C9D Relevance: 15.2, APIs: 10, Instructions: 193
COMMON

Function 00007FF719410F60 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 294
memoryCOMMON

Function 00007FF7194292F0 Relevance: 9.1, APIs: 6, Instructions: 73
COMMON

Function 00007FF71942A743 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 157
COMMON

Function 00007FF7193FD450 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67
threadCOMMON