Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Analysis ID:	1431466
MD5:	dda215e4c93c5bcd1626d798a9114052
SHA1:	686205c045db9236cb7a76cc48a4759f3a775bed
SHA256:	786c781885708a2dd6f66a997cda19fa13f06542a1c5f35c50619494d45d2cb9
Tags:	exe
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample is not signed and drops a device driver

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to load drivers

Contains functionality to modify clipboard data

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Creates or modifies windows services

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables driver privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Spawns drivers

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe (PID: 2444 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe" MD5: DDA215E4C93C5BCD1626D798A9114052)

conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bugado.exe (PID: 5060 cmdline: "C:\Windows\SoftwareDistribution\Download\bugado.exe" C:\Windows\SoftwareDistribution\Download\bugado.sys MD5: 34CFBE3FF70461820CCC31A1AFEEC0B3)

conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5372 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	ReversingLabs: Detection: 62%
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Virustotal: Detection: 67%			Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	ReversingLabs: Detection: 39%
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Virustotal: Detection: 48%			Perma Link

Machine Learning detection for dropped file

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\ESP Valorant C++\Cheat Valorant ESP - Private Store\x64\Release\YARREAK PROJE.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source:	Binary string: D:\XD\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb11 source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr
Source:	Binary string: eD:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\ESP Valorant C++\Cheat Valorant ESP - Private Store\x64\Release\YARREAK PROJE.pdb3,,GCTL source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source:	Binary string: C:\Users\textx\source\repos\democ_free\kernelmod\x64\Release\drv.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.sys.0.dr
Source:	Binary string: D:\XD\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr
Source:	Binary string: PwC:\Users\textx\source\repos\democ_free\kernelmod\x64\Release\drv.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.sys.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: bugado.exe, 00000003.00000002.2096634574.0000013A43F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.veH
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Code function: 0_2_00007FF725803F10 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF725803F10

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Code function: 0_2_00007FF725803F10 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF725803F10

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Code function: 0_2_00007FF725803CC0 free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,malloc,memmove,free,GlobalUnlock,CloseClipboard,

0_2_00007FF725803CC0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Code function: 0_2_00007FF7258340A0 SleepEx,SleepEx,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,GetAsyncKeyState,AllocConsole,FindWindowA,ShowWindow,MessageBoxA,Sleep,

0_2_00007FF7258340A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Code function: 0_2_00007FF725832D90 GetClientRect,QueryPerformanceCounter,GetKeyState,GetKeyState,GetKeyState,ClientToScreen,SetCursorPos,GetActiveWindow,GetCursorPos,ScreenToClient,GetAsyncKeyState,

0_2_00007FF725832D90

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Code function: 3_2_00007FF61758D520 RegCreateKeyW,RegSetKeyValueW,RegCloseKey,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,RegSetKeyValueW,RegCloseKey,RegCloseKey,GetModuleHandleA,GetProcAddress,GetProcAddress,RtlAdjustPrivilege,RtlInitUnicodeString,NtLoadDriver,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	3_2_00007FF61758D520
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Code function: 3_2_00007FF617582A90 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,memset,DeviceIoControl,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree,	3_2_00007FF617582A90
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Code function: 3_2_00007FF61758DF00 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn,	3_2_00007FF61758DF00

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Code function: 0_2_00007FF725834EC0: DeviceIoControl,

0_2_00007FF725834EC0

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe

Code function: 3_2_00007FF61758D520 RegCreateKeyW,RegSetKeyValueW,RegCloseKey,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,RegSetKeyValueW,RegCloseKey,RegCloseKey,GetModuleHandleA,GetProcAddress,GetProcAddress,RtlAdjustPrivilege,RtlInitUnicodeString,NtLoadDriver,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

3_2_00007FF61758D520

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

File created: C:\Windows\SoftwareDistribution\Download\bugado.sys

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File created: C:\Windows\SoftwareDistribution\Download\bugado.sys			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File created: C:\Windows\SoftwareDistribution\Download\bugado.exe			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF7258016C0	0_2_00007FF7258016C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF7258202E0	0_2_00007FF7258202E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF7258082E0	0_2_00007FF7258082E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF72580AAE0	0_2_00007FF72580AAE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF72580EA30	0_2_00007FF72580EA30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725811650	0_2_00007FF725811650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF72582CA40	0_2_00007FF72582CA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF72580B660	0_2_00007FF72580B660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725828DB0	0_2_00007FF725828DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF7257FF1D0	0_2_00007FF7257FF1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725826210	0_2_00007FF725826210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF7257FC615	0_2_00007FF7257FC615
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725807210	0_2_00007FF725807210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725818120	0_2_00007FF725818120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF7257F2D70	0_2_00007FF7257F2D70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725824160	0_2_00007FF725824160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725809D60	0_2_00007FF725809D60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725832D90	0_2_00007FF725832D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF72580A580	0_2_00007FF72580A580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF7258174D0	0_2_00007FF7258174D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF72580B8F0	0_2_00007FF72580B8F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725836050	0_2_00007FF725836050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725801C50	0_2_00007FF725801C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725812870	0_2_00007FF725812870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF7258283E0	0_2_00007FF7258283E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725827B30	0_2_00007FF725827B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725809730	0_2_00007FF725809730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725818F20	0_2_00007FF725818F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF72580DB50	0_2_00007FF72580DB50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725814B50	0_2_00007FF725814B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725805B50	0_2_00007FF725805B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725813340	0_2_00007FF725813340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF72581CB70	0_2_00007FF72581CB70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725827F60	0_2_00007FF725827F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725821760	0_2_00007FF725821760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF72580BB80	0_2_00007FF72580BB80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF72580BF80	0_2_00007FF72580BF80
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Code function: 3_2_00007FF617581780	3_2_00007FF617581780
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Code function: 3_2_00007FF617582A90	3_2_00007FF617582A90

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh 4429F32DB1CC70567919D7D47B844A91CF1329A6CD116F582305F3B7B60CD60B

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe

Code function: String function: 00007FF617585EE0 appears 80 times

Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000002.4517630062.0000023F9BA64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000003.2394822838.0000023F9BA54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000003.2394565534.0000023F9BA54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000000.2074111889.00007FF7258AD000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000003.2394918831.0000023F9BA63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000003.2394884952.0000023F9BA5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe

Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\uKPwkwKUWlbmzgNfgIh

Jump to behavior

Source: bugado.exe.0.dr	Binary string: Unknown exceptionbad array new lengthstring too longbad cast\\\.\Nal[-] \Device\Nal is already in use.[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver iqvw64e.sysntoskrnl.exe[-] Failed to get ntoskrnl.exe[-] Failed to ClearPiDDBCacheTable[-] Failed to ClearKernelHashBucketList[!] Failed to ClearMmUnloadedDrivers[<] Unloading vulnerable driver[!] Error dumping shit inside the disk[+] Vul driver data destroyed before unlink[-] Failed to translate virtual address 0x[-] Failed to map IO space of 0x[!] Failed to unmap IO space of physical address 0xMmAllocatePagesForMdl[!] Failed to find MmAlocatePagesForMdlMmMapLockedPagesSpecifyCache[!] Failed to find MmMapLockedPagesSpecifyCacheMmProtectMdlSystemAddress[!] Failed to find MmProtectMdlSystemAddressMmUnmapLockedPages[!] Failed to find MmUnmapLockedPagesMmFreePagesFromMdl[!] Failed to find MmFreePagesFromMdlExAllocatePoolWithTag[!] Failed to find ExAllocatePoolExFreePool[!] Failed to find device_object[!] Failed to find driver_object[!] Failed to find driver_section[!] Failed to find driver name[!] Failed to read driver name[!] Failed to write driver name length[+] MmUnloadedDrivers Cleaned: ExAcquireResourceExclusiveLite[!] Failed to find ExAcquireResourceExclusiveLiteExReleaseResourceLite[!] Failed to find ExReleaseResourceLiteRtlDeleteElementGenericTableAvl[!] Failed to find RtlDeleteElementGenericTableAvlRtlLookupElementGenericTableAvl[!] Failed to find RtlLookupElementGenericTableAvlxxxxxx????xxxxx????xxx????xxxxx????x????xx?x
Source: uKPwkwKUWlbmzgNfgIh.3.dr	Binary string: \Device\Nal
Source: bugado.sys.0.dr	Binary string: \Device\VGK_G091H

Source: classification engine

Classification label: mal72.evad.winEXE@7/5@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Code function: 0_2_00007FF72582A410 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,Process32NextW,CloseHandle,CloseHandle,

0_2_00007FF72582A410

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4548:120:WilError_03

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe

File created: C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh

Jump to behavior

Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	ReversingLabs: Detection: 39%
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Virustotal: Detection: 48%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Process created: C:\Windows\SoftwareDistribution\Download\bugado.exe "C:\Windows\SoftwareDistribution\Download\bugado.exe" C:\Windows\SoftwareDistribution\Download\bugado.sys
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Process created: C:\Windows\SoftwareDistribution\Download\bugado.exe "C:\Windows\SoftwareDistribution\Download\bugado.exe" C:\Windows\SoftwareDistribution\Download\bugado.sys	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\ESP Valorant C++\Cheat Valorant ESP - Private Store\x64\Release\YARREAK PROJE.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source:	Binary string: D:\XD\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb11 source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr
Source:	Binary string: eD:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\ESP Valorant C++\Cheat Valorant ESP - Private Store\x64\Release\YARREAK PROJE.pdb3,,GCTL source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source:	Binary string: C:\Users\textx\source\repos\democ_free\kernelmod\x64\Release\drv.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.sys.0.dr
Source:	Binary string: D:\XD\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr
Source:	Binary string: PwC:\Users\textx\source\repos\democ_free\kernelmod\x64\Release\drv.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.sys.0.dr

Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Executable created and started: C:\Windows\SoftwareDistribution\Download\bugado.exe

Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

File created: C:\Windows\SoftwareDistribution\Download\bugado.sys

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File created: C:\Windows\SoftwareDistribution\Download\bugado.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File created: C:\Windows\SoftwareDistribution\Download\bugado.sys	Jump to dropped file
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	File created: C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File created: C:\Windows\SoftwareDistribution\Download\bugado.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File created: C:\Windows\SoftwareDistribution\Download\bugado.sys			Jump to dropped file

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe

File created: C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh

Jump to dropped file

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uKPwkwKUWlbmzgNfgIh

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe

Code function: 3_2_00007FF617582A90 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,memset,DeviceIoControl,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree,

3_2_00007FF617582A90

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Dropped PE file which has not been started: C:\Windows\SoftwareDistribution\Download\bugado.sys			Jump to dropped file
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

API coverage: 1.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Code function: 0_2_00007FF725836D18 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF725836D18

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe

Code function: 3_2_00007FF61758EAC4 GetLastError,IsDebuggerPresent,OutputDebugStringW,

3_2_00007FF61758EAC4

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe

3_2_00007FF617582A90

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Code function: 0_2_00007FF725833B70 system,system,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,Sleep,exit,GetModuleHandleA,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapReAlloc,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,system,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,Sleep,exit,

0_2_00007FF725833B70

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725836EC0 SetUnhandledExceptionFilter,	0_2_00007FF725836EC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF7258371F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7258371F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Code function: 0_2_00007FF725836D18 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF725836D18
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Code function: 3_2_00007FF617589D10 SetUnhandledExceptionFilter,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,memcmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	3_2_00007FF617589D10
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Code function: 3_2_00007FF61758F884 SetUnhandledExceptionFilter,	3_2_00007FF61758F884
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Code function: 3_2_00007FF61758F6D8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF61758F6D8
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe	Code function: 3_2_00007FF61758F140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FF61758F140

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Process created: C:\Windows\SoftwareDistribution\Download\bugado.exe "C:\Windows\SoftwareDistribution\Download\bugado.exe" C:\Windows\SoftwareDistribution\Download\bugado.sys			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Code function: 0_2_00007FF725836F74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF725836F74

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	2 Windows Service	2 Windows Service	13 Masquerading	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 LSASS Driver	11 Process Injection	11 Process Injection	LSASS Memory	14 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	2 LSASS Driver	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	39%	ReversingLabs	Win64.Trojan.Doina
SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	49%	Virustotal		Browse
SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\SoftwareDistribution\Download\bugado.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh	0%	Virustotal		Browse
C:\Windows\SoftwareDistribution\Download\bugado.exe	62%	ReversingLabs	Win64.PUA.GameHack
C:\Windows\SoftwareDistribution\Download\bugado.exe	68%	Virustotal		Browse
C:\Windows\SoftwareDistribution\Download\bugado.sys	0%	ReversingLabs
C:\Windows\SoftwareDistribution\Download\bugado.sys	3%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.veH	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.thawte.com/ThawteTimestampingCA.crl0	SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr	false		high
http://ocsp.thawte.com0	SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr	false	URL Reputation: safe	unknown
http://ocsp.veH	bugado.exe, 00000003.00000002.2096634574.0000013A43F3C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431466
Start date and time:	2024-04-25 08:24:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@7/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 21 Number of non-executed functions: 147
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh	SecuriteInfo.com.Win64.TrojanX-gen.7904.11956.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.PWS.Siggen3.25256.942.20710.exe	Get hash	malicious	Exela Stealer, Xmrig	Browse
	ZO8e0mOW67.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.CrypterX-gen.7296.19136.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Trojan.Agent.3OT2P9.21817.2775.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Trojan.Agent.3OT2P9.21817.2775.exe	Get hash	malicious	Unknown	Browse
	6e.exe	Get hash	malicious	XWorm	Browse
	ShellExperienceHost.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Lazy.257709.2840.8582.exe	Get hash	malicious	Unknown	Browse
	client.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh

Download File

Process:	C:\Windows\SoftwareDistribution\Download\bugado.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34568
Entropy (8bit):	6.458050812199268
Encrypted:	false
SSDEEP:	384:gxdNvW7C8naMYCjizSO/YWwhtSgvNR0m1us7pfBMRKr+PLDRfvgXifBMRg6PWNTj:gHNwmJ/7UtSwR317uPPlvgXiu/6Tbf
MD5:	1898CEDA3247213C084F43637EF163B3
SHA1:	D04E5DB5B6C848A29732BFD52029001F23C3DA75
SHA-256:	4429F32DB1CC70567919D7D47B844A91CF1329A6CD116F582305F3B7B60CD60B
SHA-512:	84C3CCC657F83725B24A20F83B87577603F580993920CC42D6DA58648C6888D950FD19FBB8B404CE51A3EAB674066C5CEFE275763FBDB32E1AE1BA98097AB377
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Win64.TrojanX-gen.7904.11956.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PWS.Siggen3.25256.942.20710.exe, Detection: malicious, Browse Filename: ZO8e0mOW67.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.CrypterX-gen.7296.19136.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Trojan.Agent.3OT2P9.21817.2775.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Trojan.Agent.3OT2P9.21817.2775.exe, Detection: malicious, Browse Filename: 6e.exe, Detection: malicious, Browse Filename: ShellExperienceHost.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Lazy.257709.2840.8582.exe, Detection: malicious, Browse Filename: client.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G..............$..uy.....uy.....uy............uy.....Rich...................PE..d.....R.........."......P....\......"]......................................@].....*2......................................................."].<....0].......]......h..............Pa...............................................`..H............................text....F.......H.................. ..h.rdata.......`.......L..............@..H.data.....\..p.......T..............@....pdata........]......V..............@..HINIT......... ]......\.............. ....rsrc........0]......d..............@..B........................................................................................................................................................................................................................................................................................

C:\Windows\SoftwareDistribution\Download\bugado.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	137728
Entropy (8bit):	6.140567886686446
Encrypted:	false
SSDEEP:	3072:rOUDtpXnRNEvhxNyatnKl9rGmJTQSaMm5/6TYfEBjgQ:rOUDDXnRNEv7wEo9WlTfYjg
MD5:	34CFBE3FF70461820CCC31A1AFEEC0B3
SHA1:	5D32E91C039C9A6F723BA3C04C1179D02E6A0CE9
SHA-256:	6EBCC6896B243C761DA4FC28A26249B0C146AE17AFF7697C09BC447008E831DF
SHA-512:	1CA4661BE645E7E954D89C83F1FD126A5E936533052D4E330C9FACCB83BB5942D28265375CEE743E468B1625A0C1F10888E7957FE88C718E8501A86A78CDC06E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62% Antivirus: Virustotal, Detection: 68%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H.qE....................^.......^.......^...-...^...............................................Rich............PE..d...a..b.........."..........&......<..........@.............................`............`.....................................................@....@.......0...............P..........p.......................(...P...8............................................text............................... ..`.rdata..v...........................@..@.data........ ......................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................

C:\Windows\SoftwareDistribution\Download\bugado.sys

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.182795808297679
Encrypted:	false
SSDEEP:	96:UqxuHKt7sSeDUWtASg/SHWj7kxDPiNO+R0yV:UmuHKt7ZiUWtAlYcIPoI
MD5:	CC8345CC34491CB11C1E0167B87B97E1
SHA1:	0E80DA0B3E6131A65EE381F6920264AFDC9C9D3C
SHA-256:	0168C3E04491B63E71D1FE4B5882F255B7711050FD79C00F1E86D042BE0A221C
SHA-512:	B5C651433D7422BA4FFE559AAA0FAAE09B6BDCA123B77AEEE941574EBE2198C5D10C84EA3690F8D7884A99E561A8C180DE219FAD748D5EEDC362FEBD76D5D1FB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 3%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@V.w...w...w..../..w...w/..w....-..w....*..w..c.+..w..c.,..w..Rich.w..........PE..d.....e.........."............................@.............................p...........`A.................................................P..(............@...............`....... ..8............................ ............... ..x............................text............................... ..h.rdata..\.... ......................@..H.data...0....0......................@....pdata.......@......................@..HINIT.........P...................... ..b.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SoftwareDistribution\Download\bugado.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.887021118820729
Encrypted:	false
SSDEEP:	3:m4FkwF40XGA7cqQ9FUOdwyjes6v+pfh2DaG/dv4FBOBFRecWgFmWErXTMGGMFU2x:m4Gw4uX7cFXyHCYDaiv4FBK3WgFmDrXn
MD5:	7A676D29958CB647591BEE2046756C5B
SHA1:	45EFB36F106E4DF9E936CF0B7946C1AA09611FB6
SHA-256:	EB005EB16FD6683D017C1826A35FB865CD44A67F7624F2BB574D7514E6E47303
SHA-512:	51E0F1D28451AD23F6D99A2D8793B5D76DF8A523B0BE0AFD6CBC0DA42666A0A0801D40CDF8444730E7DDAED9A412C0F84E29E3BA5B3A8AEC814F3A1AB79FC83A
Malicious:	false
Reputation:	low
Preview:	[<] Loading vulnerable driver, Name: uKPwkwKUWlbmzgNfgIh..[+] NtLoadDriver Status 0xc0000001..[-] Failed to register and start service for the vulnerable driver..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.9333901239069
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
File size:	925'696 bytes
MD5:	dda215e4c93c5bcd1626d798a9114052
SHA1:	686205c045db9236cb7a76cc48a4759f3a775bed
SHA256:	786c781885708a2dd6f66a997cda19fa13f06542a1c5f35c50619494d45d2cb9
SHA512:	e92305408df77d52e506aa4b4a40f0dcb7c77cd54ba6201d98c210db6ec1df61dc4fd5193f6cbd59c1ce83f6da771c0f97facf976d99b79473148f32424c55ca
SSDEEP:	24576:qEI9/9HoYVM+ptl7ho60OegX7AoCnhIaXnMvQoT:K/9DPdf0ErvCnhI
TLSH:	5F15DF46B2E900E9EF77A1389455A707E6713C48072097CF23D584AA1FB3BE05EBE752
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}GV...V...V..._...D....W..P....W..t....W..\....W..R.......Y...V...a....T..Q....T..W....T..W...RichV...................PE..d..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140046b3c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66037DF6 [Wed Mar 27 02:01:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	571a41d92490b89061d9804d7222266a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FBE255D6244h
dec eax
add esp, 28h
jmp 00007FBE255D5C87h
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc ebp
xor ebx, ebx
inc esp
mov edx, edx
inc ecx
xor eax, 6C65746Eh
inc ecx
xor edx, 49656E69h
inc esp
mov ecx, ebx
mov esi, eax
xor ecx, ecx
inc ecx
lea eax, dword ptr [ebx+01h]
inc ebp
or edx, eax
cpuid
inc ecx
xor ecx, 756E6547h
mov dword ptr [esp], eax
inc ebp
or edx, ecx
mov dword ptr [esp+04h], ebx
mov edi, ecx
mov dword ptr [esp+08h], ecx
mov dword ptr [esp+0Ch], edx
jne 00007FBE255D5E6Dh
dec eax
or dword ptr [00076467h], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [0007644Fh], 00008000h
cmp eax, 000106C0h
je 00007FBE255D5E3Ah
cmp eax, 00020660h
je 00007FBE255D5E33h
cmp eax, 00020670h
je 00007FBE255D5E2Ch
add eax, FFFCF9B0h
cmp eax, 20h
jnbe 00007FBE255D5E36h
dec eax
mov ecx, 00010001h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
bt ecx, eax
jnc 00007FBE255D5E26h
inc esp
mov eax, dword ptr [0009A4E5h]
inc ecx
or eax, 01h
inc esp
mov dword ptr [0009A4DAh], eax
jmp 00007FBE255D5E19h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbae8c	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe5000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe2000	0x2d60	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe6000	0xe4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb47e0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb4880	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb46a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x49000	0x5f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x47123	0x47200	d36dd11f7417941ce412fc600f6cb7b9	False	0.5297740004393673	data	6.477224967043687	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x49000	0x73470	0x73600	9a6d9a1e61c59e849ab38d9cc04b31e0	False	0.7894624356717227	data	6.98058169062055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbd000	0x24e60	0x24200	d264e26b42e3ef881f70c53c4f01f8c4	False	0.44513678633217996	data	6.010620594232772	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xe2000	0x2d60	0x2e00	c0bee1d0700a23ea7be099d12d174f8a	False	0.4639945652173913	data	5.67495349291415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xe5000	0x1e8	0x200	4c46b148bb4aea911ab5b483ffbdedf6	False	0.5390625	data	4.766656762050388	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe6000	0xe4	0x200	98ee10e811a52ccadcb1e3ab68eb02f0	False	0.36328125	data	2.586338644996031	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xe5060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	QueryPerformanceFrequency, QueryPerformanceCounter, GetCurrentProcess, WriteFile, DeviceIoControl, CreateFileW, GetModuleHandleA, CreateToolhelp32Snapshot, Sleep, GetLastError, Process32NextW, Process32FirstW, HeapReAlloc, CloseHandle, CreateThread, HeapAlloc, GetWindowsDirectoryW, GetProcAddress, GetProcessHeap, GetModuleHandleW, lstrcmpiW, AllocConsole, IsDebuggerPresent, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GlobalUnlock, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, GlobalLock, GlobalFree, GetCurrentProcessId, GlobalAlloc, ReleaseSRWLockExclusive
USER32.dll	CloseClipboard, OpenClipboard, GetCursorPos, EmptyClipboard, GetClipboardData, SetCursorPos, ReleaseCapture, GetClientRect, SetCursor, SetClipboardData, LoadCursorW, ClientToScreen, GetCapture, GetActiveWindow, ScreenToClient, GetKeyState, UpdateWindow, RegisterClassExA, FindWindowA, PostQuitMessage, SetCapture, SetWindowLongW, GetWindowLongW, DefWindowProcW, GetWindow, GetWindowRect, DestroyWindow, SetWindowPos, CreateWindowExW, GetSystemMetrics, UnregisterClassW, ShowWindow, IsWindow, GetAsyncKeyState, DispatchMessageW, PeekMessageW, MessageBoxA, GetForegroundWindow, MoveWindow, SetLayeredWindowAttributes, TranslateMessage, LoadIconW
SHELL32.dll	ShellExecuteW
IMM32.dll	ImmReleaseContext, ImmSetCompositionWindow, ImmGetContext
MSVCP140.dll	?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exception@std@@YA_NXZ, ?_Random_device@std@@YAIXZ, ?_Xlength_error@std@@YAXPEBD@Z, _Query_perf_counter, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, _Query_perf_frequency
dwmapi.dll	DwmExtendFrameIntoClientArea
d3d9.dll	Direct3DCreate9Ex
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	memmove, memcmp, _CxxThrowException, memset, __C_specific_handler, __current_exception_context, __current_exception, __std_exception_copy, __std_exception_destroy, strstr, __std_terminate, memchr, memcpy
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsscanf, fread, __stdio_common_vsprintf, _wfopen, fwrite, _set_fmode, __stdio_common_vsprintf_s, fseek, fclose, fflush, __acrt_iob_func, ftell, __p__commode, __stdio_common_vfprintf
api-ms-win-crt-string-l1-1-0.dll	strncpy, isprint, strcmp
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-heap-l1-1-0.dll	free, malloc, _callnewh, _set_new_mode
api-ms-win-crt-convert-l1-1-0.dll	atof
api-ms-win-crt-runtime-l1-1-0.dll	_configure_narrow_argv, _invalid_parameter_noinfo_noreturn, _initialize_narrow_environment, _initialize_onexit_table, _initterm_e, terminate, _exit, _initterm, _get_initial_narrow_environment, _register_thread_local_exe_atexit_callback, system, _c_exit, _set_app_type, _seh_filter_exe, _cexit, __p___argv, _crt_atexit, exit, __p___argc, _register_onexit_function
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, asinf, sin, powf, pow, sinf, sqrtf, atan2f, fmodf, atanf, ceilf, floorf, cos, cosf, tanf
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	08:24:54
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe"
Imagebase:	0x7ff7257f0000
File size:	925'696 bytes
MD5 hash:	DDA215E4C93C5BCD1626D798A9114052
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	08:24:54
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	08:24:56
Start date:	25/04/2024
Path:	C:\Windows\SoftwareDistribution\Download\bugado.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SoftwareDistribution\Download\bugado.exe" C:\Windows\SoftwareDistribution\Download\bugado.sys
Imagebase:	0x7ff617580000
File size:	137'728 bytes
MD5 hash:	34CFBE3FF70461820CCC31A1AFEEC0B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 62%, ReversingLabs Detection: 68%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:24:56
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:24:56
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x7ff670020000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.1%
Total number of Nodes:	592
Total number of Limit Nodes:	13

Executed Functions

Function 00007FF7258340A0 Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 53
sleepkeyboardprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00007FF7258340BC

Part of subcall function 00007FF72582A360: CreateFileW.KERNELBASE ref: 00007FF72582A3E9

SleepEx.KERNEL32 ref: 00007FF7258340DE
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7258340EB
GetAsyncKeyState.USER32 ref: 00007FF725834110
AllocConsole.KERNEL32 ref: 00007FF72583411F
FindWindowA.USER32 ref: 00007FF72583412E
ShowWindow.USER32 ref: 00007FF725834140
MessageBoxA.USER32 ref: 00007FF725834171
Sleep.KERNEL32 ref: 00007FF72583417C

Strings

ConsoleWindowClass, xrefs: 00007FF725834127
VALORANT-Win64-Shipping.exe, xrefs: 00007FF725834146
BR: Se a overlay nao aparecer ou freezar.. Abra novamente o Valorant Plus para atualizar!, xrefs: 00007FF725834168
Open V4L0R4NT and Press F5 in Lobby.., xrefs: 00007FF7258340F1
cls, xrefs: 00007FF7258340E4
WARNING, xrefs: 00007FF725834161

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: Sleep$Window$AllocAsyncConsoleCreateFileFindMessageShowStatesystem
String ID: Open V4L0R4NT and Press F5 in Lobby..$BR: Se a overlay nao aparecer ou freezar.. Abra novamente o Valorant Plus para atualizar!$ConsoleWindowClass$VALORANT-Win64-Shipping.exe$WARNING$cls
API String ID: 3156907467-1264740257
Opcode ID: 851dd180a4fb86d398cec0d5cae248a78a59facbf0162c4da6377f3ed410247c
Instruction ID: 823aa617417c5601fd29501dec49eeb5e979ccf53e5fc864d1ba9fcfadeaf1d5
Opcode Fuzzy Hash: 851dd180a4fb86d398cec0d5cae248a78a59facbf0162c4da6377f3ed410247c
Instruction Fuzzy Hash: B621C520A08A43A2EA10BF61EC591B9A265FF94F04FC04076D94E431B1DFBCA565CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258340D2 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 38
sleepkeyboardprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7258340EB

Part of subcall function 00007FF725834A70: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834BEC
Part of subcall function 00007FF725834A70: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834BF3
Part of subcall function 00007FF725834A70: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834C00

GetAsyncKeyState.USER32 ref: 00007FF725834110
AllocConsole.KERNEL32 ref: 00007FF72583411F
FindWindowA.USER32 ref: 00007FF72583412E
ShowWindow.USER32 ref: 00007FF725834140
MessageBoxA.USER32 ref: 00007FF725834171
Sleep.KERNEL32 ref: 00007FF72583417C

Strings

ConsoleWindowClass, xrefs: 00007FF725834127
VALORANT-Win64-Shipping.exe, xrefs: 00007FF725834146
BR: Se a overlay nao aparecer ou freezar.. Abra novamente o Valorant Plus para atualizar!, xrefs: 00007FF725834168
Open V4L0R4NT and Press F5 in Lobby.., xrefs: 00007FF7258340F1
cls, xrefs: 00007FF7258340E4
WARNING, xrefs: 00007FF725834161

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@Window$?setstate@?$basic_ios@?uncaught_exception@std@@AllocAsyncConsoleFindMessageOsfx@?$basic_ostream@ShowSleepStatesystem
String ID: Open V4L0R4NT and Press F5 in Lobby..$BR: Se a overlay nao aparecer ou freezar.. Abra novamente o Valorant Plus para atualizar!$ConsoleWindowClass$VALORANT-Win64-Shipping.exe$WARNING$cls
API String ID: 3947835035-1264740257
Opcode ID: 0f2b5671dc612fe58e2e59567f21a5b4665937db13cad5d97fa41acf74cc0bbe
Instruction ID: 9bdfe08d32a0cc9ab0360f41e4064e83718d365b683c1f24662894508b3d4094
Opcode Fuzzy Hash: 0f2b5671dc612fe58e2e59567f21a5b4665937db13cad5d97fa41acf74cc0bbe
Instruction Fuzzy Hash: 69119224A08943A2FA14BF61EC591B8A261EF94F44FC14572D91E832B1DFBCE569CA30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258340D0 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 38
sleepkeyboardprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7258340EB

Part of subcall function 00007FF725834A70: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834BEC
Part of subcall function 00007FF725834A70: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834BF3
Part of subcall function 00007FF725834A70: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834C00

GetAsyncKeyState.USER32 ref: 00007FF725834110
AllocConsole.KERNEL32 ref: 00007FF72583411F
FindWindowA.USER32 ref: 00007FF72583412E
ShowWindow.USER32 ref: 00007FF725834140
MessageBoxA.USER32 ref: 00007FF725834171
Sleep.KERNEL32 ref: 00007FF72583417C

Strings

ConsoleWindowClass, xrefs: 00007FF725834127
VALORANT-Win64-Shipping.exe, xrefs: 00007FF725834146
BR: Se a overlay nao aparecer ou freezar.. Abra novamente o Valorant Plus para atualizar!, xrefs: 00007FF725834168
Open V4L0R4NT and Press F5 in Lobby.., xrefs: 00007FF7258340F1
cls, xrefs: 00007FF7258340E4
WARNING, xrefs: 00007FF725834161

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@Window$?setstate@?$basic_ios@?uncaught_exception@std@@AllocAsyncConsoleFindMessageOsfx@?$basic_ostream@ShowSleepStatesystem
String ID: Open V4L0R4NT and Press F5 in Lobby..$BR: Se a overlay nao aparecer ou freezar.. Abra novamente o Valorant Plus para atualizar!$ConsoleWindowClass$VALORANT-Win64-Shipping.exe$WARNING$cls
API String ID: 3947835035-1264740257
Opcode ID: c9ee154cc69a6af5b94c7a7764e17bb8b2c22c4079e7b67912b6d860e4983b9c
Instruction ID: 9bdfe08d32a0cc9ab0360f41e4064e83718d365b683c1f24662894508b3d4094
Opcode Fuzzy Hash: c9ee154cc69a6af5b94c7a7764e17bb8b2c22c4079e7b67912b6d860e4983b9c
Instruction Fuzzy Hash: 69119224A08943A2FA14BF61EC591B8A261EF94F44FC14572D91E832B1DFBCE569CA30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258369C0 Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7258369E9
__scrt_release_startup_lock.LIBCMT ref: 00007FF725836A57
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725836AA5
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725836AAA
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725836AB2
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725836ABA
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725836ADC
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725836B36

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: c3187bb4b08aba025ff43725fd7a4df55c48c25b9f12eada5a1107f155774f80
Instruction ID: 63d106b8dbb9bf9a2113eba359ccc3b4d650cde980953abc9ac4d6b917d47732
Opcode Fuzzy Hash: c3187bb4b08aba025ff43725fd7a4df55c48c25b9f12eada5a1107f155774f80
Instruction Fuzzy Hash: B3316C22A08142A1FB00BF2ADC113B9A691EF45F84FD44034DA4E472D7DEFDE9258E70

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725834A70 Relevance: 10.6, APIs: 7, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834B03
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834B57
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834B7E
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834BA6
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834BEC
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834BF3
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF725834104), ref: 00007FF725834C00

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1492985063-0
Opcode ID: ea4e65ff608239eaf6f194e3838368642b22e1e7e49dc36cda5a9e5d3bcc73db
Instruction ID: 3fcc2f288c12310cbafbfb776467a88341261dc8403c9fc9155945a69080a772
Opcode Fuzzy Hash: ea4e65ff608239eaf6f194e3838368642b22e1e7e49dc36cda5a9e5d3bcc73db
Instruction Fuzzy Hash: 9251743260964191EB209F59E898338E7A0EB85F95F95C531CE5E437B0CFBED4568B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725829AF0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF7258359C8,?,?,?,00007FF7257F1124), ref: 00007FF725829AFB

Strings

bugado.exe, xrefs: 00007FF72582A12A
string too long, xrefs: 00007FF725829AF4
bugado.sys, xrefs: 00007FF72582A0F9
runas, xrefs: 00007FF72582A1CB

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: Xlength_error@std@@
String ID: bugado.exe$bugado.sys$runas$string too long
API String ID: 1004598685-637167626
Opcode ID: f3167c0f0a00b8d65023d420fcc30cb801589142a364e1eb650c629c50f21d9a
Instruction ID: 952b00572b4349a07d991db00cd23c52681145066bdfcebbf002e084e0e92709
Opcode Fuzzy Hash: f3167c0f0a00b8d65023d420fcc30cb801589142a364e1eb650c629c50f21d9a
Instruction Fuzzy Hash: 54B00220A15545F1E514FF15DC950645234EB54B55FD00435D50D915605E6C5576CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7257F11A0 Relevance: 4.6, APIs: 3, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7257F12AC

Part of subcall function 00007FF725836874: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F1094), ref: 00007FF72583688E

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7257F1341
GetSystemMetrics.USER32 ref: 00007FF7257F1356

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_taskMetricsSystem_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 3795263346-0
Opcode ID: 0aead9b5c721c736af0a6a840bf36e2827e88eb0625254b7d215d3d584e69765
Instruction ID: bb12a286a41b4717f49e2058e3d39df99f501b43fa1dc484d37d08d1c38567fb
Opcode Fuzzy Hash: 0aead9b5c721c736af0a6a840bf36e2827e88eb0625254b7d215d3d584e69765
Instruction Fuzzy Hash: FD414D21F4AB4685EA14FFA5EC41178A2D0EF0DFA0FD40235C96D43BE4DEACE0618B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72582B000 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_Random_device@std@@YAIXZ.MSVCP140(?,?,?,?,?,00007FF7257F1189), ref: 00007FF72582B0F2

Part of subcall function 00007FF725836474: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF72582B052,?,?,?,?,?,00007FF7257F1189), ref: 00007FF725836484

Part of subcall function 00007FF725836874: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F1094), ref: 00007FF72583688E

Part of subcall function 00007FF725836408: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF72582B0D6,?,?,?,?,?,00007FF7257F1189), ref: 00007FF725836418
Part of subcall function 00007FF725836408: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF72582B0D6,?,?,?,?,?,00007FF7257F1189), ref: 00007FF725836458

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Random_device@std@@Releasemalloc
String ID:
API String ID: 1166360053-0
Opcode ID: 7dda9ca11bc13e7847d9e161f85455b04ea8e112be199c7175721f2e87fc04dd
Instruction ID: 8ad61178f2e6ce2ff739cb785a66da240993c444b8a94f1c18b243b5d14966eb
Opcode Fuzzy Hash: 7dda9ca11bc13e7847d9e161f85455b04ea8e112be199c7175721f2e87fc04dd
Instruction Fuzzy Hash: F071A232A0968286E704EF25ED51279B7A1FF49B44F944235CA4E87291DFBCE465CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72582A360 Relevance: 1.5, APIs: 1, Instructions: 37
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF72582A3E9

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9285b5128434c80968dceaabb5c3f1d532285e032ccb3e5c142f71da5084b2ab
Instruction ID: 7b93c439af6cd1e410febf92d3bcfb54fa46364fc64cb8a1663eb11f8ba50eb1
Opcode Fuzzy Hash: 9285b5128434c80968dceaabb5c3f1d532285e032ccb3e5c142f71da5084b2ab
Instruction Fuzzy Hash: 1F01E13A6157908BE710AF54E40925D7BA0F785B24FD40214D76A277A0C77EC252CF10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF725832D90 Relevance: 98.2, APIs: 11, Strings: 45, Instructions: 204
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32 ref: 00007FF725832DBC
QueryPerformanceCounter.KERNEL32 ref: 00007FF725832DEF
GetKeyState.USER32 ref: 00007FF725832E2D
GetKeyState.USER32 ref: 00007FF725832E43
GetKeyState.USER32 ref: 00007FF725832E59
ClientToScreen.USER32 ref: 00007FF725832EA8
SetCursorPos.USER32 ref: 00007FF725832EB6
GetActiveWindow.USER32 ref: 00007FF725832EC9
GetCursorPos.USER32 ref: 00007FF725832EDD
ScreenToClient.USER32 ref: 00007FF725832EF3
GetAsyncKeyState.USER32 ref: 00007FF725832F52

Part of subcall function 00007FF725815430: memmove.VCRUNTIME140 ref: 00007FF725815525

Strings

AggroBot, xrefs: 00007FF725831EFC
Raze, xrefs: 00007FF725831550
Chamber, xrefs: 00007FF72583105F, 00007FF725831113
[ %.fm ], xrefs: 00007FF72583030E
Private Script, xrefs: 00007FF725832F8E
Thorne, xrefs: 00007FF7258315CD
333?, xrefs: 00007FF7258323B2
Mage, xrefs: 00007FF72583205F
Sprinter, xrefs: 00007FF725831461
Hunter_PC_C, xrefs: 00007FF72583185D
Astra, xrefs: 00007FF725830ACE, 00007FF725830B82
BountyHunter, xrefs: 00007FF725831C50
C:WindowsFontsCalibri.ttf, xrefs: 00007FF72582FAE9
Guide, xrefs: 00007FF725831715
Deadeye, xrefs: 00007FF725831023
Gekko, xrefs: 00007FF725831F38, 00007FF725831FEC
Deadlock, xrefs: 00007FF7258322AB
Brimstone, xrefs: 00007FF725830EF8
None, xrefs: 00007FF725830802
Killjoy, xrefs: 00007FF7258312F6, 00007FF725831332, 00007FF7258313E6
Omen, xrefs: 00007FF7258314C0
Rift, xrefs: 00007FF725830A92
Reyna, xrefs: 00007FF725831598
Neon, xrefs: 00007FF725831478
Deadlock, xrefs: 00007FF7258321F9
Cypher, xrefs: 00007FF7258311CE, 00007FF725831282
Wraith, xrefs: 00007FF7258314A9
Vampire, xrefs: 00007FF725831581
Breach, xrefs: 00007FF725830D58, 00007FF725830D94, 00007FF725830E48
<", xrefs: 00007FF7258306CD
Cable, xrefs: 00007FF7258321C3
Phoenix, xrefs: 00007FF7258314F1, 00007FF725831508
, xrefs: 00007FF725832714
Gumshoe, xrefs: 00007FF725831192
Kay/O, xrefs: 00007FF725830C31, 00007FF725830CE5
Bot, xrefs: 00007FF725831DD4, 00007FF725831E88
Sarge, xrefs: 00007FF725830EBC
Clay, xrefs: 00007FF725831539
Pandemic, xrefs: 00007FF7258319A5
TrainingBot, xrefs: 00007FF725831D98
Harbor, xrefs: 00007FF72583209B, 00007FF72583214F
Wushu, xrefs: 00007FF72583094A
Grenadier, xrefs: 00007FF725830BF5
Viper, xrefs: 00007FF7258319E1, 00007FF725831A95
Stealth, xrefs: 00007FF725831B08

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: State$Client$CursorScreen$ActiveAsyncCounterPerformanceQueryRectWindowmemmove
String ID: $333?$<"$AggroBot$Astra$Bot$BountyHunter$Breach$Brimstone$C:WindowsFontsCalibri.ttf$Cable$Chamber$Clay$Cypher$Deadeye$Deadlock$Deadlock$Gekko$Grenadier$Guide$Gumshoe$Harbor$Hunter_PC_C$Kay/O$Killjoy$Mage$Neon$None$Omen$Pandemic$Phoenix$Private Script$Raze$Reyna$Rift$Sarge$Sprinter$Stealth$Thorne$TrainingBot$Vampire$Viper$Wraith$Wushu$[ %.fm ]
API String ID: 2031384599-2635236292
Opcode ID: aeed4f906d71522da0908baff7fd5f8eb16c0e1059c737abc94525402b9b49ee
Instruction ID: 897acff441504cb80d3a6f6d4a5df41e8d32a72af09f63db734ef3e3b588b6c8
Opcode Fuzzy Hash: aeed4f906d71522da0908baff7fd5f8eb16c0e1059c737abc94525402b9b49ee
Instruction Fuzzy Hash: 62B12B32A19A8696E710EF35EC40279B7A0FF89F84F844131DA4D476A1CFBDE465CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725833B70 Relevance: 56.2, APIs: 18, Strings: 14, Instructions: 248
memoryprocesssleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72582A360: CreateFileW.KERNELBASE ref: 00007FF72582A3E9

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725833BC9
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725833BDB
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725833BE8
Sleep.KERNEL32 ref: 00007FF725833C90
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725833C98
GetModuleHandleA.KERNEL32 ref: 00007FF725833CEC
GetProcAddress.KERNEL32 ref: 00007FF725833CFC
GetProcessHeap.KERNEL32 ref: 00007FF725833D25
HeapAlloc.KERNEL32 ref: 00007FF725833D36
GetProcessHeap.KERNEL32 ref: 00007FF725833D41
HeapReAlloc.KERNEL32 ref: 00007FF725833D5A
GetProcessHeap.KERNEL32 ref: 00007FF725833DA5
HeapReAlloc.KERNEL32 ref: 00007FF725833DCD
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725833EEA
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725833F9E
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725833FAB
Sleep.KERNEL32 ref: 00007FF725834053
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72583405B

Strings

NtQuerySystemInformation, xrefs: 00007FF725833CF2
color c, xrefs: 00007FF725833BE1, 00007FF725833FA4
VALORANT-Win64-Shipping.exe, xrefs: 00007FF725833C9E
Private Script, xrefs: 00007FF7258339F6
ntdll.dll, xrefs: 00007FF725833CE5
2, xrefs: 00007FF72583402A
:($?, xrefs: 00007FF72583396D
ConT, xrefs: 00007FF725833EAE
2, xrefs: 00007FF725833F69
Private Script, xrefs: 00007FF725833A48, 00007FF725833A57
2$*(, xrefs: 00007FF725833964
2, xrefs: 00007FF725833C67
[-] Driver Error. Restart Your Computer.., xrefs: 00007FF725833B8C
cls, xrefs: 00007FF725833BC2, 00007FF725833BD4, 00007FF725833EE3, 00007FF725833F97

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: Heapsystem$AllocProcess$Sleepexit$AddressCreateFileHandleModuleProc
String ID: 2$2$2$2$*($:($?$ConT$NtQuerySystemInformation$Private Script$Private Script$VALORANT-Win64-Shipping.exe$[-] Driver Error. Restart Your Computer..$cls$color c$ntdll.dll
API String ID: 1315585560-226998937
Opcode ID: 8ef4994f394f6ac0cba7e61b40c5860b9973d16a0de5411edd625d31e09c9e1c
Instruction ID: b41eedabe4db8b89633d1bd53822412dcd47fa1d79d54a09025fd623df0ed79f
Opcode Fuzzy Hash: 8ef4994f394f6ac0cba7e61b40c5860b9973d16a0de5411edd625d31e09c9e1c
Instruction Fuzzy Hash: DED10E3250DA8695EA60EF15F8443AAF3A0FB84B40F900135EA8E43BA5DFBCD565CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258202E0 Relevance: 50.3, APIs: 1, Strings: 32, Instructions: 799COMMON

Download Yara Rule

Strings

##X, xrefs: 00007FF7258206F8
##picker, xrefs: 00007FF725820E64
#%02X%02X%02X, xrefs: 00007FF725820B66
##ColorButton, xrefs: 00007FF725820CD7
R:%0.3f, xrefs: 00007FF725820797
G:%3d, xrefs: 00007FF725820746
##W, xrefs: 00007FF725820719
H:%0.3f, xrefs: 00007FF7258207B8
_COL3F, xrefs: 00007FF725821011
B:%0.3f, xrefs: 00007FF7258207AD
S:%0.3f, xrefs: 00007FF7258207C3
M:000, xrefs: 00007FF7258205EE
A:%0.3f, xrefs: 00007FF7258206E1
A:%3d, xrefs: 00007FF7258206CC
%02X%02X%02X%02X, xrefs: 00007FF725820C0A
##Text, xrefs: 00007FF725820BB0
V:%0.3f, xrefs: 00007FF7258207D1
#%02X%02X%02X%02X, xrefs: 00007FF725820B15
##Z, xrefs: 00007FF72582070E
V:%3d, xrefs: 00007FF725820772
B:%3d, xrefs: 00007FF725820751
R:%3d, xrefs: 00007FF72582073B
%02X%02X%02X, xrefs: 00007FF725820C27
%0.3f, xrefs: 00007FF725820780
M:0.000, xrefs: 00007FF72582066B
picker, xrefs: 00007FF725820D26, 00007FF725820DD9
%3d, xrefs: 00007FF725820724
##Y, xrefs: 00007FF725820703
_COL4F, xrefs: 00007FF725821036
H:%3d, xrefs: 00007FF72582075C
G:%0.3f, xrefs: 00007FF7258207A2
S:%3d, xrefs: 00007FF725820767

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ##ColorButton$##Text$##W$##X$##Y$##Z$##picker$#%02X%02X%02X$#%02X%02X%02X%02X$%0.3f$%02X%02X%02X$%02X%02X%02X%02X$%3d$A:%0.3f$A:%3d$B:%0.3f$B:%3d$G:%0.3f$G:%3d$H:%0.3f$H:%3d$M:0.000$M:000$R:%0.3f$R:%3d$S:%0.3f$S:%3d$V:%0.3f$V:%3d$_COL3F$_COL4F$picker
API String ID: 0-595615364
Opcode ID: 4ae867652407ff36cfa77cfda984b183e7003ad4facbbc15f9233da66fe65fe6
Instruction ID: 3b90200de24188bc19765c2d0411b21afd617cc21b3845ab178a7b717569aa55
Opcode Fuzzy Hash: 4ae867652407ff36cfa77cfda984b183e7003ad4facbbc15f9233da66fe65fe6
Instruction Fuzzy Hash: FE82B232A18B858AE711DF26D8402F9F7A0FF59B44F944332DA4C536A9DF78E0A58F10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725821760 Relevance: 40.3, APIs: 12, Strings: 10, Instructions: 1773COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF72582193E

Part of subcall function 00007FF7258245A0: memmove.VCRUNTIME140 ref: 00007FF725824748

atan2f.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725821C41
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725821CA4
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725821CB2
memmove.VCRUNTIME140 ref: 00007FF7258224B0
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7258229B1
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7258229C9
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7258229DF
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7258229F6
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725822A67
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725822A74

Part of subcall function 00007FF7258044A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7258044D3
Part of subcall function 00007FF7258044A0: memmove.VCRUNTIME140 ref: 00007FF7258044EF
Part of subcall function 00007FF7258044A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580450F

memcmp.VCRUNTIME140 ref: 00007FF7258236D0

Strings

##rgb, xrefs: 00007FF7258225B8
##current, xrefs: 00007FF7258223F8
Current, xrefs: 00007FF7258223DD
##hsv, xrefs: 00007FF725822603
Original, xrefs: 00007FF725822432
##hex, xrefs: 00007FF725822638
alpha, xrefs: 00007FF725821FE5
hue, xrefs: 00007FF725822195
hsv, xrefs: 00007FF725821B84
##original, xrefs: 00007FF72582245F

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: cosfmemmovesinf$atan2ffreemallocmemcmp
String ID: ##current$##hex$##hsv$##original$##rgb$Current$Original$alpha$hsv$hue
API String ID: 141762661-1396814860
Opcode ID: 6c723c5ad3708c166068bfdc829d59c0c7bd673ba0a4118511b47adf195c362e
Instruction ID: 3e8d17b3c088ea7343a3441530cc2d0d7c7b18cf7fda1a9e96a5371459ae2d97
Opcode Fuzzy Hash: 6c723c5ad3708c166068bfdc829d59c0c7bd673ba0a4118511b47adf195c362e
Instruction Fuzzy Hash: 17030A32E14B8986E311DE3788411B9F760FF6E784F589722EE44766B5DB78B0A19F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725811650 Relevance: 29.8, APIs: 23, Instructions: 1099COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725811732
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725811753
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725811836
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725811867
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725811913
memset.VCRUNTIME140 ref: 00007FF725811929
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7258119F0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725811A15
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725811AB4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725811AD7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725811B01
memset.VCRUNTIME140 ref: 00007FF725811B15
memset.VCRUNTIME140 ref: 00007FF725811B23
memset.VCRUNTIME140 ref: 00007FF725811B34
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812039
memset.VCRUNTIME140 ref: 00007FF725812052
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812242
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812262
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812283

Part of subcall function 00007FF725812D70: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812DA0
Part of subcall function 00007FF725812D70: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812DC9
Part of subcall function 00007FF725812D70: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812DF2

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72581266E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72581268F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7258126B1

Part of subcall function 00007FF725812E30: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812E93
Part of subcall function 00007FF725812E30: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812EC4

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812817

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: free$malloc$memset
String ID:
API String ID: 1620901979-0
Opcode ID: 49ee521f678a7fdf1028608e11429ee34c70b3994334c854cdf0c26ba8b51331
Instruction ID: e2b9401e16f2bf7bc691746715432f4a7fb31755c801b9010c5ca417165d27e0
Opcode Fuzzy Hash: 49ee521f678a7fdf1028608e11429ee34c70b3994334c854cdf0c26ba8b51331
Instruction Fuzzy Hash: CBB2E232A047858AE754EF26E8407BDB7A0FB48F84F449236DE4A57794DF78E4A4CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725807210 Relevance: 15.8, APIs: 10, Instructions: 825COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580733A
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7258078D9
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725807909
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725807DAA
memmove.VCRUNTIME140 ref: 00007FF725807DCD
memmove.VCRUNTIME140 ref: 00007FF725807DE8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725807E07
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725807E2F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725807E67
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725807E8C

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemmovesqrtf
String ID:
API String ID: 2108133213-0
Opcode ID: fddacb188991418583df7353fbd41f9969c4525992eebd235984d25f53a3e0a3
Instruction ID: 0618e20870c6d3c4016be6709d276c026af4471f9ec1ee8bbca734724f0b2197
Opcode Fuzzy Hash: fddacb188991418583df7353fbd41f9969c4525992eebd235984d25f53a3e0a3
Instruction Fuzzy Hash: 5972AD13E28BE845D3139B36544227AA7D1EF6EB84F1DD722FD44A26B2DB3CE4518B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725803CC0 Relevance: 15.1, APIs: 10, Instructions: 149clipboardCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725803D44
OpenClipboard.USER32 ref: 00007FF725803D53

Part of subcall function 00007FF725836474: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF72582B052,?,?,?,?,?,00007FF7257F1189), ref: 00007FF725836484

GetClipboardData.USER32 ref: 00007FF725803D6F
CloseClipboard.USER32 ref: 00007FF725803D7D

Part of subcall function 00007FF725836408: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF72582B0D6,?,?,?,?,?,00007FF7257F1189), ref: 00007FF725836418
Part of subcall function 00007FF725836408: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF72582B0D6,?,?,?,?,?,00007FF7257F1189), ref: 00007FF725836458

GlobalLock.KERNEL32 ref: 00007FF725803D98
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725803E65
memmove.VCRUNTIME140 ref: 00007FF725803E84
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725803EA7
GlobalUnlock.KERNEL32 ref: 00007FF725803EE6
CloseClipboard.USER32 ref: 00007FF725803EEC

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardLock$Exclusive$AcquireCloseGlobalfree$DataOpenReleaseUnlockmallocmemmove
String ID:
API String ID: 4281195603-0
Opcode ID: c629b6c38c3ed04116a5d93c5700eb0801db02279bb3a7913be814a7ae599146
Instruction ID: 52ae4d502ae4a2bf30f94f905172cd581d33d22b1a8fcaf19e44531983cf47a1
Opcode Fuzzy Hash: c629b6c38c3ed04116a5d93c5700eb0801db02279bb3a7913be814a7ae599146
Instruction Fuzzy Hash: B2515C31E1DA0286EB54BF25EC50679A2E0EF48F81FD44135D99E477A0DEFCE5A18B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72581CB70 Relevance: 14.0, APIs: 5, Strings: 1, Instructions: 3530stringCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF72581D284
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72581EB1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72581EC73
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72581F4E0
fmodf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725820035

Strings

#SCROLLY, xrefs: 00007FF72581D0DE, 00007FF72581F6F9

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: fmodffreemallocmemmovestrncpy
String ID: #SCROLLY
API String ID: 3140659168-1064663049
Opcode ID: f78ac07a314803901bf56fa351b9290d5f923cad6e6cb3c5d81f26fa20a51f1c
Instruction ID: 67fb65629f8be1dcb7dde99110cc38e4b7a6047c7fdd6fecd47b407900822dc6
Opcode Fuzzy Hash: f78ac07a314803901bf56fa351b9290d5f923cad6e6cb3c5d81f26fa20a51f1c
Instruction Fuzzy Hash: 38733733E0968686E711AE3698403B9B7A0EF19B84F85A731DE4D67691DFB8F450CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725824160 Relevance: 14.0, Strings: 11, Instructions: 248COMMON

Download Yara Rule

Strings

Copy, xrefs: 00007FF7258242BB, 00007FF725824307
(%.3ff, %.3ff, %.3ff, %.3ff), xrefs: 00007FF7258243E5
HEX, xrefs: 00007FF725824210
0.00..1.00, xrefs: 00007FF72582425F
0x%02X%02X%02X%02X, xrefs: 00007FF7258244FF
(%d,%d,%d,%d), xrefs: 00007FF72582446C
0x%02X%02X%02X, xrefs: 00007FF7258244E8
context, xrefs: 00007FF72582418C
RGB, xrefs: 00007FF7258241CC
0..255, xrefs: 00007FF72582423F
HSV, xrefs: 00007FF7258241EE

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (%.3ff, %.3ff, %.3ff, %.3ff)$(%d,%d,%d,%d)$0..255$0.00..1.00$0x%02X%02X%02X$0x%02X%02X%02X%02X$Copy$HEX$HSV$RGB$context
API String ID: 0-3068764630
Opcode ID: 1f05e0131807f71ce9cb2c8d3de8fca25cee2f149b733ef8265400c29124e4f5
Instruction ID: 91e6996a1e2872548ddf60d8896954fb0575b2d0f1c31fe47e7dd389d59d1d93
Opcode Fuzzy Hash: 1f05e0131807f71ce9cb2c8d3de8fca25cee2f149b733ef8265400c29124e4f5
Instruction Fuzzy Hash: 61B12632D186C242E620EF26A8403FAA351EF99B40F948332DA4D672A5EF7CD455CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725836D18 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF725836D34
memset.VCRUNTIME140 ref: 00007FF725836D58
RtlCaptureContext.KERNEL32 ref: 00007FF725836D61
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF725836D7B
RtlVirtualUnwind.KERNEL32 ref: 00007FF725836DBC
memset.VCRUNTIME140 ref: 00007FF725836DEF
IsDebuggerPresent.KERNEL32 ref: 00007FF725836E10
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF725836E2D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF725836E38

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: e13a130302212cf3c31a68f3b9d4d4c207aef9ca537039a68ac79f7ffd9fd17b
Instruction ID: aae40df482cad84560ba477ffce09ecc189e22fd0ea86ab93e667f698468eaaa
Opcode Fuzzy Hash: e13a130302212cf3c31a68f3b9d4d4c207aef9ca537039a68ac79f7ffd9fd17b
Instruction Fuzzy Hash: F2315372604B8195EB60AF65E8903FD7364FB84B44F44443ADA4E47B94EFBCD558CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72580AAE0 Relevance: 12.3, APIs: 8, Instructions: 254COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580ABD2
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580AC00
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580AC2F
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580AC5A
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580AE58
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580AE86
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580AEB5
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580AEE0

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: db6d56e9b95cda2c96d0dcd2988d5407ce8a5b877bba5a3fc8440e20077ac045
Instruction ID: 19e5a4397cedeef085e6c71e367b5879aac55cc2dc5c80d07bd03158c7c8d198
Opcode Fuzzy Hash: db6d56e9b95cda2c96d0dcd2988d5407ce8a5b877bba5a3fc8440e20077ac045
Instruction Fuzzy Hash: EAB1A522E28BCC41E223AA3754821F5E250EF7F7C5F2DDB23FD84756B2AB6461D15A10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725803F10 Relevance: 12.1, APIs: 8, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF725803F1B
GlobalAlloc.KERNEL32 ref: 00007FF725803F8E
GlobalLock.KERNEL32 ref: 00007FF725803F9F
GlobalUnlock.KERNEL32 ref: 00007FF725803FF1
EmptyClipboard.USER32 ref: 00007FF725803FF7
SetClipboardData.USER32 ref: 00007FF725804005
GlobalFree.KERNEL32 ref: 00007FF725804013
CloseClipboard.USER32 ref: 00007FF725804019

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: 75c3d5495a23fcc16b2952edc665c2ffec0825b35b98fab2fd0664649ad1b3cc
Instruction ID: e63f7e902ac86eb1627d3ac144a199397ad8deaa7d079e8fbb4928c317ad8d98
Opcode Fuzzy Hash: 75c3d5495a23fcc16b2952edc665c2ffec0825b35b98fab2fd0664649ad1b3cc
Instruction Fuzzy Hash: 26318221A1CA4286EA20BF15EC5427AE3E0FF49F94F884531DE4E577A4DEBCE461CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72580DB50 Relevance: 9.9, APIs: 6, Instructions: 863COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580DD3E
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580DDD2
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580DE6C
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580DEFB
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580DFDD
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580E84D

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: 93feb957332540da03a289b80d6e79e3a6ec25620199289d93aeb76f5a3b56a7
Instruction ID: 683e268a009756274b2929e2d9fae2babd96a5c4fd8d9d72e390f4e77054205a
Opcode Fuzzy Hash: 93feb957332540da03a289b80d6e79e3a6ec25620199289d93aeb76f5a3b56a7
Instruction Fuzzy Hash: 17924E33920B889AD712CF37C4810A9B7A0FF6DB84719D716EA4927761EB34F1A5DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72580EA30 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 409COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580EC0D
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580EC82
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580ED6E

Strings

(, xrefs: 00007FF72580EF8E

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: sqrtf
String ID: (
API String ID: 321154650-3887548279
Opcode ID: 0e42f2ef0a12c85dfbdd18b851c832a13042b35b7c969f8bc351eaeb522b7173
Instruction ID: 93bb13a8994e174008fe01f9dede6d70bb859218c9b34ee3d7541702c99022f5
Opcode Fuzzy Hash: 0e42f2ef0a12c85dfbdd18b851c832a13042b35b7c969f8bc351eaeb522b7173
Instruction Fuzzy Hash: 4302A433D24BC886D312DF3A94421ADB7A1FF6EB84B19D712EA4533665DB34B1A1DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72582A410 Relevance: 9.0, APIs: 6, Instructions: 39processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF72582A425
Process32FirstW.KERNEL32 ref: 00007FF72582A43E
lstrcmpiW.KERNEL32 ref: 00007FF72582A458
Process32NextW.KERNEL32 ref: 00007FF72582A46A
CloseHandle.KERNEL32 ref: 00007FF72582A477
CloseHandle.KERNEL32 ref: 00007FF72582A494

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 3122021977-0
Opcode ID: 74fb313f3834dca26190e467b8e3a4f91e94579d80462521eeb9ab80d5e4f230
Instruction ID: b8fd1fa03deea127f869707b418f1c014ec227974decfe08970d9ef0773daf1e
Opcode Fuzzy Hash: 74fb313f3834dca26190e467b8e3a4f91e94579d80462521eeb9ab80d5e4f230
Instruction Fuzzy Hash: 4111FE21A0C64297EA20AF21FC9836AB7A0FF88F94F884130DD5D47654DEBCD559CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725809D60 Relevance: 7.9, APIs: 6, Instructions: 352COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725809DE8
memset.VCRUNTIME140 ref: 00007FF725809EF5
memset.VCRUNTIME140 ref: 00007FF725809F0C

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memset$malloc
String ID:
API String ID: 1671641884-0
Opcode ID: 2304efacfb66030efa92118b162fd8c91160b8911844af8e0da4140438277a77
Instruction ID: 05684028d1ec032ee068cfda99725b024887353ca126f7303f00a51931b65aaf
Opcode Fuzzy Hash: 2304efacfb66030efa92118b162fd8c91160b8911844af8e0da4140438277a77
Instruction Fuzzy Hash: AEF1F132908BC886D7229F36D4412A9F3A4FF98F84F58D332DA4867665DF38E195CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7257FC615 Relevance: 6.7, APIs: 1, Strings: 3, Instructions: 672COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF7257FCC7E

Part of subcall function 00007FF7257F42D0: memchr.VCRUNTIME140 ref: 00007FF7257F442E

Strings

%*s%.*s, xrefs: 00007FF7257FCCD3
%.*s, xrefs: 00007FF7257FCCAE
#COLLAPSE, xrefs: 00007FF7257FC8B5

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memchr
String ID: %*s%.*s$ %.*s$#COLLAPSE
API String ID: 3297308162-3042388618
Opcode ID: 8ecba5b22682bc55eba7fd5183d0e39aa42485bfeb8d73b32063b864d12f01ed
Instruction ID: f893f7ba10101cd65e12f2cb5f226cb7eef3859449ef6370c133496343189b4e
Opcode Fuzzy Hash: 8ecba5b22682bc55eba7fd5183d0e39aa42485bfeb8d73b32063b864d12f01ed
Instruction Fuzzy Hash: 9B72D432A18B859BE719DF3699402E9B3A0FF5D744F488735DB59676A1DB38B0A0CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258283E0 Relevance: 6.3, APIs: 4, Instructions: 346COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7258285AC
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72582873F
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72582879A
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725828821

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 32f68d4f23e0ea9a0e35285ba80386010ded920abd405b2431b40f676bc14e6b
Instruction ID: c5aedf21562dc0e73a0288226338d3b716b24e24900fb82828b44c325c6fe980
Opcode Fuzzy Hash: 32f68d4f23e0ea9a0e35285ba80386010ded920abd405b2431b40f676bc14e6b
Instruction Fuzzy Hash: C7E12922D187C946EE12AE3649062B8E750EF59FD0F5C8732DD0D766A1EFAC74918E20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725827F60 Relevance: 6.3, APIs: 4, Instructions: 270COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725828111
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725828252
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72582828B
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7258282D2

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 5eb19d377a5b4fc6bbe31d5ff74df7366d8e8f476b34fd5322c45523f07ac6c7
Instruction ID: cf280c2f26f4f6c2d2564c4082372b230d20974cf23945f64de63664691945a7
Opcode Fuzzy Hash: 5eb19d377a5b4fc6bbe31d5ff74df7366d8e8f476b34fd5322c45523f07ac6c7
Instruction Fuzzy Hash: BDC11C22D087C986EA22BF3788051B5E750EF6DF94F5D8732DD48722A1DFB875918E20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725828DB0 Relevance: 6.3, APIs: 4, Instructions: 263COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725828F6C
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7258290B1
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7258290E5
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725829128

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: e75d448b6089e15ed219ae4b06a159b59fdf6194989a8d32ee92472e4999567d
Instruction ID: 8da551117ccbf9e671f5e0d73698d83e5147e481a8b1f9cd2006751658615f84
Opcode Fuzzy Hash: e75d448b6089e15ed219ae4b06a159b59fdf6194989a8d32ee92472e4999567d
Instruction Fuzzy Hash: 00C10D22D0CBCD46E713BE3648052F9E754EF6AB84F498332ED49761A1DF6875D28E20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725827B30 Relevance: 6.3, APIs: 4, Instructions: 260COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725827CCD
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725827E03
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725827E2E
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725827E73

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 2a62d11f0253fd91c7ebeae8a049c76eae081bd281ec4fd7ce34070a07ba7336
Instruction ID: 1b953dc85c7b6e9080f81555d00a90382a6e8e82b9ea8dcaf9fa7d805dfaab6a
Opcode Fuzzy Hash: 2a62d11f0253fd91c7ebeae8a049c76eae081bd281ec4fd7ce34070a07ba7336
Instruction Fuzzy Hash: AEB12B22D086C942E722AE3788411B9F790EF59F44F9D9732DD48F2265DFB879918F20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72580BB80 Relevance: 6.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

APIs

floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580BE1B
floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580BE3D
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580BE5D
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580BE7F

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: ceilffloorf
String ID:
API String ID: 300201839-0
Opcode ID: ec08f01372ff2b6156a78224279b82304fe471b6beda03a9781318a68798c0ba
Instruction ID: 083ff63990f5a333996a8d5eafdd553b2d8e03e8ff901310e662200dd6b41be6
Opcode Fuzzy Hash: ec08f01372ff2b6156a78224279b82304fe471b6beda03a9781318a68798c0ba
Instruction Fuzzy Hash: 30A11533A186D486D325DF36A0416AEBBE1FB9D781F058326FAC867615EB3CD5908F10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725836F74 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF725836FA0
GetCurrentThreadId.KERNEL32 ref: 00007FF725836FAE
GetCurrentProcessId.KERNEL32 ref: 00007FF725836FBA
QueryPerformanceCounter.KERNEL32 ref: 00007FF725836FCA

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c118f615d7e4324cea1baf1ea6d6862d0f9c0868f9f4a5a8e662f3125cd93aa8
Instruction ID: 9df84cde9d32d2000167bfb25d8ce14e616a52008d0ba3aa54fc65c541d01230
Opcode Fuzzy Hash: c118f615d7e4324cea1baf1ea6d6862d0f9c0868f9f4a5a8e662f3125cd93aa8
Instruction Fuzzy Hash: 17111C26B15B018AEB00AF60EC542A873A4F759B68F840A31DE6D877A4EFBCD1658750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72580BF80 Relevance: 3.4, APIs: 2, Instructions: 392COMMON

Download Yara Rule

APIs

floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580C375
floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580C39D

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: floorf
String ID:
API String ID: 2864407545-0
Opcode ID: 132935ed6feb203989319a6457cc423e8e5ce13b9ec1052478f3c63450df463f
Instruction ID: 4b0c32cf012ceef96be8e6bba4ecfb707f240789eaca8bfef6f8c991ffedda20
Opcode Fuzzy Hash: 132935ed6feb203989319a6457cc423e8e5ce13b9ec1052478f3c63450df463f
Instruction Fuzzy Hash: 34022332A186D486D321CF35A4417BAF7A0FF9D785F158326EB8893A55EB3CE590CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725818120 Relevance: 2.9, Strings: 2, Instructions: 402COMMON

Download Yara Rule

Strings

( ), xrefs: 00007FF7258187E2
(x), xrefs: 00007FF7258187DB

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemmove
String ID: ( )$(x)
API String ID: 2537350866-370779237
Opcode ID: b1119f696214d8ba7f90e4ee1f65465eada2cf94fb5f2e8ac11ef52d2bee0a01
Instruction ID: 4df5f2d5f7fb3b0dc9cbaa1721d9c986b15aa9d42a2c595769f4788d3a5d1fcc
Opcode Fuzzy Hash: b1119f696214d8ba7f90e4ee1f65465eada2cf94fb5f2e8ac11ef52d2bee0a01
Instruction Fuzzy Hash: 2F12E833914B8586E302EF3698412BAF350FF5AB94F589731EE58561A5EF78E094CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258174D0 Relevance: 2.9, Strings: 2, Instructions: 399COMMON

Download Yara Rule

Strings

#SCROLLY, xrefs: 00007FF7258174FF
#SCROLLX, xrefs: 00007FF7258174EC

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #SCROLLX$#SCROLLY
API String ID: 0-350977493
Opcode ID: 3a2ae1fc35a0c6b3663d58866bedec34cd2ff3f5de896a73a96108c1447e6ee8
Instruction ID: 56d0e0b3e9f75e6f20663e9352b967fb41de348687e98405e6ae50f13cc1ce04
Opcode Fuzzy Hash: 3a2ae1fc35a0c6b3663d58866bedec34cd2ff3f5de896a73a96108c1447e6ee8
Instruction Fuzzy Hash: CF120833D18BCD85E212DA3784421B9F350EF7E784F18EB26FE45755A2DB65B0A18B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72582CA40 Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FF72582CAB3
VUUU, xrefs: 00007FF72582CA93

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: VUUU$VUUU
API String ID: 0-3149182767
Opcode ID: 77fe9609ecf96d010ca7fe66fbe2b1cb7a2d5a82249d9e7db7ce310d1313f0df
Instruction ID: 6674982d3d916944c37c2e397288a2f36c7a550914d4ecec18e1e593f22a6e3e
Opcode Fuzzy Hash: 77fe9609ecf96d010ca7fe66fbe2b1cb7a2d5a82249d9e7db7ce310d1313f0df
Instruction Fuzzy Hash: 57C1B833E10B889AE301CF3AD4415F9B7A1FF6A7C4754A322FA48736A5DF649261DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72580A580 Relevance: 2.7, APIs: 2, Instructions: 215COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580A682
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580A8CF

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 0597a6ec58ed58cb5a0342289e735cd12eaeefe31cfe579b4eba10ff15c6e56a
Instruction ID: 636b766119796e4920a1b51dc283756b1e9f109dc8cadf4bd1fff4d24a9592ed
Opcode Fuzzy Hash: 0597a6ec58ed58cb5a0342289e735cd12eaeefe31cfe579b4eba10ff15c6e56a
Instruction Fuzzy Hash: 3391F132A1468586EB12DF3AD8017B9B7A0FF9AB85F45C321DE4963652EF78E051CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725826210 Relevance: 1.8, Strings: 1, Instructions: 566COMMON

Download Yara Rule

Strings

%.*s, xrefs: 00007FF725826AEC

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %.*s
API String ID: 0-572262228
Opcode ID: 33a06cb920a39f5a557a12a0f0f166561f8347c84cec613d82a699375ccd5b91
Instruction ID: dfa1a543186f31df886081de52c999a2862fb77591eacab062aa6d1783ec3c66
Opcode Fuzzy Hash: 33a06cb920a39f5a557a12a0f0f166561f8347c84cec613d82a699375ccd5b91
Instruction Fuzzy Hash: 1D521533A086C587D711DF3698402B9BBA0FF59B58F988335DA4893694DF78E8A1CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725818F20 Relevance: 1.8, Strings: 1, Instructions: 513COMMON

Download Yara Rule

Strings

##Combo_%02d, xrefs: 00007FF725819624

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemchrmemmove
String ID: ##Combo_%02d
API String ID: 837623554-4250768120
Opcode ID: 51b8da0754e16ca6ed49bf9c87b0fd8769c69bdc800e2bfdbb1ec51f5f5386f6
Instruction ID: e5b7b528807090d2b7b710165b1314c21aa4f0846cd00d843d94e8417f76c214
Opcode Fuzzy Hash: 51b8da0754e16ca6ed49bf9c87b0fd8769c69bdc800e2bfdbb1ec51f5f5386f6
Instruction Fuzzy Hash: 8C420432918B858AD711EF3698401E9F360FF9AB84F58D331EA49276A5DF78E094DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725814B50 Relevance: 1.7, APIs: 1, Instructions: 482COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF725814E41

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 4f7b991185b24b0044dabcd9d2ac8435f03da6b8d3c902986f39145ea064c1be
Instruction ID: 45ea276a15b7473466b224455ca267504f4d60c351cfbb3e5207fbd2bc8c87ff
Opcode Fuzzy Hash: 4f7b991185b24b0044dabcd9d2ac8435f03da6b8d3c902986f39145ea064c1be
Instruction Fuzzy Hash: 6C424C72A05A8586EB10DF26D8806ADB7B0FF88F88F958232CE4D57724CF79D595CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725812870 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X..., xrefs: 00007FF7258128A9

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...
API String ID: 0-3803095028
Opcode ID: 8a98b12613531deda3b84b58c7e419c2258ca7ce1f358669c1412f3d1e814cf7
Instruction ID: a7d442d3fc0afa2ca4216e1f801d106cb39c31f8b00a6b4383dffe53180b668e
Opcode Fuzzy Hash: 8a98b12613531deda3b84b58c7e419c2258ca7ce1f358669c1412f3d1e814cf7
Instruction Fuzzy Hash: A4D101733046C886C750CF29DCC5A38BBA6F754B41B4AC566DF89823A1EB7EC45AD320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725834EC0 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FF725834F28

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: 5e436c7c618ddcfe97ff41b77af070d133200f19ece2451dcbd7cd84b46f0d70
Instruction ID: f69ebf8d36af5672cbeaddc64ab8f806866f44779b88c5ea3ee77e8907c78e4a
Opcode Fuzzy Hash: 5e436c7c618ddcfe97ff41b77af070d133200f19ece2451dcbd7cd84b46f0d70
Instruction Fuzzy Hash: 13011736619B8087D310CF69F98426DBBB0FB8CB94F244129EB8883B14CB38D465CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72580B8F0 Relevance: 1.4, APIs: 1, Instructions: 192COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF72580B94A

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: cbbaf6f8103f988b8a2f8752187f6acc28d0778a0d3fe7ff94d03d80fdf94d1d
Instruction ID: 9f3b377b5ab6901c1efc8a29abe9bafae50939604ea2d7506eb875b8bd474e4e
Opcode Fuzzy Hash: cbbaf6f8103f988b8a2f8752187f6acc28d0778a0d3fe7ff94d03d80fdf94d1d
Instruction Fuzzy Hash: AB6168A362C2E243E3561F3CA85127DEED0F789749F5C8234FA8AD2B45D97CD9248B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72580B660 Relevance: 1.4, APIs: 1, Instructions: 188COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF72580B6BA

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: d135fd24004c43d1fb0230425f54a06654401e16d90db16fab0938014d8dc6ce
Instruction ID: 21c763602625313cf4b17e042888413d5899e943f7be6378c2cbb8f2ef230c02
Opcode Fuzzy Hash: d135fd24004c43d1fb0230425f54a06654401e16d90db16fab0938014d8dc6ce
Instruction Fuzzy Hash: D8614673B1C2E086C3258F38E805A7DEFE4E799749F598235DA8CC3A44EA6ED410CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725801C50 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b2594f820eb28785e23387fe864b4c02fcd850b120597eeb9d51f46ad65e422
Instruction ID: 0ea49d957bfecf82f1a5e801712ae5f16c7e79160aa587af246ab399ac9e8a74
Opcode Fuzzy Hash: 5b2594f820eb28785e23387fe864b4c02fcd850b120597eeb9d51f46ad65e422
Instruction Fuzzy Hash: 6612B732E0868596E759AE3689412B9F3D0FF19B90F888635DB1D23291DFB8F475CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725809730 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550d7f578fa8efb45d7f98265d205a47acfded40ff4a96133db6c246f7fdd91b
Instruction ID: 5341e378836d8bc68335f300558d99d1e1e264b431e7a272bd10fa59de262bf4
Opcode Fuzzy Hash: 550d7f578fa8efb45d7f98265d205a47acfded40ff4a96133db6c246f7fdd91b
Instruction Fuzzy Hash: E5F11A33D28BCD45E222AA3358420B5F290EFBF7D4F5DD722FD44365B2DB6861A19A10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7257FF1D0 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21849b542d8a0108faffead637cc1a935a3f276cdb88bf78b4e29129fabc95a
Instruction ID: 2c2342a2bf6463cc60a1102077d5b6560cc9a5ae550bb698f337610550eda8ff
Opcode Fuzzy Hash: f21849b542d8a0108faffead637cc1a935a3f276cdb88bf78b4e29129fabc95a
Instruction Fuzzy Hash: E2E1A733C4968D85E662FE3748420B8F390EF6EB45F59DB22E948322B1DF2971959F10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258016C0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76961cf7cffd913bb521c43d859a2335e75f083cfe3d3ab8d471a8f6c6ff1668
Instruction ID: 95ee839d3e90b647534d5183010f28b893d6097d924c46457b42264f5b3f2af1
Opcode Fuzzy Hash: 76961cf7cffd913bb521c43d859a2335e75f083cfe3d3ab8d471a8f6c6ff1668
Instruction Fuzzy Hash: DBA1C573D0A24A46E75BAD775C423B8A6C0EF2AB94F9CDB36DD0832491DB6970A44F10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258082E0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bfadc6915836f72785b6658091fa76f3fedbd38edd15623934350950cd77d3
Instruction ID: a8317bca81c2d98615dd14f5386fd3deb8f040facc15c00a3bd91dd8b407c6a4
Opcode Fuzzy Hash: 52bfadc6915836f72785b6658091fa76f3fedbd38edd15623934350950cd77d3
Instruction Fuzzy Hash: 70A1FE32A18AD48EE701DF7A84412BCBBB0FB59749F119324DE4533AA5DB786091CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725805B50 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction ID: 3350b3fd5268165f38e93f62d6810d563dc4b4e23492a6b989eea2332d87af0e
Opcode Fuzzy Hash: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction Fuzzy Hash: 285117A6B244B147DA109F2AD8816BC77D0E346B43FD48476D65882F91C22DD51ADF30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725813340 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093c0c678c141f69f859ee4ef7a97c1dc76639bf51f05c946f3d20ac964eea79
Instruction ID: c8182bb51b9872a6ac867f3661d91dd510a7fd4b2a555937be762aa956424e21
Opcode Fuzzy Hash: 093c0c678c141f69f859ee4ef7a97c1dc76639bf51f05c946f3d20ac964eea79
Instruction Fuzzy Hash: 9241E321A1D35982ED22A923594017DE652EFBAF80F98D732ED4C23B84DF78F4918B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725836050 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction ID: 5fde2e12a29efb3e057783fb8cb6f8f36104f1d6776de7066628519585306cf1
Opcode Fuzzy Hash: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction Fuzzy Hash: C041A433B1154087E78CCE3EC812AAE33A2F398704F95C23DEA0A83385DA399915CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7257F2D70 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091be399d95281020affa886c1377be96a6907edf27ad6ee2b04243e67ba980f
Instruction ID: 9e6c1e2561c8a52542e5cf9526fe7db943f1ac497e96affd8b23ecc437e46e9f
Opcode Fuzzy Hash: 091be399d95281020affa886c1377be96a6907edf27ad6ee2b04243e67ba980f
Instruction Fuzzy Hash: 1C313637774A5643EB48CA34ED22B7866D1E359700FC9A139EE5AC66C2DB2CC0108B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725836EC0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26d8b1ed958d255f5b50142b9c7250c8a25a72d51ba9b926ad44f182f9a5740
Instruction ID: 27494bbbfdac9d2333be27a37eb1e55fe3b43e6f931a6aa3069775592c99debc
Opcode Fuzzy Hash: f26d8b1ed958d255f5b50142b9c7250c8a25a72d51ba9b926ad44f182f9a5740
Instruction Fuzzy Hash: 52A00121918812F4E644AF46EC55024A321FB50B01B940831D45D520A0AEFDA428CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7257F7420 Relevance: 34.8, APIs: 23, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F7470
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F7513
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F7545
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F7577
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F75B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F75E2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F763E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F7670
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F76A2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F76D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F7706
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F7738
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F776A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F77A8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F77DA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F780C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F783E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F7882
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F78C0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F78F2
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7257F7914
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7257F7922
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F7954

Part of subcall function 00007FF725810730: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF72581076D
Part of subcall function 00007FF725810730: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF72581078E
Part of subcall function 00007FF725810730: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF7258107DA
Part of subcall function 00007FF725810730: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF72581080A
Part of subcall function 00007FF725810730: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF72581082F
Part of subcall function 00007FF725810730: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF725810851
Part of subcall function 00007FF725810730: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF725810873

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: free$__acrt_iob_funcfclose
String ID:
API String ID: 3697265371-0
Opcode ID: 43ec6e63a853d254b7b4aff2c9c062fccf9c698fb2bc5de468a399685ae43d26
Instruction ID: e224f6c3308458a7c9b07e6eef6c1e5ba70744052d05ec1ae35bff3c01795d12
Opcode Fuzzy Hash: 43ec6e63a853d254b7b4aff2c9c062fccf9c698fb2bc5de468a399685ae43d26
Instruction Fuzzy Hash: D1E1B435B4AB819AEA59EF61E9506B9B3A4FF48F80F881135DA5D43350CF78B470CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725804E00 Relevance: 29.0, APIs: 23, Instructions: 240COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804E2B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804E50
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804E75
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804E9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804EBF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804EF1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804F16
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804F3B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804F6D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804F92
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804FC4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804FE9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580500E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725805088
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7258050AD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7258050D2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7258050F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580511C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725805141
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725805166
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580518B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7258051B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7258051D5

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 19660c5b489cd096f097490d703b0e605f09ba65900ec6d3a909f0ef045690e4
Instruction ID: 56942e867eaaabb6ef96cb1e9b58111cbbf660b7ce6394e8944dd95823f31337
Opcode Fuzzy Hash: 19660c5b489cd096f097490d703b0e605f09ba65900ec6d3a909f0ef045690e4
Instruction Fuzzy Hash: E2B1E431A0B64289FF55AF61DC50AB9A2E4FF45F81F885439DD0D472A0CFADA924CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725833350 Relevance: 18.2, APIs: 12, Instructions: 168windowkeyboardCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF72583339D
TranslateMessage.USER32 ref: 00007FF7258333AE
DispatchMessageW.USER32 ref: 00007FF7258333BB
GetForegroundWindow.USER32 ref: 00007FF7258333C1
GetWindow.USER32 ref: 00007FF7258333DB
SetWindowPos.USER32 ref: 00007FF72583340C
GetClientRect.USER32 ref: 00007FF72583342F
ClientToScreen.USER32 ref: 00007FF725833441
GetCursorPos.USER32 ref: 00007FF72583347C
GetAsyncKeyState.USER32 ref: 00007FF7258334B5
SetWindowPos.USER32 ref: 00007FF72583359C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725833680

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: Window$Message$Client$AsyncCursorDispatchForegroundPeekRectScreenStateTranslatefree
String ID:
API String ID: 1463819654-0
Opcode ID: a56c3874527efeb2de7a250c9825dd2426064401e171e679e3a9e71128564070
Instruction ID: 262d612f29f1f62a381351021040c3dd024ab1c3afab0974e253985b8694c3d4
Opcode Fuzzy Hash: a56c3874527efeb2de7a250c9825dd2426064401e171e679e3a9e71128564070
Instruction Fuzzy Hash: 43A11331A1AA4296EB51AF35EC40179B7E0FF99F84F884235D94D43664DFBDA4A0CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725810ED0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7257F2ED0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F2FA1

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF725810F29
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF725810F3A
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF725810F55
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725810F78
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF725810F98
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF725810FA6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725810FC1
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF725810FEE
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7258111A7

Strings

%s, %.0fpx, xrefs: 00007FF7258110EF

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: fclose$fseekmalloc$freadfreeftell
String ID: %s, %.0fpx
API String ID: 3453272378-112515932
Opcode ID: 9ca4947cfa8ba13f6af44724934afc32011fd36ca3fa7351e5989f059c92cda5
Instruction ID: a8157f03e252b86bed4b908062212a8fe689840693e5c8732f86f9e48f5e4f01
Opcode Fuzzy Hash: 9ca4947cfa8ba13f6af44724934afc32011fd36ca3fa7351e5989f059c92cda5
Instruction Fuzzy Hash: 8991C521D08AC085F7129F69AC012F9B3B4FF98B59F44A324EF8913664EF79D295CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258336B0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 119threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF7258336CF
Direct3DCreate9Ex.D3D9 ref: 00007FF7258336DF
QueryPerformanceFrequency.KERNEL32 ref: 00007FF7258337B8
QueryPerformanceCounter.KERNEL32 ref: 00007FF7258337CD
CreateThread.KERNEL32 ref: 00007FF7258338FF
UnregisterClassW.USER32 ref: 00007FF72583393A

Strings

imgui_impl_dx9, xrefs: 00007FF7258338C6
Private Script, xrefs: 00007FF725833933
imgui_impl_win32, xrefs: 00007FF7258337E2
, xrefs: 00007FF72583378E

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: CreatePerformanceQueryThread$ClassCounterCreate9Direct3FrequencyUnregister
String ID: $Private Script$imgui_impl_dx9$imgui_impl_win32
API String ID: 1602193124-1029701554
Opcode ID: f4c6d41233951808160fe26b78f58b500ef76acde7880c0ae152761ad606fa5f
Instruction ID: 673fe7234fc9b71a7793bcd6d71b9e0c244e022c798066cbca9c384b25db8773
Opcode Fuzzy Hash: f4c6d41233951808160fe26b78f58b500ef76acde7880c0ae152761ad606fa5f
Instruction Fuzzy Hash: DE71B471A09B4296E750AF61ED44269BBE0FB88F84F858135CA4D47764DFBDA068CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72582E3D0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 433sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF725810ED0: fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF725810F29
Part of subcall function 00007FF725810ED0: ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF725810F3A
Part of subcall function 00007FF725810ED0: fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF725810F55
Part of subcall function 00007FF725810ED0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725810F78
Part of subcall function 00007FF725810ED0: fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF725810F98
Part of subcall function 00007FF725810ED0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF725810FA6
Part of subcall function 00007FF725810ED0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725810FC1

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72582E4AE
Sleep.KERNEL32 ref: 00007FF72582E61A
Sleep.KERNEL32 ref: 00007FF72582E6EA

Part of subcall function 00007FF725835010: IsWindow.USER32 ref: 00007FF72583502E
Part of subcall function 00007FF725835010: exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72583503B
Part of subcall function 00007FF725835010: DeviceIoControl.KERNEL32 ref: 00007FF7258350A8

IsWindow.USER32 ref: 00007FF72582E948
DeviceIoControl.KERNEL32 ref: 00007FF72582E9B8
Sleep.KERNEL32 ref: 00007FF72582EC1C
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72582EC2C

Strings

C:\Windows\Fonts\tahoma.ttf , xrefs: 00007FF72582E417

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: Sleep$ControlDeviceWindowexitfseekmalloc$fclosefreadfreeftell
String ID: C:\Windows\Fonts\tahoma.ttf
API String ID: 1017462924-1519395923
Opcode ID: c7fec5a8a563a6466874f5cc60e09391b11d4392dd0a5c4f19accd3ad67db567
Instruction ID: 1a76d32e116a822e12caa426cafcc9d927ab7e9ac7e01a557eb1bfdc0dd9690b
Opcode Fuzzy Hash: c7fec5a8a563a6466874f5cc60e09391b11d4392dd0a5c4f19accd3ad67db567
Instruction Fuzzy Hash: 85227031A09B8286E711EF65EC503B9B7E0FF48B48F844635DA4D577A5DFBCA1608B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725833150 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 37sleepCOMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 00007FF72583318C
GetWindowRect.USER32 ref: 00007FF7258331AA
GetWindowLongW.USER32 ref: 00007FF7258331B8
MoveWindow.USER32 ref: 00007FF7258331EB
Sleep.KERNEL32 ref: 00007FF7258331F6

Strings

LM, xrefs: 00007FF725833168
2$*(, xrefs: 00007FF725833180
:($?, xrefs: 00007FF725833160

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: Window$FindLongMoveRectSleep
String ID: 2$*($:($?$LM
API String ID: 2523682760-3119022787
Opcode ID: 2f22dbca51cf78f6df468f2e333d91f5735e6a1a29b4bc314ff1357fd56a9cc4
Instruction ID: d92e8345cc3813fcfe2df7829dcbc66e1de472e1dc96a3461fb56ec6141faa4a
Opcode Fuzzy Hash: 2f22dbca51cf78f6df468f2e333d91f5735e6a1a29b4bc314ff1357fd56a9cc4
Instruction Fuzzy Hash: 5A119A31A2974086E750EF20E94012AB761FB89B40F945238EE4A07AA8DFBCE460CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7257F30A0 Relevance: 13.6, APIs: 9, Instructions: 76COMMON

Download Yara Rule

APIs

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7257F30EB
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7257F30FC
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7257F3116
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F3138
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7257F3154
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7257F3162
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F317D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7257F3185
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7257F319B

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: fclose$fseek$freadfreeftellmalloc
String ID:
API String ID: 3246642831-0
Opcode ID: 3d3d642e99e549a710537ff65f137bae60e13888980c79d0a0497c08e71d4a2a
Instruction ID: 2eb0b5526a91c5c7db552c7cc94e2025fb4c6675a192f9b1b86bc839a57e6370
Opcode Fuzzy Hash: 3d3d642e99e549a710537ff65f137bae60e13888980c79d0a0497c08e71d4a2a
Instruction Fuzzy Hash: BB314F21B6AB4291FA54FF26AC44279A3A4EF48FD0FC81034DE0E43795DE7CE4958B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725835EC0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,?,00007FF725834A17,?,?,?,?,?,?,?,?,00007FF7257F112F), ref: 00007FF725835FA8
memmove.VCRUNTIME140(00000000,?,?,00007FF725834A17,?,?,?,?,?,?,?,?,00007FF7257F112F), ref: 00007FF725835FB7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FF725834A17,?,?,?,?,?,?,?,?,00007FF7257F112F), ref: 00007FF725835FEB
memmove.VCRUNTIME140(?,?,00007FF725834A17,?,?,?,?,?,?,?,?,00007FF7257F112F), ref: 00007FF725835FF2
memmove.VCRUNTIME140(?,?,00007FF725834A17,?,?,?,?,?,?,?,?,00007FF7257F112F), ref: 00007FF725836001
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF72583602A

Strings

C:\PrivateScript\, xrefs: 00007FF725835F89

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: C:\PrivateScript\
API String ID: 2016347663-2017767010
Opcode ID: edb98895bafe28664e16e0ca35aa64053a06fc17c9fca28eaf6cc120599b75e8
Instruction ID: 078c3040af13eb3e6354e90444495497fa44e244232bd68486acd5424e493cc0
Opcode Fuzzy Hash: edb98895bafe28664e16e0ca35aa64053a06fc17c9fca28eaf6cc120599b75e8
Instruction Fuzzy Hash: D541A062B08A82A5EA10BF16D9442A8E3A5EB04FD0FD44631DE5D0B7D5DFFCE960C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72580D080 Relevance: 11.4, APIs: 9, Instructions: 130COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7257F182E), ref: 00007FF72580D0B1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7257F182E), ref: 00007FF72580D0DA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7257F182E), ref: 00007FF72580D103
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7257F182E), ref: 00007FF72580D138
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7257F182E), ref: 00007FF72580D161
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7257F182E), ref: 00007FF72580D190
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580D214
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580D247
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580D29C

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4dd49a6edfcdd14641959296d4c90662a24f7a3e0b280b9e12673426ac5c1a2d
Instruction ID: 247713598b7207362145608f8f3ec49e8edf23095fa4fab1709b3f12f995d250
Opcode Fuzzy Hash: 4dd49a6edfcdd14641959296d4c90662a24f7a3e0b280b9e12673426ac5c1a2d
Instruction Fuzzy Hash: 75513736A0AB4186EB45AF61E840279B3E4FF48F84F885935CE4D07754DFB9E4A1CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258345E0 Relevance: 10.7, APIs: 7, Instructions: 196COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF72582B9A4), ref: 00007FF7258346A9
memmove.VCRUNTIME140(?,?,?,00007FF72582B9A4), ref: 00007FF7258346CF
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7258346F3
memmove.VCRUNTIME140(?,?,?,?,?,?,?,00007FF72582B9A4), ref: 00007FF725834737
memmove.VCRUNTIME140(?,?,?,?,?,?,?,00007FF72582B9A4), ref: 00007FF7258347F3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF72582B9A4), ref: 00007FF72583484E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF72583485B

Part of subcall function 00007FF725836874: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F1094), ref: 00007FF72583688E

Part of subcall function 00007FF725836874: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7258368A4
Part of subcall function 00007FF725836874: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7258368AA

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task$memmove$_invalid_parameter_noinfo_noreturn$malloc
String ID:
API String ID: 2127020159-0
Opcode ID: 6938d0d352403924ae09eea454a35fc79d0112454c1ea2bf79053e00af08e7f5
Instruction ID: 4127664d52f322423b624b33d3e230bd1ccbc463b4a1a476fe51a20ac01dd486
Opcode Fuzzy Hash: 6938d0d352403924ae09eea454a35fc79d0112454c1ea2bf79053e00af08e7f5
Instruction Fuzzy Hash: 9B610322B09B86A1FA14FF11D944378A691EB04FD4FA44631DA6D07BE5EFBCE4A1C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258035D0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580361E
memmove.VCRUNTIME140 ref: 00007FF725803634
memchr.VCRUNTIME140 ref: 00007FF7258036D5
memchr.VCRUNTIME140 ref: 00007FF7258036F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7258037DE

Strings

], xrefs: 00007FF7258036B2
Window, xrefs: 00007FF72580370A

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memchr$freemallocmemmove
String ID: Window$]
API String ID: 3276875001-2892678728
Opcode ID: 36a43f774c389e1964aeb66b70d05709343e8fc554d0b0892a314921ea69cd3a
Instruction ID: 67ce2d61df043a338b0576271fed28e055979625d64fb4cdfb0190be29ede33a
Opcode Fuzzy Hash: 36a43f774c389e1964aeb66b70d05709343e8fc554d0b0892a314921ea69cd3a
Instruction Fuzzy Hash: 4451EF65B2D68685EB21AF1699042BAE7D1EF45FD0FC84132DE5D07784DFACE412CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725835340 Relevance: 10.6, APIs: 7, Instructions: 130COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF72583402A), ref: 00007FF7258353A7
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF72583402A), ref: 00007FF725835414
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF72583402A), ref: 00007FF72583543D
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF72583402A), ref: 00007FF72583546F
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF72583402A), ref: 00007FF7258354B3
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF72583402A), ref: 00007FF7258354BA
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF72583402A), ref: 00007FF7258354C7

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 2331969452-0
Opcode ID: 28e860d9f5d491b4904d64f60eec2e330c5eb6688bafd401299a477ee1dda245
Instruction ID: 7ff10bcedc1cf03ca78890ae5c004f514ada25d71700c749154b159a895ae723
Opcode Fuzzy Hash: 28e860d9f5d491b4904d64f60eec2e330c5eb6688bafd401299a477ee1dda245
Instruction Fuzzy Hash: F9518172608A4196EF209F1AE89023DE7A0FB85F96F558531CE4E477A0CFBDD856CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725810C50 Relevance: 10.2, APIs: 8, Instructions: 161COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725810C88
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725810D3C
memmove.VCRUNTIME140 ref: 00007FF725810D5C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725810D7C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725810E4A
memmove.VCRUNTIME140 ref: 00007FF725810E61
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725810E88
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725810EA9

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$memmove
String ID:
API String ID: 3069178222-0
Opcode ID: a01212a12e93b461892dcbc4a2c47a001e8e9eb5ae372f1af2016ce4d73f44e4
Instruction ID: 12230427222ad3aa9317a6f272efed515e0c49e0f7666a218ed21b5b22d052ac
Opcode Fuzzy Hash: a01212a12e93b461892dcbc4a2c47a001e8e9eb5ae372f1af2016ce4d73f44e4
Instruction Fuzzy Hash: 78717E32A05B4586EB159F25E940278B3A4FB48F84F88A239CF8D57351DFB8F4A1CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258245A0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF725824748
memmove.VCRUNTIME140 ref: 00007FF725824869

Strings

Alpha Bar, xrefs: 00007FF72582490C
##dummypicker, xrefs: 00007FF725824758, 00007FF725824879
##selectable, xrefs: 00007FF72582469E, 00007FF725824798
context, xrefs: 00007FF7258245CD

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memmove
String ID: ##dummypicker$##selectable$Alpha Bar$context
API String ID: 2162964266-2275185138
Opcode ID: dbf433d62967385d54af551ace85a84a12f5211c27b7b76b9de4335464779db7
Instruction ID: a009768c2bca0fada8f5f7dba9102b2dfd8b542d6514d2349f447a7ad0cdd379
Opcode Fuzzy Hash: dbf433d62967385d54af551ace85a84a12f5211c27b7b76b9de4335464779db7
Instruction Fuzzy Hash: 20A1D732A196C586E750EF26D8413E9B7A0FB89F44F898235DE4C572A1CF79D055CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72582BA20 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72582BAB7
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72582BAC3
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72582BAD4
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72582BAE5
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72582BAF2
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72582BB07

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: cosfsinf
String ID:
API String ID: 3160392742-0
Opcode ID: e87c462fb1772389619be87597759744536cc58cddb125c380d88cf1605a5b41
Instruction ID: 8d428975f2f64554545bcfecb4fcdb345316164744e1b9458e21a42e611bb3ce
Opcode Fuzzy Hash: e87c462fb1772389619be87597759744536cc58cddb125c380d88cf1605a5b41
Instruction Fuzzy Hash: 2D61C512D297CC45E213AB3B64421F8F350AFBE255F5DDB23F94431672EB6931D19A10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725835500 Relevance: 9.1, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,00000000,7FFFFFFFFFFFFFFF,?,00007FF725834202,?,?,?,?,?,00007FF725829BA2), ref: 00007FF725835628
memmove.VCRUNTIME140(?,00000000,7FFFFFFFFFFFFFFF,?,00007FF725834202,?,?,?,?,?,00007FF725829BA2), ref: 00007FF725835636
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,7FFFFFFFFFFFFFFF,?,00007FF725834202,?,?,?,?,?,00007FF725829BA2), ref: 00007FF725835674
memmove.VCRUNTIME140(?,00000000,7FFFFFFFFFFFFFFF,?,00007FF725834202,?,?,?,?,?,00007FF725829BA2), ref: 00007FF72583567E
memmove.VCRUNTIME140(?,00000000,7FFFFFFFFFFFFFFF,?,00007FF725834202,?,?,?,?,?,00007FF725829BA2), ref: 00007FF72583568C

Part of subcall function 00007FF725836874: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F1094), ref: 00007FF72583688E

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7258356C2

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: d1d6e56a386061e3a1846aa7b6f356b59ebc27dedbae6fc0a0a23eab99130c08
Instruction ID: 0449c2c9634a6474d4c3e63573b04fd36b277200835a68daf9e018241e7af489
Opcode Fuzzy Hash: d1d6e56a386061e3a1846aa7b6f356b59ebc27dedbae6fc0a0a23eab99130c08
Instruction Fuzzy Hash: F541B061B09A81A1EA10AF16A9441ADA3A2EB04FF0F940731DE7D47BD5EFBCE461C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725803A90 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 130stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 00007FF725803C07

Strings

###, xrefs: 00007FF725803BFD
Collapsed=%d, xrefs: 00007FF725803C6A
[%s][%s], xrefs: 00007FF725803C11
Size=%d,%d, xrefs: 00007FF725803C4E
Pos=%d,%d, xrefs: 00007FF725803C31

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: strstr
String ID: ###$Collapsed=%d$Pos=%d,%d$Size=%d,%d$[%s][%s]
API String ID: 1392478783-2972057365
Opcode ID: a96fffceb183e2ab814f49bf69236778a3983fbab84bfe7730877a63bb0d1e9b
Instruction ID: 4914038cd60790dba51ba7579b1c7f97c67a704bae3d88cb5a32b760d3e52e88
Opcode Fuzzy Hash: a96fffceb183e2ab814f49bf69236778a3983fbab84bfe7730877a63bb0d1e9b
Instruction Fuzzy Hash: 8A51C232A28A9296EB15EF1198454B8B7A0FB88F84F858136DE4D07794DF7CE461CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725810730 Relevance: 8.8, APIs: 7, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7258108A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF725810752,?,?,?,00007FF7257F745B), ref: 00007FF7258108F6
Part of subcall function 00007FF7258108A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF725810752,?,?,?,00007FF7257F745B), ref: 00007FF725810999
Part of subcall function 00007FF7258108A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF725810752,?,?,?,00007FF7257F745B), ref: 00007FF7258109C2

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF72581076D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF72581078E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF7258107DA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF72581080A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF72581082F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF725810851
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F745B), ref: 00007FF725810873

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e9eac0b18ffbd57bdd49c075846d1cfaa7fe4c0867a31a70b911318509141c36
Instruction ID: 260e11a8790f9b9eb0fbcaf8b9716fea401ff146465f0a149b9a49047c09442c
Opcode Fuzzy Hash: e9eac0b18ffbd57bdd49c075846d1cfaa7fe4c0867a31a70b911318509141c36
Instruction Fuzzy Hash: F0411631A0A641C6EA55AF51EC50239B3A4FF48F80F88A439DE4D13754CFBDE461CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725837FB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72583800D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72583807D

Strings

8653421970, xrefs: 00007FF725837FC1
gtnmklafghc, xrefs: 00007FF725838031
Mar 27 2024, xrefs: 00007FF725838094

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: 8653421970$Mar 27 2024$gtnmklafghc
API String ID: 3668304517-1909873347
Opcode ID: c0d225b0fb7652a1e91058801a40812ceff8308adfcacf505b6972bd11a21737
Instruction ID: b1b2d94426348c0c5e28d7c93fd1df807e12458d0d4b388a3be2f554e91e8e9c
Opcode Fuzzy Hash: c0d225b0fb7652a1e91058801a40812ceff8308adfcacf505b6972bd11a21737
Instruction Fuzzy Hash: A41160A1E1A58690EA04BF29EC5437CA361EF45F84FC00131D58C06562EFFE65B48F24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7257F1820 Relevance: 8.8, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72580D080: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7257F182E), ref: 00007FF72580D0B1
Part of subcall function 00007FF72580D080: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7257F182E), ref: 00007FF72580D0DA
Part of subcall function 00007FF72580D080: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7257F182E), ref: 00007FF72580D103
Part of subcall function 00007FF72580D080: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7257F182E), ref: 00007FF72580D138
Part of subcall function 00007FF72580D080: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7257F182E), ref: 00007FF72580D161
Part of subcall function 00007FF72580D080: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7257F182E), ref: 00007FF72580D190
Part of subcall function 00007FF72580D080: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580D214

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F184D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F1872
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F1894
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F18B6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F18D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F18FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F191C

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9cf4df31f3cf7e12b30510dffd57f4ba4a6e9bf9f85409581bd15c4f8d6470ee
Instruction ID: 35e6a369134d802e9d14d5068c8b7c092641c7dd6c6853010fb27388ca88fdc3
Opcode Fuzzy Hash: 9cf4df31f3cf7e12b30510dffd57f4ba4a6e9bf9f85409581bd15c4f8d6470ee
Instruction Fuzzy Hash: 4F311820A0B64289FE55EF62EC50675A3A4FF49F90FC85039C80D033A0CFADA954CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725823760 Relevance: 7.9, APIs: 2, Strings: 3, Instructions: 371stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF725823D2B
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF725823D9E

Part of subcall function 00007FF7258046F0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804748
Part of subcall function 00007FF7258046F0: memmove.VCRUNTIME140 ref: 00007FF725804760
Part of subcall function 00007FF7258046F0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725804780

Strings

_COL3F, xrefs: 00007FF725823D1D
Color, xrefs: 00007FF725823E21
_COL4F, xrefs: 00007FF725823D90

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: strncpy$freemallocmemmove
String ID: Color$_COL3F$_COL4F
API String ID: 1522325491-432181853
Opcode ID: a9fc3b4aca7670a6152800f58cb9b245c5d8b8e4e0d9987ec1c6e5bcd2afad4b
Instruction ID: 13e40e88ac63cd9983fcab4b45b3a659ccd40acdb949515fa0bd683f3bd9c2a6
Opcode Fuzzy Hash: a9fc3b4aca7670a6152800f58cb9b245c5d8b8e4e0d9987ec1c6e5bcd2afad4b
Instruction Fuzzy Hash: 0E12D332D18AC986E311DF3698412FAF760EFA9784F449332EA88565A5DF78E094DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7257F19D0 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 358COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7257F2620: memset.VCRUNTIME140(?,?,?,00007FF7257F1A09), ref: 00007FF7257F26BF
Part of subcall function 00007FF7257F2620: memset.VCRUNTIME140(?,?,?,00007FF7257F1A09), ref: 00007FF7257F270F

memset.VCRUNTIME140 ref: 00007FF7257F1E8E

Part of subcall function 00007FF725812D70: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812DA0
Part of subcall function 00007FF725812D70: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812DC9
Part of subcall function 00007FF725812D70: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725812DF2

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F1F6A
memset.VCRUNTIME140 ref: 00007FF7257F224D
memset.VCRUNTIME140 ref: 00007FF7257F227D

Strings

##Overlay, xrefs: 00007FF7257F216A

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memset$free$malloc
String ID: ##Overlay
API String ID: 1393892039-3248624929
Opcode ID: 3da823ba7cc932c641245592aaa1ca3649de3811267b230c418dc4b70a743042
Instruction ID: b0d095f6d3ffe225eb2c064b66be88b34dd4cd6b964fee00ff554d3e34de1e42
Opcode Fuzzy Hash: 3da823ba7cc932c641245592aaa1ca3649de3811267b230c418dc4b70a743042
Instruction Fuzzy Hash: D132D572505BC189D310DF29E8445C87BE9F745F68FAC433AEAA40B398DF74A461CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725804C50 Relevance: 7.6, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F74E0), ref: 00007FF725804C8B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F74E0), ref: 00007FF725804CCF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F74E0), ref: 00007FF725804D0B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F74E0), ref: 00007FF725804D30
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F74E0), ref: 00007FF725804D55
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7257F74E0), ref: 00007FF725804D7E

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 235f98bb549ca0a3c5d7200139b36820fb87847903ebce0eedb6b01f229909e5
Instruction ID: b1444f19c4b7fa6025ccba1bf7badb5ee7fbd5a26429e0eef4c90c62d578f088
Opcode Fuzzy Hash: 235f98bb549ca0a3c5d7200139b36820fb87847903ebce0eedb6b01f229909e5
Instruction Fuzzy Hash: 50311831A4B64186EE95AF52E850279A3A4FF88F80F885435DD0D433A4CFBDE961CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72582BCF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF725834DE0: IsWindow.USER32 ref: 00007FF725834E0E
Part of subcall function 00007FF725834DE0: exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725834E1B
Part of subcall function 00007FF725834DE0: DeviceIoControl.KERNEL32 ref: 00007FF725834E83

IsWindow.USER32 ref: 00007FF72582BD7C
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72582BD89
DeviceIoControl.KERNEL32 ref: 00007FF72582BDF0

Strings

0, xrefs: 00007FF72582BDB1

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: ControlDeviceWindowexit
String ID: 0
API String ID: 767674996-4108050209
Opcode ID: 21c54c9de52530badc731f4db1b74821d7298d96c69e7c935026dba2ee18bb3f
Instruction ID: b047a7360a7d29ae70c5e50fd44455507dbddfde7b7ceb94176af7276d035d65
Opcode Fuzzy Hash: 21c54c9de52530badc731f4db1b74821d7298d96c69e7c935026dba2ee18bb3f
Instruction Fuzzy Hash: 7F513E22918BC586E7019F78E9411E9B7B0FFA8748F04A325EB8C13626EF74E6D5C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725834DE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00007FF725834E0E
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725834E1B
DeviceIoControl.KERNEL32 ref: 00007FF725834E83

Strings

0, xrefs: 00007FF725834E76

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: ControlDeviceWindowexit
String ID: 0
API String ID: 767674996-4108050209
Opcode ID: 7c87e550739d189e2264dc05cd52a6de62360eda03a5b097619e68091e6de3cd
Instruction ID: c15ec0732528185778c491427d60732499807b6d0c2f5e04b953f554f99c49a6
Opcode Fuzzy Hash: 7c87e550739d189e2264dc05cd52a6de62360eda03a5b097619e68091e6de3cd
Instruction Fuzzy Hash: EB210E3291DB8482D711DF25F940369B7A0FB99B94F545229EBCC43A25DF78E1E4CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725804040 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00007FF72580406E
ImmSetCompositionWindow.IMM32 ref: 00007FF725804094
ImmReleaseContext.IMM32 ref: 00007FF7258040A0

Strings

, xrefs: 00007FF72580408C

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: Context$CompositionReleaseWindow
String ID:
API String ID: 244372355-3916222277
Opcode ID: 2755660fbc6d1d6f6bb6a8f0b2e933e89d72c006eda80e84d0a862eedb3f2575
Instruction ID: a13bdedef8d656c33ba975643eb9fc517cf71a4a5d3d4b545d8f2a68f9b7a3ad
Opcode Fuzzy Hash: 2755660fbc6d1d6f6bb6a8f0b2e933e89d72c006eda80e84d0a862eedb3f2575
Instruction Fuzzy Hash: 66F0FB76A09B4186DA50AF06B94416AF7A0FB88FD0F4C0575EE8D03B18DFBCD5648B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725837AC0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 00007FF725837AF5
__current_exception_context.VCRUNTIME140 ref: 00007FF725837B09
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF725837B11

Strings

csm, xrefs: 00007FF725837AE1

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 48c6614e9414d6450eed7e58c8f94c090f7f682faa98693d8b2e6b0d344e0b21
Instruction ID: 2387ab93b6f94a2fdf69398a4d64c43c62fe0e0e7402a73eff7f2e0859823362
Opcode Fuzzy Hash: 48c6614e9414d6450eed7e58c8f94c090f7f682faa98693d8b2e6b0d344e0b21
Instruction Fuzzy Hash: F0F01737609B45CAD715AF21EC805AC3374F74CB88B895135FA4E87755CF78D9A08B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725815AD0 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 361COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF725815C43
memchr.VCRUNTIME140 ref: 00007FF725815D02
memchr.VCRUNTIME140 ref: 00007FF725815DFE

Strings

..., xrefs: 00007FF725815AD3

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memchr
String ID: ...
API String ID: 3297308162-440645147
Opcode ID: 2e70a7bbbedc58492fabde33a40111deef45b0c5c6e980140d5333ec8b4f81c9
Instruction ID: c192632a566e108305dbf5b687a1915b5dd0d33f6e7596f965fdca3c1e60d2d1
Opcode Fuzzy Hash: 2e70a7bbbedc58492fabde33a40111deef45b0c5c6e980140d5333ec8b4f81c9
Instruction Fuzzy Hash: BF02E732D04BC985E252AF3694412F9F390EF6DB84F58D732EE88365A2DF74A5918F10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725803440 Relevance: 6.3, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7258034C2
memmove.VCRUNTIME140 ref: 00007FF7258034E5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725803508
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580358C
memmove.VCRUNTIME140 ref: 00007FF72580359C

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: mallocmemmove$free
String ID:
API String ID: 4023028716-0
Opcode ID: d285b11d3e60afd22528784e3b2e48b8c577cde26f2d8c3f813b462d0fe2696d
Instruction ID: a98a9c5a30c0ef37223ddf4843b7a636774e733daba5de7df5c4610c1d2f6915
Opcode Fuzzy Hash: d285b11d3e60afd22528784e3b2e48b8c577cde26f2d8c3f813b462d0fe2696d
Instruction Fuzzy Hash: 9C41D432A19B8286DB50DF25E8401B8B3A0FB88F95F984136DE4D87395DFBCE450CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7257F5390 Relevance: 6.3, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F53B7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F53DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F5401
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F5426
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7257F544B

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1e589f064deab7ac9202539d0ac458520ceb654adc399a32657c1ccef59d91b7
Instruction ID: a0bae26d14e6314e322c519e9a8acff3bebd3851047255ae0012b289efac0714
Opcode Fuzzy Hash: 1e589f064deab7ac9202539d0ac458520ceb654adc399a32657c1ccef59d91b7
Instruction Fuzzy Hash: B3110721A4B64289FE65AF65EC50778A2A4FF48F81F885439CD0D173A0CFADA915CB30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258189D0 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 274COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF725818E00

Strings

--------------------------------, xrefs: 00007FF725818D71
%*s%.*s, xrefs: 00007FF725818E51
%.*s, xrefs: 00007FF725818E2C

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memchr
String ID: %*s%.*s$ %.*s$--------------------------------
API String ID: 3297308162-2326682469
Opcode ID: 69a9e6b4a3605c8d2613ee8575e227afdc2b909768a0bb065499ee4a2f011fe4
Instruction ID: bf60420699da940068cafe3c805259531d5d81899ea2a154b549fd384b5e5585
Opcode Fuzzy Hash: 69a9e6b4a3605c8d2613ee8575e227afdc2b909768a0bb065499ee4a2f011fe4
Instruction Fuzzy Hash: A7E10532A04A8685E751DF35D8053F8B3A0FF69B98F899332DE4C27295DF78A095CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725827710 Relevance: 6.3, APIs: 4, Instructions: 256COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7258278AC
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7258279DE
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725827A09
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725827A4D

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 7e3667c006b786619326fa28bd4575b9f9dc849fb53dd47ae7159d56618c8c65
Instruction ID: b7429691b0cd8f731e729e9439395a61187faa0d78316db50cbf8d0af506a6d7
Opcode Fuzzy Hash: 7e3667c006b786619326fa28bd4575b9f9dc849fb53dd47ae7159d56618c8c65
Instruction Fuzzy Hash: CAB13C32E186C946E722BE3788411B9F790EF59B44F499732DD49F21A1DFB87590CE20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725828960 Relevance: 6.3, APIs: 4, Instructions: 253COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725828B0F
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725828C39
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725828C63
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF725828CA2

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: aad5436f182b33bfa7bcaed47e6ee7c03bf8bfe89bade9873feb061160b71d4b
Instruction ID: a0f3e2d0739e2264f220322d47580abd6f866e84066c625c98df4d8dbdad8abe
Opcode Fuzzy Hash: aad5436f182b33bfa7bcaed47e6ee7c03bf8bfe89bade9873feb061160b71d4b
Instruction Fuzzy Hash: EEC11A22D087CD46FB62BE3648012B9F750EF6DB54F4C8732ED48B61A1DFA875958D20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72580B370 Relevance: 6.2, APIs: 4, Instructions: 153COMMON

Download Yara Rule

APIs

floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580B4AD
floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF72580B4C9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580B5C3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580B5DE

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: floorffree
String ID:
API String ID: 3454259225-0
Opcode ID: a2597b17afbbbc8f1061583e7a3378dfaba5c0ff2765dc5a4381bd46670caea4
Instruction ID: 4ce91ba44dfd1271898cc0d853eab53835ca68ce667780e68216ebd8c1a80e96
Opcode Fuzzy Hash: a2597b17afbbbc8f1061583e7a3378dfaba5c0ff2765dc5a4381bd46670caea4
Instruction Fuzzy Hash: 66719332908BC486D6619F22A4403EAF7A4FF99B81F544225EE8823765DF7CE560CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7257F2620 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FF7257F1A09), ref: 00007FF7257F26BF
memset.VCRUNTIME140(?,?,?,00007FF7257F1A09), ref: 00007FF7257F270F

Strings

imgui_log.txt, xrefs: 00007FF7257F274D
imgui.ini, xrefs: 00007FF7257F2742

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memset
String ID: imgui.ini$imgui_log.txt
API String ID: 2221118986-3179804127
Opcode ID: 601d6870312cc3118d53c3604b0d7f90176c3be372efbc744b09003940824b54
Instruction ID: e3761480dca1ccf015d96e7193258f8eea134e0f4269fdcb48280ef26822960b
Opcode Fuzzy Hash: 601d6870312cc3118d53c3604b0d7f90176c3be372efbc744b09003940824b54
Instruction Fuzzy Hash: 87A1D8B2405BC18AC750EF3899603D977A4F765B28F684339DBB80F2E9DB314199CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725825190 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF725825269
memmove.VCRUNTIME140 ref: 00007FF72582528C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7258252AF

Strings

, xrefs: 00007FF7258252F3

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemmove
String ID:
API String ID: 2537350866-3916222277
Opcode ID: 62424ea3d4816debadbad0c1619d99ba518c3be65a5d34ad0d1c8a69992f2c6f
Instruction ID: a38f9f4afdce48fc8dd4ec6b95da453899ee3525e14d8ef9c5b570c1a919ba9b
Opcode Fuzzy Hash: 62424ea3d4816debadbad0c1619d99ba518c3be65a5d34ad0d1c8a69992f2c6f
Instruction Fuzzy Hash: DC61C073A157818BD700DF26D8800BCB7A0FB88B88F495235EE5957699DF78E891CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725834460 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,00000018,00007FF72582B169,?,?,?,?,?,00007FF7257F1189), ref: 00007FF7258344C6
memset.VCRUNTIME140(?,?,00000018,00007FF72582B169,?,?,?,?,?,00007FF7257F1189), ref: 00007FF725834565
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF72583458C

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memset$Concurrency::cancel_current_task
String ID:
API String ID: 3006004123-0
Opcode ID: aa756f49405c172095da7c7e257afb4e5fce8982574c07d6fcab2819975981d0
Instruction ID: 0758c6e35ad3830fa5f35800a2413dd19c50995a4d5c88085e1a849d2580ed64
Opcode Fuzzy Hash: aa756f49405c172095da7c7e257afb4e5fce8982574c07d6fcab2819975981d0
Instruction Fuzzy Hash: 52319221E0978651EA14FF61A9453799291EF49FD0F940634D96D07BE6DEFCA0608B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258356D0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00007FF725829B8A), ref: 00007FF725835716
memmove.VCRUNTIME140(?,?,?,00007FF725829B8A), ref: 00007FF7258357D2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7258357FA

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: 89eb4108f071e0619cd2c65ad21e0074e86183586a7f4d57a115aca4f2c6c1e5
Instruction ID: 560202b671cd322fb3197d163243d49fa2e60760ecc00bc05896b5aa070a759c
Opcode Fuzzy Hash: 89eb4108f071e0619cd2c65ad21e0074e86183586a7f4d57a115aca4f2c6c1e5
Instruction Fuzzy Hash: 8131C421B09741E1EA14AF55A980278A7A4EB04FF0FA40730DE7E077D6DEBCE8618710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725834930 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF7257F112F), ref: 00007FF7258349C6
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF7257F112F), ref: 00007FF7258349D4
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF7257F112F), ref: 00007FF7258349EA

Strings

C:\PrivateScript\, xrefs: 00007FF725834992

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memmove
String ID: C:\PrivateScript\
API String ID: 2162964266-2017767010
Opcode ID: 8c4f86710293f25bb4bc5e03f5e313b93c3e7b9517c4e148c60cbecf44845de7
Instruction ID: 218737eaf89c6fcd6a46738fb6204a0647ca32251a763a24cefbe7067a2598be
Opcode Fuzzy Hash: 8c4f86710293f25bb4bc5e03f5e313b93c3e7b9517c4e148c60cbecf44845de7
Instruction Fuzzy Hash: 38319222E097C596E600BF21ED05278A3A5FB44FC0F944235DE8C17B66EFBCE5A58B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258358C0 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00007FF7257F1124), ref: 00007FF725835903
memmove.VCRUNTIME140(?,?,?,00007FF7257F1124), ref: 00007FF72583599F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7258359C9

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: 5e9cd49211db3afa63012d1057e359778613412ec36aaf383ca3d8ecda74472f
Instruction ID: 7c9d9e0cd98c1ae5b6e130171bca610e6abfd1aea847da093c5d9e987deb871c
Opcode Fuzzy Hash: 5e9cd49211db3afa63012d1057e359778613412ec36aaf383ca3d8ecda74472f
Instruction Fuzzy Hash: 7F21A521A0979595EA14BF41A84037DA3A4EB44FE0F940631DFAD07BC6EFBCE8618B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF725803360 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF725803170: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7258031C9

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF725803399
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7258033AB
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7258033B3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580341B

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintffclosefflushfree
String ID:
API String ID: 2759974054-0
Opcode ID: 4807863bc683db5bae73428bdb6a797a4b599005619588b6b3fc80361d811d7c
Instruction ID: 7f5103cb2f321396bfc458df6c3a082068d3ed3ea0fde30f6d47d8e36a607355
Opcode Fuzzy Hash: 4807863bc683db5bae73428bdb6a797a4b599005619588b6b3fc80361d811d7c
Instruction Fuzzy Hash: 0D21422191DA8281EB55AF21EC841BCA3E0FF54F84FC91036CD0D5B654DFB898A0CB30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72580AF80 Relevance: 5.2, APIs: 4, Instructions: 233COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580B022
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580B087
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580B324
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580B345

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: fc3121723675708bebead792d6c7cf9aacec310986fc211d0fea0d240cee4fa1
Instruction ID: f377034cfd885ea98e8558050ca4c7557a43fe994142b11b2df957f503b105c6
Opcode Fuzzy Hash: fc3121723675708bebead792d6c7cf9aacec310986fc211d0fea0d240cee4fa1
Instruction Fuzzy Hash: 44A1F522E14B8586E321DF3594442BEF7E4FF99F85F449332EE8512654EB78E492CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7258047D0 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580484F
memmove.VCRUNTIME140 ref: 00007FF72580486B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF72580488B
memmove.VCRUNTIME140 ref: 00007FF7258048B9

Memory Dump Source

Source File: 00000000.00000002.4517877622.00007FF7257F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7257F0000, based on PE: true

Associated: 00000000.00000002.4517863555.00007FF7257F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF725839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517910217.00007FF7258A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517969079.00007FF7258AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518011747.00007FF7258D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4518025943.00007FF7258D2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7257f0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$freemalloc
String ID:
API String ID: 1763039611-0
Opcode ID: ba81548fa1518a19d0dc2e080028a8c5b0682fd3939d13a6de9beed13b20eaec
Instruction ID: 89e28e170306c74df17c3edaa51088f0de1ac57b540397b60ef0b34cda7171a7
Opcode Fuzzy Hash: ba81548fa1518a19d0dc2e080028a8c5b0682fd3939d13a6de9beed13b20eaec
Instruction Fuzzy Hash: 0731C272B05AC186EA04AF56E9411A8A3A0FB48FC0B888836DF5D57760DF7CE5A1CB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: bugado.exePID: 5060, Parent PID: 2444COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1955
Total number of Limit Nodes:	8

Executed Functions

Function 00007FF617589D10 Relevance: 65.4, APIs: 22, Strings: 15, Instructions: 654COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF617589D54
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF617589D9B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF617589DDB
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF617589E6B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF617589EAB
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF617589F01
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF617589F29
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF617589F50
memcmp.VCRUNTIME140(?), ref: 00007FF61758A0ED

Part of subcall function 00007FF617589BE0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF617589C56
Part of subcall function 00007FF617589BE0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF617589C8D

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF61758A21D
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758A240
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF61758A278
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF61758A27F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF61758A286
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF61758A3DE
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF61758A444
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF61758A48E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758A56F
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758A5FE
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758A621
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758A659

Strings

[-] Failed to read image to memory, xrefs: 00007FF61758A4E1
free, xrefs: 00007FF617589D94, 00007FF617589DD4
[+] Mdl memory usage enabled, xrefs: 00007FF617589F0C
PassAllocationPtr, xrefs: 00007FF617589E64, 00007FF617589EA4
mdl, xrefs: 00007FF617589E0D, 00007FF61758A04F
[-] File , xrefs: 00007FF61758A3FE
[+] success, xrefs: 00007FF61758A604
[!] Incorrect Usage!, xrefs: 00007FF61758A200
doesn't exist, xrefs: 00007FF61758A42B
[-] Warning failed to fully unload vulnerable driver , xrefs: 00007FF61758A5E1
[-] Failed to map , xrefs: 00007FF61758A538
[+] Usage: kdmapper.exe [--free][--mdl][--PassAllocationPtr] driver, xrefs: 00007FF61758A223
[+] Free pool memory after usage enabled, xrefs: 00007FF617589EE4
.sys, xrefs: 00007FF61758A0E6
[+] Pass Allocation Ptr as first param enabled, xrefs: 00007FF617589F33

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@W@std@@@std@@$_invalid_parameter_noinfo_noreturn_wcsicmp$ExceptionFilterUnhandledmemcmp
String ID: [!] Incorrect Usage!$ doesn't exist$.sys$PassAllocationPtr$[+] Free pool memory after usage enabled$[+] Mdl memory usage enabled$[+] Pass Allocation Ptr as first param enabled$[+] Usage: kdmapper.exe [--free][--mdl][--PassAllocationPtr] driver$[+] success$[-] Failed to map $[-] Failed to read image to memory$[-] File $[-] Warning failed to fully unload vulnerable driver $free$mdl
API String ID: 2745243099-1302835770
Opcode ID: 6215dc89822ff98d957ce301f8fdb99103dbc0e264c099da4b1e3350ad52609f
Instruction ID: 6ebcf91c61e437bafc112074763b7191e742bc5cda9d2e847640d57a690c05c2
Opcode Fuzzy Hash: 6215dc89822ff98d957ce301f8fdb99103dbc0e264c099da4b1e3350ad52609f
Instruction Fuzzy Hash: 7C529162E28E4286FB109B66D8442BD2371FB54FB4F504235DA6E836EADF7CE585D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617581780 Relevance: 63.3, APIs: 22, Strings: 14, Instructions: 295
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF6175817B6
GetCurrentThreadId.KERNEL32 ref: 00007FF6175817BF
srand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF6175817CA
CreateFileW.KERNELBASE ref: 00007FF6175817F7
CloseHandle.KERNEL32 ref: 00007FF61758180A

Part of subcall function 00007FF617585EE0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617586066
Part of subcall function 00007FF617585EE0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758606D
Part of subcall function 00007FF617585EE0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758607A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758182D
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF617581871
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF6175818B5
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758192A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758196A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6175819A6

Strings

[-] Failed to ClearKernelHashBucketList, xrefs: 00007FF617581BCA
[-] \Device\Nal is already in use., xrefs: 00007FF617581810
[-] Failed to ClearPiDDBCacheTable, xrefs: 00007FF617581BB5
[<] Loading vulnerable driver, Name: , xrefs: 00007FF6175818E6
[-] Can't find TEMP folder, xrefs: 00007FF617581989
[-] Failed to get ntoskrnl.exe, xrefs: 00007FF617581BA0
[!] Failed to ClearMmUnloadedDrivers, xrefs: 00007FF617581BDF
[-] Failed to get temp path, xrefs: 00007FF617581536
[-] Failed to register and start service for the vulnerable driver, xrefs: 00007FF617581A97
ntoskrnl.exe, xrefs: 00007FF617581B31
gfff, xrefs: 00007FF61758187A
\\.\Nal, xrefs: 00007FF6175817F0, 00007FF617581AF6
[-] Failed to load driver iqvw64e.sys, xrefs: 00007FF617581BE8
[-] Failed to create vulnerable driver file, xrefs: 00007FF617581A4D

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_V01@@$rand$?setstate@?$basic_ios@_?uncaught_exception@std@@CloseCreateCurrentD@std@@@std@@FileHandleOsfx@?$basic_ostream@ThreadU?$char_traits@_invalid_parameter_noinfo_noreturn_time64srand
String ID: [!] Failed to ClearMmUnloadedDrivers$[-] Can't find TEMP folder$[-] Failed to ClearKernelHashBucketList$[-] Failed to ClearPiDDBCacheTable$[-] Failed to create vulnerable driver file$[-] Failed to get ntoskrnl.exe$[-] Failed to get temp path$[-] Failed to load driver iqvw64e.sys$[-] Failed to register and start service for the vulnerable driver$[-] \Device\Nal is already in use.$[<] Loading vulnerable driver, Name: $\\.\Nal$gfff$ntoskrnl.exe
API String ID: 3610494094-3036430678
Opcode ID: 2b59b04520f9ab686594239d376feb6b6f182a9132356bf31cc9e9aecf889ab3
Instruction ID: 1ac8dc49d5baf1eeaa87019ce094058cef0f6a6651f7817acf77301c20e30747
Opcode Fuzzy Hash: 2b59b04520f9ab686594239d376feb6b6f182a9132356bf31cc9e9aecf889ab3
Instruction Fuzzy Hash: 3CE18C61A28E5292EB00DB26E8542B93361FB95FB4F404239D95E836ABEF3CE544D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758D520 Relevance: 59.8, APIs: 20, Strings: 14, Instructions: 251
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6175812E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617581435

Part of subcall function 00007FF617588780: memcpy.VCRUNTIME140 ref: 00007FF61758887E
Part of subcall function 00007FF617588780: memcpy.VCRUNTIME140 ref: 00007FF61758888E

RegCreateKeyW.ADVAPI32 ref: 00007FF61758D600
RegSetKeyValueW.ADVAPI32 ref: 00007FF61758D645
RegCloseKey.ADVAPI32 ref: 00007FF61758D653

Part of subcall function 00007FF6175811D0: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF6175811DB

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758D676
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758D6C1
RegSetKeyValueW.ADVAPI32 ref: 00007FF61758D6EB
RegCloseKey.ADVAPI32 ref: 00007FF61758D6F9
RegCloseKey.ADVAPI32 ref: 00007FF61758D70B
GetModuleHandleA.KERNEL32 ref: 00007FF61758D718
GetProcAddress.KERNEL32 ref: 00007FF61758D734
GetProcAddress.KERNEL32 ref: 00007FF61758D747
RtlAdjustPrivilege.NTDLL ref: 00007FF61758D75D
RtlInitUnicodeString.NTDLL ref: 00007FF61758D7C4
NtLoadDriver.NTDLL ref: 00007FF61758D7CE
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF61758D7EF
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF61758D7FA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758D80A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758D858
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758D8C7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758D91B

Strings

NtLoadDriver, xrefs: 00007FF61758D73D
[+] NtLoadDriver Status 0x, xrefs: 00007FF61758D7D2
Type, xrefs: 00007FF61758D6E2
ImagePath, xrefs: 00007FF61758D638
SYSTEM\CurrentControlSet\Services\, xrefs: 00007FF61758D594
ntdll.dll, xrefs: 00007FF61758D711
[-] Can't create 'Type' registry value, xrefs: 00007FF61758D6FF
4, xrefs: 00007FF61758D798
Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator., xrefs: 00007FF61758D763
\??\, xrefs: 00007FF61758D5D6
RtlAdjustPrivilege, xrefs: 00007FF61758D72A
[-] Can't create service key, xrefs: 00007FF61758D60D
[-] Can't create 'ImagePath' registry value, xrefs: 00007FF61758D659
\Registry\Machine\System\CurrentControlSet\Services\, xrefs: 00007FF61758D7A1

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$Close$AddressProcV01@@Valuememcpy$AdjustCreateDriverHandleInitLoadModulePrivilegeStringUnicodeV21@@Vios_base@1@Xlength_error@std@@
String ID: 4$Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator.$ImagePath$NtLoadDriver$RtlAdjustPrivilege$SYSTEM\CurrentControlSet\Services\$Type$[+] NtLoadDriver Status 0x$[-] Can't create 'ImagePath' registry value$[-] Can't create 'Type' registry value$[-] Can't create service key$\??\$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
API String ID: 3477860193-3793529226
Opcode ID: b141cd0232939659d324549beaf113f3aa37b57c591dae2b4b39ed28c0b2125d
Instruction ID: cba0a7184e7e2bbfae89f9b3becb6871a10bde0174c47ab08570b741ac7494ed
Opcode Fuzzy Hash: b141cd0232939659d324549beaf113f3aa37b57c591dae2b4b39ed28c0b2125d
Instruction Fuzzy Hash: 26C16061B28F4696FB00DB66E4443AC33B1EB58BB8F400635DA5D936AADF3CE148D344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758F4C0 Relevance: 15.1, APIs: 10, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF61758F4D4
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF61758F4E9
__scrt_release_startup_lock.LIBCMT ref: 00007FF61758F557
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758F5A5
_get_initial_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758F5AA
__p___wargv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758F5B2
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758F5BA
__scrt_is_managed_app.LIBCMT ref: 00007FF61758F5CE
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758F5DC
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758F636

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1038555538-0
Opcode ID: 8099f633f6f678d39012437267c2974ada0ce775aabdfdebe60bf3e181897385
Instruction ID: 7448dd5aabe90af4d5b42e546ce6094c9461fa74e0f1997eb268195f4f22c7b3
Opcode Fuzzy Hash: 8099f633f6f678d39012437267c2974ada0ce775aabdfdebe60bf3e181897385
Instruction Fuzzy Hash: D0314B21A2DD4383FB50AB2794153B92391AF8DFA4F544138DB4EC72E7DE3DE905A211

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617587C70 Relevance: 13.7, APIs: 9, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF617587D05
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF617587D3C
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF617587DAA
?widen@?$ctype@_W@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF617587DFA
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF617587E08
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF617587E3B
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF617587E8B
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF617587E92
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF617587E9F

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$D@std@@@std@@U?$char_traits@$?flush@?$basic_ostream@?getloc@ios_base@std@@?setstate@?$basic_ios@_?uncaught_exception@std@@?widen@?$ctype@_Osfx@?$basic_ostream@V12@Vlocale@2@W@std@@
String ID:
API String ID: 2222884580-0
Opcode ID: ae68b658c52fe95b53231d82350469d6f1f3a2dcea84264f757e533ead7f9a9a
Instruction ID: f18852ae6f454027c5435b55060f174f5e3e2055bf8960d80aa62b65150c9d77
Opcode Fuzzy Hash: ae68b658c52fe95b53231d82350469d6f1f3a2dcea84264f757e533ead7f9a9a
Instruction Fuzzy Hash: 33616062619E8182EB609F5AE580339A7A0FF85FE5F148936CE4E877A2CF3DD455D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6175888C0 Relevance: 10.6, APIs: 7, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF61758894D
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF6175889AA
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF6175889D6
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF617588A12
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF617588A46
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF617588A4D
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF617588A5A

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 2558415004-0
Opcode ID: 769fb9137b7f7870149c6c292c35bda7a4246672e8ca47ed797a65c7fa96a35c
Instruction ID: 766b56254580ab5d2250ffd315ecd990749ada1676ce31ba0c5beed6e81e298b
Opcode Fuzzy Hash: 769fb9137b7f7870149c6c292c35bda7a4246672e8ca47ed797a65c7fa96a35c
Instruction Fuzzy Hash: 83514162668E4182EB208F5BE580239A760FB85FE5F158536CE4E87BA5CF3DE546D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617585EE0 Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617585F7C
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617585FD9
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617585FFC
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758601D
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617586066
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758606D
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758607A

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 2558415004-0
Opcode ID: d69801e4877d8ed5eeb335611211a648f6f96d2d6680bce6647c0a3fdc58d57b
Instruction ID: dc4ca16f9a22c03754552406e3d5fa85d7b466bc089681f93e87daaedaebb3d3
Opcode Fuzzy Hash: d69801e4877d8ed5eeb335611211a648f6f96d2d6680bce6647c0a3fdc58d57b
Instruction Fuzzy Hash: 7D519F62618E41C2EB208F1BE584239A7A0FB84FE9F108535DE5E87BA6CF3DD446D304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617585570 Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6175855A3
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF6175855C2
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6175855F4
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF617585610

Part of subcall function 00007FF617585B00: ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF617585B2C
Part of subcall function 00007FF617585B00: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF617585B54
Part of subcall function 00007FF617585B00: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF617585B69

?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF61758565A

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@_D@std@@@1@_Fiopen@std@@Init@?$basic_streambuf@U?$char_traits@_U_iobuf@@V?$basic_streambuf@Vlocale@2@W@std@@@std@@
String ID:
API String ID: 612489050-0
Opcode ID: 494154b431bb389ea1037c429a591c6917ead29e63a8b5c15e7c0e8b3c3990cd
Instruction ID: 7c99399621940a03742070041762645ac98f50c4bb002b6f62ba2e3293546fd6
Opcode Fuzzy Hash: 494154b431bb389ea1037c429a591c6917ead29e63a8b5c15e7c0e8b3c3990cd
Instruction Fuzzy Hash: 18210632608B9186EB108F2AF85476A77A4FB99F99F449135DA8D83B25DF3DD005C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617585B00 Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF617585B2C

Part of subcall function 00007FF617585990: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,?,?,?,?,00007FF617585B4C), ref: 00007FF6175859C2
Part of subcall function 00007FF617585990: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00007FF617585B4C), ref: 00007FF6175859F0

?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF617585B54

Part of subcall function 00007FF617587EE0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617587F08
Part of subcall function 00007FF617587EE0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617587F22
Part of subcall function 00007FF617587EE0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617587F4C
Part of subcall function 00007FF617587EE0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617587F77
Part of subcall function 00007FF617587EE0: std::_Facet_Register.LIBCPMT ref: 00007FF617587F90
Part of subcall function 00007FF617587EE0: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617587FAF

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF617585B69
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF617585B84

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: 0f35bd83fda0e4e46b3b0bda00aba7a3ecf8b12a79ba364633e4fbfc199bb1d5
Instruction ID: 544170d433db8d37f12a41c67364aa966716ce701060b7db3d82234343f72084
Opcode Fuzzy Hash: 0f35bd83fda0e4e46b3b0bda00aba7a3ecf8b12a79ba364633e4fbfc199bb1d5
Instruction Fuzzy Hash: 42118F21B29E0682EF54DF22E40437963A0AF95FE9F284038CE4E8775ADE3DD844D340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6175860C0 Relevance: 4.5, APIs: 3, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF6175860D5
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z.MSVCP140 ref: 00007FF6175860E1
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF6175860EA

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@?put@?$basic_ostream@_?widen@?$basic_ios@_D@std@@@std@@U?$char_traits@V12@V12@_
String ID:
API String ID: 1552636710-0
Opcode ID: 8bb6cd1e160a8824b80f01674d483b2bc2420e81a06ea2f8b8372f4244fa5c7d
Instruction ID: 12407a15e7be51bcab3f20b3b19d816eabea195c5228903eb2d8b76ca4fb3731
Opcode Fuzzy Hash: 8bb6cd1e160a8824b80f01674d483b2bc2420e81a06ea2f8b8372f4244fa5c7d
Instruction Fuzzy Hash: 32D01754A84A1A82DE08AF26B8941382361EFADFA2B48A030CD0F87311CE3CD0958204

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617584CE0 Relevance: 3.1, APIs: 2, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF617584D53
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF617584D8A

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: fwritememcpy
String ID:
API String ID: 4173912309-0
Opcode ID: dd7b155a2662c67a1c57eecee65be0a1c87a1d0a6f3bc1967ed8b048e2f0c165
Instruction ID: 4531d0a048de45b372d5047bd2cf0167e0531eff2dd55fb0a277e16ce392530d
Opcode Fuzzy Hash: dd7b155a2662c67a1c57eecee65be0a1c87a1d0a6f3bc1967ed8b048e2f0c165
Instruction Fuzzy Hash: E9215E22B29E8186EB948F5B944076967A0FB88FD4F5C403AEF4D87B5ACF3DE4518700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617585A50 Relevance: 3.0, APIs: 2, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF617585AB5
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF617585AD1

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: D@std@@@std@@Init@?$basic_streambuf@U?$char_traits@fclose
String ID:
API String ID: 356833432-0
Opcode ID: 8679cf307676c61e888b200f3cab3b2f6dbf8dc111f72ef9077225ed14305e97
Instruction ID: 5675c81bf697e3e7b885994b22e2718e49b92dab1dcc3a3ea4711ccf77dd6e1e
Opcode Fuzzy Hash: 8679cf307676c61e888b200f3cab3b2f6dbf8dc111f72ef9077225ed14305e97
Instruction Fuzzy Hash: 37112B32618F9581EB408F2AE49036937A4FB98FD8F588036DE4D87769CF38C856C750

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF617582A90 Relevance: 40.5, APIs: 16, Strings: 7, Instructions: 290
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF617582ACC
VirtualFree.KERNEL32 ref: 00007FF617582AEB
VirtualAlloc.KERNEL32 ref: 00007FF617582B00
NtQuerySystemInformation.NTDLL ref: 00007FF617582B19
GetCurrentProcessId.KERNEL32 ref: 00007FF617582B85
VirtualFree.KERNEL32 ref: 00007FF617582BC3
DeviceIoControl.KERNEL32 ref: 00007FF617582C2E
DeviceIoControl.KERNEL32 ref: 00007FF617582CA5
DeviceIoControl.KERNEL32 ref: 00007FF617582D1C
DeviceIoControl.KERNEL32 ref: 00007FF617582D96
memset.VCRUNTIME140 ref: 00007FF617582DE5
DeviceIoControl.KERNEL32 ref: 00007FF617582E4A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582EEB
DeviceIoControl.KERNEL32 ref: 00007FF617582EB9

Part of subcall function 00007FF617585EE0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617586066
Part of subcall function 00007FF617585EE0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758606D
Part of subcall function 00007FF617585EE0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758607A

Part of subcall function 00007FF617585EE0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617585F7C
Part of subcall function 00007FF617585EE0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617585FD9
Part of subcall function 00007FF617585EE0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617585FFC
Part of subcall function 00007FF617585EE0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758601D

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582F1A
VirtualFree.KERNEL32 ref: 00007FF617582F5F

Strings

[!] Failed to read driver name, xrefs: 00007FF617582F22
[!] Failed to find driver_object, xrefs: 00007FF617582F3D
[!] Failed to write driver name length, xrefs: 00007FF617582EFD
[!] Failed to find driver_section, xrefs: 00007FF617582F34
[!] Failed to find driver name, xrefs: 00007FF617582F2B
[!] Failed to find device_object, xrefs: 00007FF617582F46
[+] MmUnloadedDrivers Cleaned: , xrefs: 00007FF617582ECA

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: ControlDevice$U?$char_traits@_W@std@@@std@@$V01@Virtual$D@std@@@std@@FreeU?$char_traits@$??6?$basic_ostream@_?sputc@?$basic_streambuf@_InformationQuerySystemV01@@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@AllocCurrentOsfx@?$basic_ostream@ProcessV12@memset
String ID: [!] Failed to find device_object$[!] Failed to find driver name$[!] Failed to find driver_object$[!] Failed to find driver_section$[!] Failed to read driver name$[!] Failed to write driver name length$[+] MmUnloadedDrivers Cleaned:
API String ID: 3476330072-3011715350
Opcode ID: 554791a905a9ed1b1d893eafea0bf69f6657606d5904096a2d87206383cde52d
Instruction ID: 114783d67b72e542bdcc43128d59b232104241d9056785e97471883a53cb3970
Opcode Fuzzy Hash: 554791a905a9ed1b1d893eafea0bf69f6657606d5904096a2d87206383cde52d
Instruction Fuzzy Hash: 71E18B72B29F419AEB50CF61E4403AD37A4FB48B98F404539EA4D96B59DF38D219D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758DF00 Relevance: 13.6, APIs: 9, Instructions: 140nativememoryCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF61758DF30
VirtualFree.KERNEL32 ref: 00007FF61758DF50
VirtualAlloc.KERNEL32 ref: 00007FF61758DF66
NtQuerySystemInformation.NTDLL ref: 00007FF61758DF81
VirtualFree.KERNEL32 ref: 00007FF61758DFA2
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF61758E035
VirtualFree.KERNEL32 ref: 00007FF61758E091
VirtualFree.KERNEL32 ref: 00007FF61758E0D3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758E10D

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: Virtual$Free$InformationQuerySystem$Alloc_invalid_parameter_noinfo_noreturn_stricmp
String ID:
API String ID: 562193759-0
Opcode ID: 1522dd4d0bf6989cb67041938a95fef3a02e725a76e680aed42b1916397feb60
Instruction ID: 73bdf98d3c538c1cdbc143217d55ecd4cdba2a56ce3210fdf7830257300c6444
Opcode Fuzzy Hash: 1522dd4d0bf6989cb67041938a95fef3a02e725a76e680aed42b1916397feb60
Instruction Fuzzy Hash: FA519462B18E4183FB208B16E84432972A1FB89FF4F544634DA6EC76DADE3DD481A700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758F6D8 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF61758F6F4
memset.VCRUNTIME140 ref: 00007FF61758F718
RtlCaptureContext.KERNEL32 ref: 00007FF61758F721
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF61758F73B
RtlVirtualUnwind.KERNEL32 ref: 00007FF61758F77C
memset.VCRUNTIME140 ref: 00007FF61758F7AF
IsDebuggerPresent.KERNEL32 ref: 00007FF61758F7D0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF61758F7F1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF61758F7FC

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 27c1891ec76c73cda5552b3688cbcb8def1b2c8b2b26ff10889f24fdbe2c12a9
Instruction ID: 917b02f0c0f4d2f3490aa76c2af4d5fe3d1233849a17db1ce9aff4018c3f1355
Opcode Fuzzy Hash: 27c1891ec76c73cda5552b3688cbcb8def1b2c8b2b26ff10889f24fdbe2c12a9
Instruction Fuzzy Hash: 25316D72619E8186EB609F61E8403ED73A0FB98B54F44443ADB4E87A99DF38D648C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758EAC4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF61758EB25
IsDebuggerPresent.KERNEL32 ref: 00007FF61758EB3D
OutputDebugStringW.KERNEL32 ref: 00007FF61758EB4E

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF61758EB47

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 6dace40f20ee360905f8cc9ad5317248b2015620551232ed4bc329e47bd697d4
Instruction ID: 670508443895389c518b3e609100b1ce969e44af31c01004a4a54f1e0715ef32
Opcode Fuzzy Hash: 6dace40f20ee360905f8cc9ad5317248b2015620551232ed4bc329e47bd697d4
Instruction Fuzzy Hash: 04118F32624F9293E7448B22D6853B933A0FB18BA1F404139C60DC3A92EF3CE478D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6175834D0 Relevance: 75.6, APIs: 23, Strings: 20, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF617583DD0: DeviceIoControl.KERNEL32 ref: 00007FF617583E62
Part of subcall function 00007FF617583DD0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617583EF3

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6175835AB
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6175835CE
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF61758361E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF61758362E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758363E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF617583661
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF617583671
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617583681

Part of subcall function 00007FF617585EE0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617586066
Part of subcall function 00007FF617585EE0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758606D
Part of subcall function 00007FF617585EE0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758607A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6175836F7

Part of subcall function 00007FF6175812E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617581435

Part of subcall function 00007FF6175832F0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758342C
Part of subcall function 00007FF6175832F0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758347E

DeviceIoControl.KERNEL32 ref: 00007FF61758378D
DeviceIoControl.KERNEL32 ref: 00007FF6175837E7
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617583B6D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617583BB7

Strings

[-] Warning PiDDBLock not found, xrefs: 00007FF617583595
xxxxxx, xrefs: 00007FF617583527
[-] Warning PiDDBCacheTable not found, xrefs: 00007FF6175835FF
[+] PiDDBLock Ptr 0x, xrefs: 00007FF617583608
xxxxxx????xxxxx????xxx????xxxxx????x????xx?x, xrefs: 00007FF617583501
[-] Can't set next entry, xrefs: 00007FF617583B47
[+] PiDDBCacheTable Ptr 0x, xrefs: 00007FF617583644
[!] Failed to find RtlDeleteElementGenericTableAvl, xrefs: 00007FF6175839FA
[+] Found Table Entry = 0x, xrefs: 00007FF617583804
[-] Can't get next entry, xrefs: 00007FF6175837F8
[-] Can't set prev entry, xrefs: 00007FF617583B3E
[+] PiDDBCacheTable Cleaned, xrefs: 00007FF617583B17
[-] Not found in cache, xrefs: 00007FF617583728
[-] Can't get prev entry, xrefs: 00007FF617583B50
xxx????xxxxx????xxx????x????x, xrefs: 00007FF617583560
[+] PiDDBLock found with second pattern, xrefs: 00007FF6175835B8
RtlDeleteElementGenericTableAvl, xrefs: 00007FF61758396B
[+] PiDDBLock Locked, xrefs: 00007FF6175836E1
[-] Can't delete from PiDDBCacheTable, xrefs: 00007FF617583A1D
[-] Can't lock PiDDBCacheTable, xrefs: 00007FF6175836D5

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_$V01@@$ControlDevice_invalid_parameter_noinfo_noreturn$V01@_V21@@Vios_base@1@$?setstate@?$basic_ios@_?uncaught_exception@std@@D@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@
String ID: RtlDeleteElementGenericTableAvl$[!] Failed to find RtlDeleteElementGenericTableAvl$[+] Found Table Entry = 0x$[+] PiDDBCacheTable Cleaned$[+] PiDDBCacheTable Ptr 0x$[+] PiDDBLock Locked$[+] PiDDBLock Ptr 0x$[+] PiDDBLock found with second pattern$[-] Can't delete from PiDDBCacheTable$[-] Can't get next entry$[-] Can't get prev entry$[-] Can't lock PiDDBCacheTable$[-] Can't set next entry$[-] Can't set prev entry$[-] Not found in cache$[-] Warning PiDDBCacheTable not found$[-] Warning PiDDBLock not found$xxx????xxxxx????xxx????x????x$xxxxxx$xxxxxx????xxxxx????xxx????xxxxx????x????xx?x
API String ID: 3986681254-602910616
Opcode ID: d583605c7b95d75d6afcba2cb90855f4bc63da00dc3abca4284f18ab1e2e8146
Instruction ID: 7f47b3adf3beeb9cc7e53ff211224b5c7ef44fafe5b300377e0255ed63449118
Opcode Fuzzy Hash: d583605c7b95d75d6afcba2cb90855f4bc63da00dc3abca4284f18ab1e2e8146
Instruction Fuzzy Hash: 7A1238B1A19F4296EB00DF62E8503A833A4FB44BA8F404539D94D97BAADF3CE549D350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758B4E0 Relevance: 58.1, APIs: 19, Strings: 14, Instructions: 313
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF61758B56E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758B8EB
VirtualFree.KERNEL32 ref: 00007FF61758B8FC
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758B9C2

Strings

[-] Image is not 64 bit, xrefs: 00007FF61758B551
[!] Failed to find ExAllocatePool, xrefs: 00007FF61758B699
[+] DriverEntry returned 0x, xrefs: 00007FF61758B921
[+] Image base has been allocated at 0x, xrefs: 00007FF61758B702
[<] Calling DriverEntry 0x, xrefs: 00007FF61758B855
[-] Callback returns false, failed!, xrefs: 00007FF61758B899
[-] Failed to allocate remote image in kernel, xrefs: 00007FF61758B6C0, 00007FF61758B6F6
[-] Invalid format of PE image, xrefs: 00007FF61758B9A5
bytes of PE Header, xrefs: 00007FF61758B7C3
[-] Failed to resolve imports, xrefs: 00007FF61758B815
[-] Failed to call driver entry, xrefs: 00007FF61758B8CE
[-] Failed to write local image to remote image, xrefs: 00007FF61758B842
[+] Skipped 0x, xrefs: 00007FF61758B791
ExAllocatePoolWithTag, xrefs: 00007FF61758B615

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@VirtualW@std@@@std@@$AllocFree
String ID: bytes of PE Header$ExAllocatePoolWithTag$[!] Failed to find ExAllocatePool$[+] DriverEntry returned 0x$[+] Image base has been allocated at 0x$[+] Skipped 0x$[-] Callback returns false, failed!$[-] Failed to allocate remote image in kernel$[-] Failed to call driver entry$[-] Failed to resolve imports$[-] Failed to write local image to remote image$[-] Image is not 64 bit$[-] Invalid format of PE image$[<] Calling DriverEntry 0x
API String ID: 284350539-3204775764
Opcode ID: ebc8a43a5b13ec11043c51ca0cd9d3df41b946e7c73cffafac2e7787980f7c30
Instruction ID: 58abe24b23c268ee10b155780c84c07e5f9bac2c4b0a087c5bb412bcd299ba74
Opcode Fuzzy Hash: ebc8a43a5b13ec11043c51ca0cd9d3df41b946e7c73cffafac2e7787980f7c30
Instruction Fuzzy Hash: 6BE13961F28E4296FB10DB66E8502B933A6BB44FA4F80413ADD4D976ABDE3CE505D340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758AFE0 Relevance: 40.5, APIs: 11, Strings: 12, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758B0C5
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758B105
DeviceIoControl.KERNEL32 ref: 00007FF61758B1FE
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758B231
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758B331
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758B2F1

Part of subcall function 00007FF617585D50: memcpy.VCRUNTIME140 ref: 00007FF617585D81

Part of subcall function 00007FF6175826A0: memset.VCRUNTIME140 ref: 00007FF6175826FB
Part of subcall function 00007FF6175826A0: DeviceIoControl.KERNEL32 ref: 00007FF617582756
Part of subcall function 00007FF6175826A0: DeviceIoControl.KERNEL32 ref: 00007FF6175827D3
Part of subcall function 00007FF6175826A0: VirtualAlloc.KERNEL32 ref: 00007FF61758282A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758B128

Part of subcall function 00007FF61758ED70: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF6175861F9), ref: 00007FF61758ED80

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758B402
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758B442
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758B465
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758B4B4

Strings

[!] Failed to find MmMapLockedPagesSpecifyCache, xrefs: 00007FF61758B314
[-] Can't read the _MDL : byteCount, xrefs: 00007FF61758B4CB
[-] Couldn't allocate enough memory, cleaning up, xrefs: 00007FF61758B214
[!] Failed to find MmProtectMdlSystemAddress, xrefs: 00007FF61758B425
[-] Can't set mdl pages cache, cleaning up., xrefs: 00007FF61758B337
MmMapLockedPagesSpecifyCache, xrefs: 00007FF61758B294
[!] Failed to find MmAlocatePagesForMdl, xrefs: 00007FF61758B0E8
MmProtectMdlSystemAddress, xrefs: 00007FF61758B3A5
[+] Allocated pages for mdl, xrefs: 00007FF61758B497
MmAllocatePagesForMdl, xrefs: 00007FF61758B068
[-] Can't change protection for mdl pages, cleaning up, xrefs: 00007FF61758B448
[-] Can't allocate pages for mdl, xrefs: 00007FF61758B10B

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@W@std@@@std@@$ControlDevice_invalid_parameter_noinfo_noreturn$AllocCriticalEnterSectionVirtualmemcpymemset
String ID: MmAllocatePagesForMdl$MmMapLockedPagesSpecifyCache$MmProtectMdlSystemAddress$[!] Failed to find MmAlocatePagesForMdl$[!] Failed to find MmMapLockedPagesSpecifyCache$[!] Failed to find MmProtectMdlSystemAddress$[+] Allocated pages for mdl$[-] Can't allocate pages for mdl$[-] Can't change protection for mdl pages, cleaning up$[-] Can't read the _MDL : byteCount$[-] Can't set mdl pages cache, cleaning up.$[-] Couldn't allocate enough memory, cleaning up
API String ID: 3475076561-338763861
Opcode ID: ca3dd29647efb5c5e65248918a88330c441370576a3028435841619c038c22f7
Instruction ID: 633cce153d085dc22139c01ac3e5329a5f4065b464d0580adebc17acce9e7082
Opcode Fuzzy Hash: ca3dd29647efb5c5e65248918a88330c441370576a3028435841619c038c22f7
Instruction Fuzzy Hash: A3D13961A28E4296EB10DF26E8553A83365BF44FA8F804235D95D87AABDF3CE145E340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758D960 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 175registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF61758D994
RtlInitUnicodeString.NTDLL ref: 00007FF61758DA07
RegOpenKeyW.ADVAPI32 ref: 00007FF61758DA65
RegCloseKey.ADVAPI32 ref: 00007FF61758DA7E
GetProcAddress.KERNEL32 ref: 00007FF61758DA8E

Part of subcall function 00007FF617587C70: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF617587E8B
Part of subcall function 00007FF617587C70: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF617587E92
Part of subcall function 00007FF617587C70: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF617587E9F

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF61758DAB9
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF61758DAC4
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758DAD4
RegDeleteKeyW.ADVAPI32 ref: 00007FF61758DB35

Part of subcall function 00007FF617587C70: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF617587D05
Part of subcall function 00007FF617587C70: ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF617587D3C
Part of subcall function 00007FF617587C70: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF617587DAA
Part of subcall function 00007FF617587C70: ?widen@?$ctype@_W@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF617587DFA
Part of subcall function 00007FF617587C70: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF617587E08
Part of subcall function 00007FF617587C70: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF617587E3B

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758DAFB
RegDeleteKeyW.ADVAPI32 ref: 00007FF61758DB16
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758DB7C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758DBD1

Strings

[+] NtUnloadDriver Status 0x, xrefs: 00007FF61758DA9C
", xrefs: 00007FF61758DA32
NtUnloadDriver, xrefs: 00007FF61758DA84
[-] Driver Unload Failed!!, xrefs: 00007FF61758DADE
\Registry\Machine\System\CurrentControlSet\Services\, xrefs: 00007FF61758D9E4
SYSTEM\CurrentControlSet\Services\, xrefs: 00007FF61758DA3B
ntdll.dll, xrefs: 00007FF61758D98D

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_$?sputc@?$basic_streambuf@_$D@std@@@std@@DeleteU?$char_traits@V01@@_invalid_parameter_noinfo_noreturn$?flush@?$basic_ostream@?getloc@ios_base@std@@?setstate@?$basic_ios@_?uncaught_exception@std@@?widen@?$ctype@_AddressCloseHandleInitModuleOpenOsfx@?$basic_ostream@ProcStringUnicodeV12@V21@@Vios_base@1@Vlocale@2@W@std@@
String ID: "$NtUnloadDriver$SYSTEM\CurrentControlSet\Services\$[+] NtUnloadDriver Status 0x$[-] Driver Unload Failed!!$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
API String ID: 1746233060-3977549460
Opcode ID: 2cdf292f12626b4e133b536ab30b516b4e19748792bd49914833441eebd3c932
Instruction ID: 896c83f9fb8b313239c28a01cd01319311ccca5bfd611f95b37e1b5fae6a9c12
Opcode Fuzzy Hash: 2cdf292f12626b4e133b536ab30b516b4e19748792bd49914833441eebd3c932
Instruction Fuzzy Hash: 69714C61B19F4296EB009F66E4943AC23A1EB58FB5F400635DA5D8379ADF3CE588D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758E7D8 Relevance: 28.7, APIs: 19, Instructions: 200COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF61758E871
GetLastError.KERNEL32 ref: 00007FF61758E87B
__std_fs_open_handle.LIBCPMT ref: 00007FF61758E8D7
CloseHandle.KERNEL32 ref: 00007FF61758E8EC
CloseHandle.KERNEL32 ref: 00007FF61758EA52
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758EA5C

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: CloseHandle$AttributesErrorFileLast__std_fs_open_handleterminate
String ID:
API String ID: 1657120197-0
Opcode ID: 16d2dd352414c68191909dc51ecd308e890caea0bb5010e4d6c69a39b9191b09
Instruction ID: 55311650e9b46c76b9273f2dd5c50b07c1b70ae6beb69f935bfa9565c3174cab
Opcode Fuzzy Hash: 16d2dd352414c68191909dc51ecd308e890caea0bb5010e4d6c69a39b9191b09
Instruction Fuzzy Hash: 20818231B24E5287F7A48B66A84467822B0AF59FB4F180335D97ED66D6EE3CE445A300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6175831B0 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 216COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617583280
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF617583B7E), ref: 00007FF6175832C0
GetModuleHandleA.KERNEL32 ref: 00007FF617587541
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617587569

Part of subcall function 00007FF61758ED70: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF6175861F9), ref: 00007FF61758ED80

Part of subcall function 00007FF617585D50: memcpy.VCRUNTIME140 ref: 00007FF617585D81

Part of subcall function 00007FF6175826A0: memset.VCRUNTIME140 ref: 00007FF6175826FB
Part of subcall function 00007FF6175826A0: DeviceIoControl.KERNEL32 ref: 00007FF617582756
Part of subcall function 00007FF6175826A0: DeviceIoControl.KERNEL32 ref: 00007FF6175827D3
Part of subcall function 00007FF6175826A0: VirtualAlloc.KERNEL32 ref: 00007FF61758282A

Strings

[!] Failed to find ExReleaseResourceLite, xrefs: 00007FF6175832A3
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF617587725
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF6175875AD
ntdll.dll, xrefs: 00007FF61758753A
ExReleaseResourceLite, xrefs: 00007FF61758321F
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF61758769B
NtAddAtom, xrefs: 00007FF617587595, 00007FF617587619
[-] Failed to load ntdll.dll, xrefs: 00007FF61758754C

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_ControlDeviceU?$char_traits@_V01@@W@std@@@std@@$AllocCriticalEnterHandleModuleSectionVirtual_invalid_parameter_noinfo_noreturnmemcpymemset
String ID: ExReleaseResourceLite$NtAddAtom$[!] Failed to find ExReleaseResourceLite$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 4274139851-1591343369
Opcode ID: 768cc27bd42aa7a59451d96e32002eda9157a1ab210d3772858ae1feb9700705
Instruction ID: b7fcf21670bda0f99261525efc3d73587fab61521d4e04226dbc7ce671969a28
Opcode Fuzzy Hash: 768cc27bd42aa7a59451d96e32002eda9157a1ab210d3772858ae1feb9700705
Instruction Fuzzy Hash: 66A19B61A1CE4296EB50DB66E8503B833A1FB84BE8F404636D95D83BABDF3CE555D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617582560 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 216COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF61758B24D), ref: 00007FF617582630
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF61758B24D), ref: 00007FF617582670
GetModuleHandleA.KERNEL32 ref: 00007FF617587051
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617587079

Part of subcall function 00007FF61758ED70: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF6175861F9), ref: 00007FF61758ED80

Part of subcall function 00007FF617585D50: memcpy.VCRUNTIME140 ref: 00007FF617585D81

Part of subcall function 00007FF6175826A0: memset.VCRUNTIME140 ref: 00007FF6175826FB
Part of subcall function 00007FF6175826A0: DeviceIoControl.KERNEL32 ref: 00007FF617582756
Part of subcall function 00007FF6175826A0: DeviceIoControl.KERNEL32 ref: 00007FF6175827D3
Part of subcall function 00007FF6175826A0: VirtualAlloc.KERNEL32 ref: 00007FF61758282A

Strings

[!] Failed to find ExAllocatePool, xrefs: 00007FF617582653
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF617587235
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF6175870BD
ntdll.dll, xrefs: 00007FF61758704A
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF6175871AB
NtAddAtom, xrefs: 00007FF6175870A5, 00007FF617587129
ExFreePool, xrefs: 00007FF6175825CF
[-] Failed to load ntdll.dll, xrefs: 00007FF61758705C

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_ControlDeviceU?$char_traits@_V01@@W@std@@@std@@$AllocCriticalEnterHandleModuleSectionVirtual_invalid_parameter_noinfo_noreturnmemcpymemset
String ID: ExFreePool$NtAddAtom$[!] Failed to find ExAllocatePool$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 4274139851-3600435281
Opcode ID: d6ea799b7a59b5f9668bfea1e48fd91ecd1aa4d84522f8d50955b6df98a9fb0d
Instruction ID: acaf17e2b9ee620553d6449bc0347169503620241342e8dd55dd2607a6c6fd34
Opcode Fuzzy Hash: d6ea799b7a59b5f9668bfea1e48fd91ecd1aa4d84522f8d50955b6df98a9fb0d
Instruction Fuzzy Hash: 91A17C71A2CE42D6EB10CB62E8503B833A1BB94BE4F405636D95D83BAADE3CE555D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617581C90 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF617585EE0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617586066
Part of subcall function 00007FF617585EE0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758606D
Part of subcall function 00007FF617585EE0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758607A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617581CD4
CloseHandle.KERNEL32 ref: 00007FF617581CE7

Part of subcall function 00007FF617581780: memset.VCRUNTIME140 ref: 00007FF6175814B2
Part of subcall function 00007FF617581780: GetTempPathW.KERNEL32 ref: 00007FF6175814C0
Part of subcall function 00007FF617581780: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6175815F4

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617581D3E
memset.VCRUNTIME140 ref: 00007FF617581D6D

Part of subcall function 00007FF617585570: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6175855A3
Part of subcall function 00007FF617585570: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF6175855C2
Part of subcall function 00007FF617585570: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6175855F4
Part of subcall function 00007FF617585570: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF617585610
Part of subcall function 00007FF617585570: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF61758565A

rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF617581D8E
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF617581DD7
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z.MSVCP140 ref: 00007FF617581E15
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617581E4E
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF617581E7B
_wremove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF617581E9A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617581EE9

Strings

[+] Vul driver data destroyed before unlink, xrefs: 00007FF617581E38
[<] Unloading vulnerable driver, xrefs: 00007FF617581CB7
[!] Error dumping shit inside the disk, xrefs: 00007FF617581E2F

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$U?$char_traits@_W@std@@@std@@$V01@$?setstate@?$basic_ios@__invalid_parameter_noinfo_noreturn$??6?$basic_ostream@_V01@@memsetrand$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?uncaught_exception@std@@?write@?$basic_ostream@CloseD@std@@@1@_HandleInit@?$basic_streambuf@Osfx@?$basic_ostream@PathTempV12@V?$basic_streambuf@_wremove
String ID: [!] Error dumping shit inside the disk$[+] Vul driver data destroyed before unlink$[<] Unloading vulnerable driver
API String ID: 893052925-4078119036
Opcode ID: 0ea12bb95fce93f6a9b4e14282e7de2139cd23635c301132d8d77501a5b121e7
Instruction ID: 8a97ee3c451da1e1061903af6ca9d75ca23edbe03aec612e67b3187ba78dcf9f
Opcode Fuzzy Hash: 0ea12bb95fce93f6a9b4e14282e7de2139cd23635c301132d8d77501a5b121e7
Instruction Fuzzy Hash: BE619161B29E4683EF009B26E4552797361EB85FF0F40413ADA5E87AAADE3CE445D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617586D90 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 150libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF617586DD6
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617586DFE
GetProcAddress.KERNEL32 ref: 00007FF617586E34
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617586F0A
DeviceIoControl.KERNEL32 ref: 00007FF617586F87

Part of subcall function 00007FF617582090: DeviceIoControl.KERNEL32 ref: 00007FF617582113
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF617582136
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582146

Strings

[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF617586FB9
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF617586E42
ntdll.dll, xrefs: 00007FF617586DCF
Thre, xrefs: 00007FF617586FE0
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF617586F2F
NtAddAtom, xrefs: 00007FF617586E2A, 00007FF617586EAD
[-] Failed to load ntdll.dll, xrefs: 00007FF617586DE1

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$ControlDeviceV01@@$AddressHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$Thre$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 368370636-2969835678
Opcode ID: f941c6a6cd1e9aca624a823072f0ad7957500ea88e410b7070049dbaa69dbb0f
Instruction ID: eba337fea7d4b0864e14fb41b2bff78bb2adbf2dd3d29f12fc07b4c639dfc8af
Opcode Fuzzy Hash: f941c6a6cd1e9aca624a823072f0ad7957500ea88e410b7070049dbaa69dbb0f
Instruction Fuzzy Hash: 93717F61A2CF4296EB50CF62E4502B833A1EB48BA4F844136D94D87BABDF3CD545D350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617582090 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FF617582113
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF617582136
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582146
DeviceIoControl.KERNEL32 ref: 00007FF6175821B6
DeviceIoControl.KERNEL32 ref: 00007FF617582237
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF61758225A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758226A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF6175822B6
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6175822C6

Part of subcall function 00007FF617585EE0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617586066
Part of subcall function 00007FF617585EE0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758606D
Part of subcall function 00007FF617585EE0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758607A

Strings

[-] Failed to translate virtual address 0x, xrefs: 00007FF617582124
[-] Failed to map IO space of 0x, xrefs: 00007FF6175822A4
[!] Failed to unmap IO space of physical address 0x, xrefs: 00007FF617582248

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_$ControlDeviceV01@@$?setstate@?$basic_ios@_?uncaught_exception@std@@D@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@
String ID: [!] Failed to unmap IO space of physical address 0x$[-] Failed to map IO space of 0x$[-] Failed to translate virtual address 0x
API String ID: 20913588-3202290428
Opcode ID: 768f457529084253f463b37839e8fa1816c7609cc994d824bb27b2bb77239e30
Instruction ID: 381ac2394b35dc000fac2210046e451ac46684db4f37c90a205973a67b38b073
Opcode Fuzzy Hash: 768f457529084253f463b37839e8fa1816c7609cc994d824bb27b2bb77239e30
Instruction Fuzzy Hash: 7F518D72A28F8196EB108F62E8403A933E5FB44BD8F404139DA4E97B6ADF3DD159D314

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758EBE8 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF61758EBFE
GetModuleHandleW.KERNEL32 ref: 00007FF61758EC0B
GetModuleHandleW.KERNEL32 ref: 00007FF61758EC20
GetProcAddress.KERNEL32 ref: 00007FF61758EC38
GetProcAddress.KERNEL32 ref: 00007FF61758EC4B
CreateEventW.KERNEL32 ref: 00007FF61758EC77
DeleteCriticalSection.KERNEL32 ref: 00007FF61758ECC3
CloseHandle.KERNEL32 ref: 00007FF61758ECD5

Strings

kernel32.dll, xrefs: 00007FF61758EC19
WakeAllConditionVariable, xrefs: 00007FF61758EC3E
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF61758EC04
SleepConditionVariableCS, xrefs: 00007FF61758EC2E

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: c4ce521b54123e40f2a4c33261a7ee44a6471a2646a2cce499864e056e4be369
Instruction ID: 0e9cc5ef5c5bfbfe776783f3a2d7b4dddd9ca7b568730cacb7802008b7cf86d3
Opcode Fuzzy Hash: c4ce521b54123e40f2a4c33261a7ee44a6471a2646a2cce499864e056e4be369
Instruction Fuzzy Hash: 1A213C60E1DE53D2FF549B22E85617473A0AF98FA0F540439C90EC66A3EE3CE449A310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6175826A0 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 234memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6175826FB
DeviceIoControl.KERNEL32 ref: 00007FF617582756
DeviceIoControl.KERNEL32 ref: 00007FF6175827D3
VirtualAlloc.KERNEL32 ref: 00007FF61758282A
DeviceIoControl.KERNEL32 ref: 00007FF6175828A2
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF617582936
VirtualFree.KERNEL32 ref: 00007FF61758299C
VirtualFree.KERNEL32 ref: 00007FF617582A1A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617582A56
VirtualFree.KERNEL32 ref: 00007FF617582A68

Strings

3, xrefs: 00007FF61758288B

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: Virtual$ControlDeviceFree$Alloc_invalid_parameter_noinfo_noreturn_stricmpmemset
String ID: 3
API String ID: 1424858730-1842515611
Opcode ID: 6213ede2f433992a2591b7b58782d74ce245e1a8d5168f4aa95bd60e5e5d9d76
Instruction ID: baa4ebf0327594c3266986046402564e7ec9b8a3ec7fdd57e3cf6b778a1ed992
Opcode Fuzzy Hash: 6213ede2f433992a2591b7b58782d74ce245e1a8d5168f4aa95bd60e5e5d9d76
Instruction Fuzzy Hash: 52A17332A18F8187E7508B26E48436E77A5FB84BE4F100235DA9D87BA9DF7CD495DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617586380 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6175863C7
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6175863EF
GetProcAddress.KERNEL32 ref: 00007FF617586424
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6175864FA
DeviceIoControl.KERNEL32 ref: 00007FF617586577

Part of subcall function 00007FF617582090: DeviceIoControl.KERNEL32 ref: 00007FF617582113
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF617582136
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582146

Strings

[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF6175865A9
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF617586432
ntdll.dll, xrefs: 00007FF6175863C0
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF61758651F
NtAddAtom, xrefs: 00007FF61758641A, 00007FF61758649D
[-] Failed to load ntdll.dll, xrefs: 00007FF6175863D2

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$ControlDeviceV01@@$AddressHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 368370636-2622504768
Opcode ID: 07a35007ed487b56f4db587970e95c09a46324f4da80d6a941353208fa08caac
Instruction ID: 1554fe4dbc04fdf870eb25a5b0943a11407709ff757f975007c8f737ab75fcc0
Opcode Fuzzy Hash: 07a35007ed487b56f4db587970e95c09a46324f4da80d6a941353208fa08caac
Instruction Fuzzy Hash: CF715D62B1CE529AFB10CBA2E4503BC3771AB54BA4F844135D94D97AABDF3CD509D310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617587770 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00000000), ref: 00007FF6175877BA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00000000), ref: 00007FF6175877E2
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00000000), ref: 00007FF617587812
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00000000), ref: 00007FF6175878E8
DeviceIoControl.KERNEL32 ref: 00007FF617587965

Part of subcall function 00007FF617582090: DeviceIoControl.KERNEL32 ref: 00007FF617582113
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF617582136
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582146

Strings

[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF617587997
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF617587820
ntdll.dll, xrefs: 00007FF6175877B3
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF61758790D
NtAddAtom, xrefs: 00007FF617587808, 00007FF61758788B
[-] Failed to load ntdll.dll, xrefs: 00007FF6175877C5

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$ControlDeviceV01@@$AddressHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 368370636-2622504768
Opcode ID: 81b4bedc38861b05086186993a6f74988c16882a15b613ea5cb71aaaf96ff6c4
Instruction ID: c7d62ee00f22726608506ad8436f232209a19c86c9093e73a1140ead54931415
Opcode Fuzzy Hash: 81b4bedc38861b05086186993a6f74988c16882a15b613ea5cb71aaaf96ff6c4
Instruction Fuzzy Hash: B4619E62F2DE429AFB40CBA2E8503BC33B1AB44FA8F804536DD4D966A7DE3C9115D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6175879F0 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF617587A3A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617587A62
GetProcAddress.KERNEL32 ref: 00007FF617587A92
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617587B68
DeviceIoControl.KERNEL32 ref: 00007FF617587BE5

Part of subcall function 00007FF617582090: DeviceIoControl.KERNEL32 ref: 00007FF617582113
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF617582136
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582146

Strings

[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF617587C17
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF617587AA0
ntdll.dll, xrefs: 00007FF617587A33
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF617587B8D
NtAddAtom, xrefs: 00007FF617587A88, 00007FF617587B0B
[-] Failed to load ntdll.dll, xrefs: 00007FF617587A45

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$ControlDeviceV01@@$AddressHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 368370636-2622504768
Opcode ID: 84c97eca53465d08e78729226a55af830cb9339d32ed7463627f7794beb48f5d
Instruction ID: dc27a84b499905229fc3d55e16ef3ce98bfba251ca250e2af56912b6d7596853
Opcode Fuzzy Hash: 84c97eca53465d08e78729226a55af830cb9339d32ed7463627f7794beb48f5d
Instruction Fuzzy Hash: B7619D62F2CE429AFB00CBA2E8503BC3372AB54BA8F404535D94D977A6EE3CD615D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617586890 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6175868DA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF617586902
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF617586932
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF617586A08
DeviceIoControl.KERNEL32 ref: 00007FF617586A85

Part of subcall function 00007FF617582090: DeviceIoControl.KERNEL32 ref: 00007FF617582113
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF617582136
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582146

Strings

[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF617586AB7
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF617586940
ntdll.dll, xrefs: 00007FF6175868D3
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF617586A2D
NtAddAtom, xrefs: 00007FF617586928, 00007FF6175869AB
[-] Failed to load ntdll.dll, xrefs: 00007FF6175868E5

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$ControlDeviceV01@@$AddressHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 368370636-2622504768
Opcode ID: 9a4293af2f4150105d48851c55dbca0007aceb5460ac93198b3acfaaf17999c1
Instruction ID: a1848dacbc797ba4ec7666e46af459e9aa370932dc54340dd25616f1d1a5eecd
Opcode Fuzzy Hash: 9a4293af2f4150105d48851c55dbca0007aceb5460ac93198b3acfaaf17999c1
Instruction Fuzzy Hash: 70618C62F2CE52DAFB00CB62E8503BC37A1AB44BA8F444135D95D96AA7DF3CD509E310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617586100 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 153libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF617586147
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758616F
GetProcAddress.KERNEL32 ref: 00007FF6175861A4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758627B
DeviceIoControl.KERNEL32 ref: 00007FF6175862F8

Part of subcall function 00007FF617582090: DeviceIoControl.KERNEL32 ref: 00007FF617582113
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF617582136
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582146

Strings

[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF61758632A
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF6175861B2
ntdll.dll, xrefs: 00007FF617586140
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF6175862A0
NtAddAtom, xrefs: 00007FF61758619A, 00007FF61758621E
[-] Failed to load ntdll.dll, xrefs: 00007FF617586152

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$ControlDeviceV01@@$AddressHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 368370636-2622504768
Opcode ID: d20ad06c7b61c352fce585a0ff8434ccb2eb07d43663d833fa1180daf7105303
Instruction ID: 4a25016c70ecf8101f23b6a7d10f6a8a73cb5b0013bfc12a54041ccaf2d48bac
Opcode Fuzzy Hash: d20ad06c7b61c352fce585a0ff8434ccb2eb07d43663d833fa1180daf7105303
Instruction Fuzzy Hash: 61717B61B1DE529AFB10CB66E8503AC23B1AB54BA8F404136DE4D87BABDF3CE505D350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617587280 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 151libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6175872C7
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6175872EF
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF617587324
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6175873FA
DeviceIoControl.KERNEL32 ref: 00007FF617587477

Part of subcall function 00007FF617582090: DeviceIoControl.KERNEL32 ref: 00007FF617582113
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF617582136
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582146

Strings

[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF6175874A9
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF617587332
ntdll.dll, xrefs: 00007FF6175872C0
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF61758741F
NtAddAtom, xrefs: 00007FF61758731A, 00007FF61758739D
[-] Failed to load ntdll.dll, xrefs: 00007FF6175872D2

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$ControlDeviceV01@@$AddressHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 368370636-2622504768
Opcode ID: be05baaf74b1d8d274d14c97ad0e4151864797468fb0b1e4271cb7cd2fbe5eef
Instruction ID: bb924c3d9beb56c155d90feb482ad541ff87cdb90f7f08973ee97d4dc3a574da
Opcode Fuzzy Hash: be05baaf74b1d8d274d14c97ad0e4151864797468fb0b1e4271cb7cd2fbe5eef
Instruction Fuzzy Hash: 2C61BE62B2CE829AFB00CFA6E4403BC37A1AB44BA8F444535D94D876A7DF3DD555D310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758BEF0 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 151libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF61758BF33
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758BF5B
GetProcAddress.KERNEL32 ref: 00007FF61758BF90
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758C066
DeviceIoControl.KERNEL32 ref: 00007FF61758C0E3

Part of subcall function 00007FF617582090: DeviceIoControl.KERNEL32 ref: 00007FF617582113
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF617582136
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582146

Strings

[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF61758C115
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF61758BF9E
ntdll.dll, xrefs: 00007FF61758BF2C
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF61758C08B
NtAddAtom, xrefs: 00007FF61758BF86, 00007FF61758C009
[-] Failed to load ntdll.dll, xrefs: 00007FF61758BF3E

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$ControlDeviceV01@@$AddressHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 368370636-2622504768
Opcode ID: 75e2e38410f586f35d8dddb7e1d72bdc8479a1fee9ad144a26da23a9d45f23ed
Instruction ID: 9fd0bba6b7f361decf661aee960760f3a6bd054e58d650c6ac341d17eb0a59dc
Opcode Fuzzy Hash: 75e2e38410f586f35d8dddb7e1d72bdc8479a1fee9ad144a26da23a9d45f23ed
Instruction Fuzzy Hash: 87617E62B1CF429AFB40CF66E8503BC33A1AB55BA8F404135E95D86AABDF3CE545D340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617586610 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 151libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF617586657
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758667F
GetProcAddress.KERNEL32 ref: 00007FF6175866B4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758678A
DeviceIoControl.KERNEL32 ref: 00007FF617586807

Part of subcall function 00007FF617582090: DeviceIoControl.KERNEL32 ref: 00007FF617582113
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF617582136
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582146

Strings

[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF617586839
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF6175866C2
ntdll.dll, xrefs: 00007FF617586650
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF6175867AF
NtAddAtom, xrefs: 00007FF6175866AA, 00007FF61758672D
[-] Failed to load ntdll.dll, xrefs: 00007FF617586662

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$ControlDeviceV01@@$AddressHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 368370636-2622504768
Opcode ID: 39f50019deb99410ad90aec79f35fd3a5a99c60ca9ebc274ef96fc974d90439a
Instruction ID: 335f4aa9d649499728b851fa252330527cd7f296bc26b5312f6ec4268d31651e
Opcode Fuzzy Hash: 39f50019deb99410ad90aec79f35fd3a5a99c60ca9ebc274ef96fc974d90439a
Instruction Fuzzy Hash: 5F613D61B2CE82AAFB40CF62E8513BC37A1EB44BA8F844535D94D866ABDF3CD505D350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617586B10 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 150libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF617586B57
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF617586B7F
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF617586BB4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF617586C8A
DeviceIoControl.KERNEL32 ref: 00007FF617586D07

Part of subcall function 00007FF617582090: DeviceIoControl.KERNEL32 ref: 00007FF617582113
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF617582136
Part of subcall function 00007FF617582090: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617582146

Strings

[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF617586D39
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF617586BC2
ntdll.dll, xrefs: 00007FF617586B50
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF617586CAF
NtAddAtom, xrefs: 00007FF617586BAA, 00007FF617586C2D
[-] Failed to load ntdll.dll, xrefs: 00007FF617586B62

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$ControlDeviceV01@@$AddressHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 368370636-2622504768
Opcode ID: cead50ffe5b47cfb8cc927cc365ac5db4de201711db484fc60612dd3b6970a6a
Instruction ID: a27c73555aaf4a8d65aeebd9035ae2f40eec23e2a8839880512ac3cf59a13e50
Opcode Fuzzy Hash: cead50ffe5b47cfb8cc927cc365ac5db4de201711db484fc60612dd3b6970a6a
Instruction Fuzzy Hash: 96618F62B2CE4296FB40CF62E8503B837A1EB48BA8F444135D94D87BABDE3CE545D310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617583BF0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 118COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,00000000,?,00000000,00007FF617583F0F,00000000,?,?,?,00000000), ref: 00007FF617583C3A
DeviceIoControl.KERNEL32 ref: 00007FF617583CC9
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617583D58
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,00000000,?,00000000,00007FF617583F0F,00000000,?,?,?,00000000), ref: 00007FF617583D9B

Strings

[-] Can't find pattern, xrefs: 00007FF617583D42
[-] No module address to find pattern, xrefs: 00007FF617583C1D
[-] Read failed in FindPatternAtKernel, xrefs: 00007FF617583D85
[-] Can't find pattern, Too big section, xrefs: 00007FF617583C50
3, xrefs: 00007FF617583CAD

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@W@std@@@std@@$ControlDevice
String ID: 3$[-] Can't find pattern$[-] Can't find pattern, Too big section$[-] No module address to find pattern$[-] Read failed in FindPatternAtKernel
API String ID: 3608848186-1666346959
Opcode ID: 25de1d027680055c0d75dfb10a8cff5800750f9e1251e320f3cd241881b6fdc3
Instruction ID: 1a98024634ddbcf6854b197f8bb4de9707306df997ee783884b334105f1e6de1
Opcode Fuzzy Hash: 25de1d027680055c0d75dfb10a8cff5800750f9e1251e320f3cd241881b6fdc3
Instruction Fuzzy Hash: ED51A261A2DE9282EB609B12E8503B973A4BB84FF0F904136D98D877A7DE3CD445E700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617589AD0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6175893B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6175894B9

_CxxThrowException.VCRUNTIME140 ref: 00007FF617589B23
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF617589B80
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF617589B8E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF617589B61

Part of subcall function 00007FF617585EE0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617585F7C
Part of subcall function 00007FF617585EE0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617585FD9
Part of subcall function 00007FF617585EE0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617585FFC
Part of subcall function 00007FF617585EE0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758601D

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617589BB3

Part of subcall function 00007FF617585EE0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF617586066
Part of subcall function 00007FF617585EE0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758606D
Part of subcall function 00007FF617585EE0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF617581549), ref: 00007FF61758607A

Strings

exists, xrefs: 00007FF617589AE4
[!!] Crash, xrefs: 00007FF617589B9D
[!!] Crash at addr 0x, xrefs: 00007FF617589B4B
by 0x, xrefs: 00007FF617589B6A

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_$D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@ExceptionOsfx@?$basic_ostream@ThrowV01@@V12@V21@@Vios_base@1@_invalid_parameter_noinfo_noreturn
String ID: by 0x$[!!] Crash$[!!] Crash at addr 0x$exists
API String ID: 1156142711-3783130642
Opcode ID: 2433a08d44a14ffa2f4b717e79ea06eeccedfbf0a0fe6e1c3e1452175cb43441
Instruction ID: 638a4e2ca5f28aeeac76b890933273ce3f3d5d16c5de8cfe1ea67145771c1466
Opcode Fuzzy Hash: 2433a08d44a14ffa2f4b717e79ea06eeccedfbf0a0fe6e1c3e1452175cb43441
Instruction Fuzzy Hash: BE214DA1A29E47D2EF05DB26E8512B52361BF94FA4F409136D94D872A7EF3CE584D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6175894E0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF61758953C

Part of subcall function 00007FF61758E5C0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF617589541), ref: 00007FF61758E5C4
Part of subcall function 00007FF61758E5C0: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF617589541), ref: 00007FF61758E5D3

memcpy.VCRUNTIME140 ref: 00007FF617589606
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6175896F1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617589736
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617589784

Strings

: ", xrefs: 00007FF61758966C
", ", xrefs: 00007FF61758969F

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ApisFile___lc_codepage_func__std_fs_code_pagememcpy
String ID: ", "$: "
API String ID: 2077005984-747220369
Opcode ID: 16bf5ebe2fff60483ae1d27a1e0273d33ada5ad7d3949c36599683d03e71c104
Instruction ID: 27dbe00ffb12207c92b5563907a7fa5454a543dc4f8395544f84bb8117072dcf
Opcode Fuzzy Hash: 16bf5ebe2fff60483ae1d27a1e0273d33ada5ad7d3949c36599683d03e71c104
Instruction Fuzzy Hash: 80817C62B24E418AFB04DF66E4443AC2372EB45FA8F404535DE5EA3B9ADF38D591D380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758E170 Relevance: 12.2, APIs: 8, Instructions: 167COMMON

Download Yara Rule

APIs

?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF61758E1B1
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF61758E1DC
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF61758E226
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF61758E250
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF61758E275
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF61758E2BC
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF61758E314
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF61758E35C

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sgetc@?$basic_streambuf@$?sbumpc@?$basic_streambuf@
String ID:
API String ID: 2679766405-0
Opcode ID: b6f55c8de661949aee00f3984c83d90d78f2788c2d7a99471a7ded81e72e6142
Instruction ID: 3122a69981dcf58aaacadcae26aaa1f15617d094fe37c78bca203c32034d1a76
Opcode Fuzzy Hash: b6f55c8de661949aee00f3984c83d90d78f2788c2d7a99471a7ded81e72e6142
Instruction Fuzzy Hash: 7261272261DEC286EB259B23A5401397670AF29F74F088538DE6A872D3DF3DE464B310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758BB00 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61758DF00: NtQuerySystemInformation.NTDLL ref: 00007FF61758DF30
Part of subcall function 00007FF61758DF00: VirtualFree.KERNEL32 ref: 00007FF61758DF50
Part of subcall function 00007FF61758DF00: VirtualAlloc.KERNEL32 ref: 00007FF61758DF66
Part of subcall function 00007FF61758DF00: NtQuerySystemInformation.NTDLL ref: 00007FF61758DF81
Part of subcall function 00007FF61758DF00: VirtualFree.KERNEL32 ref: 00007FF61758DFA2

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758BC19
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758BC74
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758BD89

Strings

wasn't found, xrefs: 00007FF61758BC5B
[-] Failed to resolve import , xrefs: 00007FF61758BBAC
[-] Dependency , xrefs: 00007FF61758BC2F

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$Virtual$??6?$basic_ostream@_FreeInformationQuerySystemU?$char_traits@_V01@@W@std@@@std@@$Alloc_invalid_parameter_noinfo_noreturn
String ID: wasn't found$[-] Dependency $[-] Failed to resolve import
API String ID: 4161254548-3042260135
Opcode ID: b75a786da65429a35c51f41b5eccc472ef01767a1e1ccf5411a84107e1a4d6ea
Instruction ID: 03c5ecc059956ae65b782f836deba387effe95b630a8888bf6d87160b06d6e01
Opcode Fuzzy Hash: b75a786da65429a35c51f41b5eccc472ef01767a1e1ccf5411a84107e1a4d6ea
Instruction Fuzzy Hash: 526171A1B2AF4283EF04DB57E4552B92395AB49FE0B445436DE1D8775BEF3CE4809340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617588570 Relevance: 10.6, APIs: 7, Instructions: 146COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF617588604
memcpy.VCRUNTIME140 ref: 00007FF61758864F
memcpy.VCRUNTIME140 ref: 00007FF617588667
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617588702

Part of subcall function 00007FF61758EE80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF617585E2E), ref: 00007FF61758EE9A

memcpy.VCRUNTIME140 ref: 00007FF617588738
memcpy.VCRUNTIME140 ref: 00007FF617588756
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF617588779

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 10da492c311634369be122289dfe6daa27bba4e054799d58432064070a81cbd1
Instruction ID: 74c524ebbed6aca90c100196fded5467f8a18b0ecd4ce6876669586a4523050b
Opcode Fuzzy Hash: 10da492c311634369be122289dfe6daa27bba4e054799d58432064070a81cbd1
Instruction Fuzzy Hash: 19516D32A24F8592EB20AB26E5442686360FB19FE4F544A35DB6D877D2DF3CF194D340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758C170 Relevance: 10.6, APIs: 7, Instructions: 134COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF61758C20B
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF61758C266
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF61758C288
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF61758C2A9
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF61758C2F1
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF61758C2F8
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF61758C305

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@U?$char_traits@_V12@W@std@@@std@@
String ID:
API String ID: 1696915518-0
Opcode ID: 7c5af59a61a5901a94b9be4e371c288fb094c82f43e77d766fac9c546b8e14dc
Instruction ID: 8710a9050ca5916f2d86d4fde7c913434a0e5f0d42a190911ebf00ede93cfa21
Opcode Fuzzy Hash: 7c5af59a61a5901a94b9be4e371c288fb094c82f43e77d766fac9c546b8e14dc
Instruction Fuzzy Hash: 27514132618E4182EB208B5BE594278A760FB85FA1F15C575CE9F877E2CF3AD446D340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758C460 Relevance: 10.6, APIs: 7, Instructions: 133COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF61758C4E7
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF61758C53E
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF61758C568
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF61758C5A3
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF61758C5D7
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF61758C5DE
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF61758C5EB

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@U?$char_traits@_V12@W@std@@@std@@
String ID:
API String ID: 1696915518-0
Opcode ID: 6809e7df6b3b435e6e7a0ca89babc5ee645a15c7694824f258ba07736d3164ee
Instruction ID: 085116b623abe581016a614afcde1847296f4df5b07ae0368f421c79b0d9ec62
Opcode Fuzzy Hash: 6809e7df6b3b435e6e7a0ca89babc5ee645a15c7694824f258ba07736d3164ee
Instruction Fuzzy Hash: 20515072A18E4182EF208B1BE594279A7A1FB85FE1F15C675CE4E877A2CF3DD4859300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758DC20 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF61758DC61
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF61758DC80
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF61758DC9F
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF61758DCDD
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF61758DCFD
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF61758DD46

Part of subcall function 00007FF61758E170: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF61758E1B1
Part of subcall function 00007FF61758E170: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF61758E1DC
Part of subcall function 00007FF61758E170: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF61758E226
Part of subcall function 00007FF61758E170: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF61758E2BC

Part of subcall function 00007FF617585A50: fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF617585AB5
Part of subcall function 00007FF617585A50: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF617585AD1

?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?), ref: 00007FF61758DDF4

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$?sgetc@?$basic_streambuf@$?setstate@?$basic_ios@_Init@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@D@std@@@1@_V?$basic_streambuf@fclosememset
String ID:
API String ID: 3541683867-0
Opcode ID: 7c43e1f59e50279b32c3c19cd75952e97e27e4d7079a0b117e2feb7ed43b3fa7
Instruction ID: 50a402bf2ef81338cd5e5c99aa099943d02b288ba137a4ae20d45aa4c489c06d
Opcode Fuzzy Hash: 7c43e1f59e50279b32c3c19cd75952e97e27e4d7079a0b117e2feb7ed43b3fa7
Instruction Fuzzy Hash: 03516E32628F85C6DB10CB25E4802AEB7B0FB99B54F444526EA8D83B69DF7CD505CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617583DD0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FF617583E62
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617583EF3

Strings

[-] Can't find section, xrefs: 00007FF617583ED6
[-] Can't read module headers, xrefs: 00007FF617583E6C
PAGE, xrefs: 00007FF617583EA7
3, xrefs: 00007FF617583E4C

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_ControlDeviceU?$char_traits@_V01@@W@std@@@std@@
String ID: 3$PAGE$[-] Can't find section$[-] Can't read module headers
API String ID: 2444052014-2613856548
Opcode ID: 2462984fb34f65ef7ceb8d57b29be2cf40297862bc9cd2c2b3f74bb965730f32
Instruction ID: 204883810b97e35ee0111951df8c372666f8da6d508bd94b77727f09b5bb9976
Opcode Fuzzy Hash: 2462984fb34f65ef7ceb8d57b29be2cf40297862bc9cd2c2b3f74bb965730f32
Instruction Fuzzy Hash: 3341A472B18F8183EB108F16E44067977A0FB44BA4F900239EA8D837AADF7CD445D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617587EE0 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617587F08
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617587F22
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617587F4C
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617587F77
std::_Facet_Register.LIBCPMT ref: 00007FF617587F90
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617587FAF
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF617587FD5

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: aac081fb6ab8dc4e0cedd32f07939e52412442d89e45bfb77454185207a42477
Instruction ID: 40224426735d93822e8355abc283b79df85c8a4105a93baf28aada752b2eeb73
Opcode Fuzzy Hash: aac081fb6ab8dc4e0cedd32f07939e52412442d89e45bfb77454185207a42477
Instruction Fuzzy Hash: B7317C22A18E4682EB109F13E440179B760FB98FF4F081635EA9E837AADF3CD441D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617587FE0 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617588008
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617588022
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF61758804C
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF617588077
std::_Facet_Register.LIBCPMT ref: 00007FF617588090
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF617585B63), ref: 00007FF6175880AF
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6175880D5

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$ctype@_Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@W@std@@std::_
String ID:
API String ID: 3972169111-0
Opcode ID: 5c0b4609359dca811e414cc2bdfba58c66f13b7f3c4bdf40a9d3cef80f24584a
Instruction ID: ec71ea2868e6321209fad868728e74b3081824690b2ee256260fd48f3179feea
Opcode Fuzzy Hash: 5c0b4609359dca811e414cc2bdfba58c66f13b7f3c4bdf40a9d3cef80f24584a
Instruction Fuzzy Hash: CF313C22A68F41C2EB149B16F85016977A0FB98FE4B084635DAAE877A6DF3CE441C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617584F20 Relevance: 9.2, APIs: 6, Instructions: 174COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF617584FCD

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: 2ae6432ab8bce6caa6c654dc9fda8d20a7f15626e7c950d6e5d4c36c8342661c
Instruction ID: 2ebe6670ce9a406cce2765a41bf06da58a7cd02c93916dd13e8be99ef5830761
Opcode Fuzzy Hash: 2ae6432ab8bce6caa6c654dc9fda8d20a7f15626e7c950d6e5d4c36c8342661c
Instruction Fuzzy Hash: 8E816A32B24E41CAEB008F66D4802AC37B1FB48B68F644636DE5D93B9ADF38D495D350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758ACA0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF61758AD8E
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF61758AD9B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF61758ADD4
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF61758ADDE
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF61758ADEB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61758AE19

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: memcpymemset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3189120677-0
Opcode ID: 5bbfdf141c7cbc7c28c36d4fab6bb606404a323813984a4d5d51a7c37aaf269f
Instruction ID: 12f979b1d90d203fe00e6f76c3ade01a12c8aedda939d799d83c0850665da60d
Opcode Fuzzy Hash: 5bbfdf141c7cbc7c28c36d4fab6bb606404a323813984a4d5d51a7c37aaf269f
Instruction Fuzzy Hash: D841C362B29E8142EF64DB17A4042A96255EB49FF0F440B35DF6D877D7DE3CD151A300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758AE30 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,00007FF61758A895), ref: 00007FF61758AF23
memcpy.VCRUNTIME140(?,?,?,?,?,?,00007FF61758A895), ref: 00007FF61758AF31
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00007FF61758A895), ref: 00007FF61758AF6A
memcpy.VCRUNTIME140(?,?,?,?,?,?,00007FF61758A895), ref: 00007FF61758AF74
memcpy.VCRUNTIME140(?,?,?,?,?,?,00007FF61758A895), ref: 00007FF61758AF82
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61758AFB1

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 6e0001885c67a5ca7cbdb1913dfd76d2cca26bbd218eb2987c13fad8a98a0af5
Instruction ID: 6b3cfa073aafb731de444b142230b6909e3389eaf847160a6c24cd804542ebec
Opcode Fuzzy Hash: 6e0001885c67a5ca7cbdb1913dfd76d2cca26bbd218eb2987c13fad8a98a0af5
Instruction Fuzzy Hash: 5241C362729E4146EF249B17A5042696351EB48FF4F440A36EF6D8BBC7CE3CD151A304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617585320 Relevance: 7.6, APIs: 5, Instructions: 103COMMON

Download Yara Rule

APIs

?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 00007FF617585368

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@
String ID:
API String ID: 3551493264-0
Opcode ID: e2410bce05d058eee38531beec051a3aa21e569b295d64732deea3f4c073b2e8
Instruction ID: 23dcacd243cf44cd5c2c02895a7765e2acf347416e1c37dfb14510d077f41770
Opcode Fuzzy Hash: e2410bce05d058eee38531beec051a3aa21e569b295d64732deea3f4c073b2e8
Instruction Fuzzy Hash: EC415F32A19F8186DB508F2AE4403AD73A0FB84FA9F644136DA9D877A9DE7CD445D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6175832F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758342C
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF61758347E

Part of subcall function 00007FF6175879F0: GetModuleHandleA.KERNEL32 ref: 00007FF617587A3A
Part of subcall function 00007FF6175879F0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF617587A62

Strings

RtlLookupElementGenericTableAvl, xrefs: 00007FF6175833CB
[!] Failed to find RtlLookupElementGenericTableAvl, xrefs: 00007FF617583461

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@W@std@@@std@@$HandleModule_invalid_parameter_noinfo_noreturn
String ID: RtlLookupElementGenericTableAvl$[!] Failed to find RtlLookupElementGenericTableAvl
API String ID: 4059861771-1952825546
Opcode ID: f91b4048907dee39513a2d9e2412090ece693978832c89e79cced1154a2d6241
Instruction ID: 24f59a58977e10e6003f85e288d3d5941b55cf47907299459fbeb47ab01ad50b
Opcode Fuzzy Hash: f91b4048907dee39513a2d9e2412090ece693978832c89e79cced1154a2d6241
Instruction Fuzzy Hash: C1415E62A2CF8282EB50DB16E8553696360FB85BB0F540239EA9D837B7DF7CD045DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617583050 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6175836CA), ref: 00007FF617583160

Part of subcall function 00007FF61758ED70: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF6175861F9), ref: 00007FF61758ED80

Part of subcall function 00007FF617585D50: memcpy.VCRUNTIME140 ref: 00007FF617585D81

Part of subcall function 00007FF6175826A0: memset.VCRUNTIME140 ref: 00007FF6175826FB
Part of subcall function 00007FF6175826A0: DeviceIoControl.KERNEL32 ref: 00007FF617582756
Part of subcall function 00007FF6175826A0: DeviceIoControl.KERNEL32 ref: 00007FF6175827D3
Part of subcall function 00007FF6175826A0: VirtualAlloc.KERNEL32 ref: 00007FF61758282A

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617583120

Strings

ExAcquireResourceExclusiveLite, xrefs: 00007FF6175830BF
[!] Failed to find ExAcquireResourceExclusiveLite, xrefs: 00007FF617583143

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@_AllocCriticalEnterSectionU?$char_traits@_V01@@VirtualW@std@@@std@@_invalid_parameter_noinfo_noreturnmemcpymemset
String ID: ExAcquireResourceExclusiveLite$[!] Failed to find ExAcquireResourceExclusiveLite
API String ID: 254689191-2131800721
Opcode ID: d56bb215954a491db55e19e084b643cf47709b202a96c0a336a4315cd5726018
Instruction ID: 2f5873be940790ad91f355184462454f7adf3ff1f13e00cb0326325e72c2c50d
Opcode Fuzzy Hash: d56bb215954a491db55e19e084b643cf47709b202a96c0a336a4315cd5726018
Instruction Fuzzy Hash: 2F315C61A2CE4292EB50DB16E8403692361AF84FF0F505231E55EC66B7DF3CE085D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6175822E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6175823E8

Part of subcall function 00007FF61758ED70: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF6175861F9), ref: 00007FF61758ED80

Part of subcall function 00007FF617585D50: memcpy.VCRUNTIME140 ref: 00007FF617585D81

Part of subcall function 00007FF6175826A0: memset.VCRUNTIME140 ref: 00007FF6175826FB
Part of subcall function 00007FF6175826A0: DeviceIoControl.KERNEL32 ref: 00007FF617582756
Part of subcall function 00007FF6175826A0: DeviceIoControl.KERNEL32 ref: 00007FF6175827D3
Part of subcall function 00007FF6175826A0: VirtualAlloc.KERNEL32 ref: 00007FF61758282A

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6175823A8

Strings

MmUnmapLockedPages, xrefs: 00007FF617582347
[!] Failed to find MmUnmapLockedPages, xrefs: 00007FF6175823CB

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@_AllocCriticalEnterSectionU?$char_traits@_V01@@VirtualW@std@@@std@@_invalid_parameter_noinfo_noreturnmemcpymemset
String ID: MmUnmapLockedPages$[!] Failed to find MmUnmapLockedPages
API String ID: 254689191-2848997145
Opcode ID: 973acc5280c27da670c3b9094c275da85e44886411f116d0b83930af2ca6f37e
Instruction ID: f0d30d13ea2cf3be4eb4cb6f4d4fc763574dfc3f0867b8b57d7a4bc0f154651c
Opcode Fuzzy Hash: 973acc5280c27da670c3b9094c275da85e44886411f116d0b83930af2ca6f37e
Instruction Fuzzy Hash: D1318D61A2CE4692EB40DB16E8513A92361EB84FF0F501235EA5DC37EBDE3CE485E300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617582420 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF61758B242), ref: 00007FF617582527

Part of subcall function 00007FF61758ED70: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF6175861F9), ref: 00007FF61758ED80

Part of subcall function 00007FF617585D50: memcpy.VCRUNTIME140 ref: 00007FF617585D81

Part of subcall function 00007FF6175826A0: memset.VCRUNTIME140 ref: 00007FF6175826FB
Part of subcall function 00007FF6175826A0: DeviceIoControl.KERNEL32 ref: 00007FF617582756
Part of subcall function 00007FF6175826A0: DeviceIoControl.KERNEL32 ref: 00007FF6175827D3
Part of subcall function 00007FF6175826A0: VirtualAlloc.KERNEL32 ref: 00007FF61758282A

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FF61758B242), ref: 00007FF6175824E7

Strings

[!] Failed to find MmFreePagesFromMdl, xrefs: 00007FF61758250A
MmFreePagesFromMdl, xrefs: 00007FF617582486

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@_AllocCriticalEnterSectionU?$char_traits@_V01@@VirtualW@std@@@std@@_invalid_parameter_noinfo_noreturnmemcpymemset
String ID: MmFreePagesFromMdl$[!] Failed to find MmFreePagesFromMdl
API String ID: 254689191-1029121595
Opcode ID: fa20e3aab8d1f4d46187acd225339f3e817f5b10ade771ad89716a3a21e68c40
Instruction ID: f2256c83f51cc6f6a2fd11a350f3d2b3dd58e1ab743f78395e1789fda7ab3c0f
Opcode Fuzzy Hash: fa20e3aab8d1f4d46187acd225339f3e817f5b10ade771ad89716a3a21e68c40
Instruction Fuzzy Hash: 69317C71A2CE4292EB50DB26F8503692361BB88FF4F501231D69DC7AABDE3CD144D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6175897C0 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 00007FF6175898D1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6175898FD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617589A2B
__std_exception_copy.VCRUNTIME140 ref: 00007FF617589A6D

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: 2205cfd6339c9498596a29b3c30bdf12889898d0983d2445d7fbeb32194565aa
Instruction ID: 2aa1b13593c9bfb88dbf2ce3a9568c087ad602f06937f8608198bd9cacb34070
Opcode Fuzzy Hash: 2205cfd6339c9498596a29b3c30bdf12889898d0983d2445d7fbeb32194565aa
Instruction Fuzzy Hash: FF817CB2A14E8292EB049F2AD49436C7335EB45F98F908035D78D47A6AEF78D8D5D340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758CF70 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF61758D0D4

Part of subcall function 00007FF61758EE80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF617585E2E), ref: 00007FF61758EE9A

memcpy.VCRUNTIME140 ref: 00007FF61758D0C1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758D16E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61758D17B

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 6b6b4b9d01e2ae7b584df43724403675c4a8dc56640d5bda716cf79e8d65e3d1
Instruction ID: 8481120334a286960d613774e5cb4eade15eb4755782cfacbb325473050e32d9
Opcode Fuzzy Hash: 6b6b4b9d01e2ae7b584df43724403675c4a8dc56640d5bda716cf79e8d65e3d1
Instruction Fuzzy Hash: 1F51ADB2B24F8A82DE04CB26D5441A963E0FB49FD0B448636DE5D87796EF3CE1929340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617585D50 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF617585D81
memcpy.VCRUNTIME140 ref: 00007FF617585E46
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF617585E9A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF617585EA1

Part of subcall function 00007FF61758EE80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF617585E2E), ref: 00007FF61758EE9A

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: e9607e1459929ec6f4067fa4e678572a91a8c4d957252fc830ff298ec4cc2cb7
Instruction ID: 3995f03a9ae1a16a1657e0cc52514f0daaacf57c3d582a3cc26e8ab0a3cda593
Opcode Fuzzy Hash: e9607e1459929ec6f4067fa4e678572a91a8c4d957252fc830ff298ec4cc2cb7
Instruction Fuzzy Hash: 8F41D332B26E4546EF19DB27954427823519B04FF8F644A36DE2D47BDADE3CE4829300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617588250 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF617588357
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758839A
memcpy.VCRUNTIME140 ref: 00007FF6175883A4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6175883DF

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 27f7ce9152dddb5a4e3372883ab6ead06d49ff1432c807abeec17e9e7f9a3675
Instruction ID: e587df09e0137c48cb41f4ab70f6acee9172fc8e9d32b0bc461309fb9bce8024
Opcode Fuzzy Hash: 27f7ce9152dddb5a4e3372883ab6ead06d49ff1432c807abeec17e9e7f9a3675
Instruction Fuzzy Hash: B541CE22B29F4682EB149B13E94416D6265EB08FF4F440735DE6E87BD6DF7CE091A300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617585BD0 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,00007FF617581582), ref: 00007FF617585C0B
memcpy.VCRUNTIME140(?,?,00000000,00007FF617581582), ref: 00007FF617585CEC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF617581582), ref: 00007FF617585D35
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF617585D42

Part of subcall function 00007FF61758EE80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF617585E2E), ref: 00007FF61758EE9A

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: ccd7cce03d4ba9b0a9d7e9de07282b700467601af26e8bc8264e1f254a4e127b
Instruction ID: b67706c7f76cc14638ccaff7ad416d898c8ad58e0d812a929f54ee78ea9bfca3
Opcode Fuzzy Hash: ccd7cce03d4ba9b0a9d7e9de07282b700467601af26e8bc8264e1f254a4e127b
Instruction Fuzzy Hash: A231F661B26E4656EF549B1394442BC2290AB04FF4F680B34DF3D877DADE7CE582A300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758A8A0 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF61758A8D5
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF61758A91C
memset.VCRUNTIME140 ref: 00007FF61758A983
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF61758A9B6

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: __std_fs_convert_wide_to_narrow$__std_fs_code_pagememset
String ID:
API String ID: 3622096240-0
Opcode ID: 9d6b2d4985100764f9f83310051530a167f5966a496c08115753a35d81474fc0
Instruction ID: 921bb06f1605c6c5c773292afdd6162e9b6b57afa7bd01128695483dd321c7c2
Opcode Fuzzy Hash: 9d6b2d4985100764f9f83310051530a167f5966a496c08115753a35d81474fc0
Instruction Fuzzy Hash: 5E31A262A2CB4287EB249F67A84426AA6A1FB44FD0F454435EFCD87B93DF7CE1419340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758E390 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,00007FF61758E354), ref: 00007FF61758E473
memcpy.VCRUNTIME140(?,?,?,00007FF61758E354), ref: 00007FF61758E486
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF61758E354), ref: 00007FF61758E4EC

Part of subcall function 00007FF61758EE80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF617585E2E), ref: 00007FF61758EE9A

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61758E4F9

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: a6601d10cbc77214e642144e2138ecc2b8b28d600f51c286392e5c18081e3651
Instruction ID: 71c6fecdb047124671d983f197e022bba31bb1c792ac2e9507cdf36103963771
Opcode Fuzzy Hash: a6601d10cbc77214e642144e2138ecc2b8b28d600f51c286392e5c18081e3651
Instruction Fuzzy Hash: 8D41A262B29F8686EE14CB6795442796361AB09FE0F184935DBAD877E6DE3CE040E300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6175880E0 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF6175881D4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758820C
memcpy.VCRUNTIME140 ref: 00007FF617588216
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61758823F

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 110ba8f7703c95fa816d4a4b89f59d4b185b480252ec63a561f4fad6dcc5d99b
Instruction ID: 0bb0b9d1931f43a4e8a0bc5096c8fb1456cadab10c995d4a5fcfc5a4d329a845
Opcode Fuzzy Hash: 110ba8f7703c95fa816d4a4b89f59d4b185b480252ec63a561f4fad6dcc5d99b
Instruction Fuzzy Hash: 0831BF61B29E4686EF249B17A5042B86392EB48FF0F580735DA7E877D6DE7CF0419200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6175883F0 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF6175884CF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758850C
memcpy.VCRUNTIME140 ref: 00007FF617588516
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF617588543

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 2357da3bb513d7c9145eee397d78b7431cabcff220944bf8386c1124a6a143d5
Instruction ID: 5bc8432afee3281c609d92d758afa1ff728b1102c37a00bf46abc7e268d85806
Opcode Fuzzy Hash: 2357da3bb513d7c9145eee397d78b7431cabcff220944bf8386c1124a6a143d5
Instruction Fuzzy Hash: 2D41DF22B29B825AEF149B17A5002A86351EB08FF0F580735DE6D47BD7CE7CE091A300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758AB50 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF617589573), ref: 00007FF61758AC2A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF617589573), ref: 00007FF61758AC5E
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF617589573), ref: 00007FF61758AC68
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF61758AC8B

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 817ecf575b1ae1cec1e573c07ef55618db070116d72e27764646cd94895a952f
Instruction ID: 4a7aa31234220a69e7f9491b4482a639ecd8f57a369470cbc5b9f99692dd4672
Opcode Fuzzy Hash: 817ecf575b1ae1cec1e573c07ef55618db070116d72e27764646cd94895a952f
Instruction Fuzzy Hash: 7C31CF61B29E4287EF149B1791041A8A352EB08FF0F584B35EA6E877C7DE3CE581A300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF617588780 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758884D

Part of subcall function 00007FF61758EE80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF617585E2E), ref: 00007FF61758EE9A

memcpy.VCRUNTIME140 ref: 00007FF61758887E
memcpy.VCRUNTIME140 ref: 00007FF61758888E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6175888B1

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 17a6bd0400d76eeebadb61516333b4f4134b382caa0cfac2faaf4219823a850b
Instruction ID: 8719830f7430a65fc3194c8152899e7e781b1cc8c63207bc3aa2856091c6cd72
Opcode Fuzzy Hash: 17a6bd0400d76eeebadb61516333b4f4134b382caa0cfac2faaf4219823a850b
Instruction Fuzzy Hash: 6431AF22B25A8596FB24DB13A5042A962A5EB48FF4F480B35DE7D877D6EE3CE0519300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758E70C Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF61758E755
GetLastError.KERNEL32 ref: 00007FF61758E763
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF61758AA72), ref: 00007FF61758E798
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF61758AA72), ref: 00007FF61758E7A6

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 98f79813ac48123c3c75fe13417aac944ec9262fc5e7f647da25030655104f1a
Instruction ID: 9e24f6f3537402ef7b2ecf0ddf0e061fd1d8f5af25a008c4a8db68ede232cd94
Opcode Fuzzy Hash: 98f79813ac48123c3c75fe13417aac944ec9262fc5e7f647da25030655104f1a
Instruction Fuzzy Hash: 47214F76A28B9587E3508F12E84432E76B4FB99FD4F240138DB8993B9ADF3DD4118B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61758D190 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61758D346

Strings

gfffffff, xrefs: 00007FF61758D2CC
gfffffff, xrefs: 00007FF61758D1B1

Memory Dump Source

Source File: 00000003.00000002.2096735620.00007FF617581000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF617580000, based on PE: true

Associated: 00000003.00000002.2096716768.00007FF617580000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096766988.00007FF617591000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096789027.00007FF6175A2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2096803552.00007FF6175A3000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff617580000_bugado.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: gfffffff$gfffffff
API String ID: 3668304517-161084747
Opcode ID: 8ddafdd1b9fa5781b3df14e0202f118e42dc4fa38e85b93b27dca32522a3f3cd
Instruction ID: 324fac90e9939da7bd041268e1c4d33fdbf867bd7b12922595d592b54441b881
Opcode Fuzzy Hash: 8ddafdd1b9fa5781b3df14e0202f118e42dc4fa38e85b93b27dca32522a3f3cd
Instruction Fuzzy Hash: 7B41AFA2714B8A92DE14CB17F94456DA3A6F748FD4B448236DE4DCB759EE3CE181C302

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh

C:\Windows\SoftwareDistribution\Download\bugado.exe

C:\Windows\SoftwareDistribution\Download\bugado.sys

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Function 00007FF7258340A0 Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 53
sleepkeyboardprocessCOMMON

Function 00007FF7258340D2 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 38
sleepkeyboardprocessCOMMON

Function 00007FF7258340D0 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 38
sleepkeyboardprocessCOMMON

Function 00007FF7258369C0 Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Function 00007FF725834A70 Relevance: 10.6, APIs: 7, Instructions: 133
COMMON

Function 00007FF725829AF0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 18
COMMON

Function 00007FF7257F11A0 Relevance: 4.6, APIs: 3, Instructions: 111
COMMON

Function 00007FF72582B000 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Function 00007FF72582A360 Relevance: 1.5, APIs: 1, Instructions: 37
fileCOMMON

Function 00007FF725832D90 Relevance: 98.2, APIs: 11, Strings: 45, Instructions: 204
keyboardCOMMON

Function 00007FF725833B70 Relevance: 56.2, APIs: 18, Strings: 14, Instructions: 248
memoryprocesssleepCOMMON