Edit tour

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.16016.24947.exe

Overview

General Information

Sample name:	SecuriteInfo.com.FileRepMalware.16016.24947.exe
Analysis ID:	1538271
MD5:	59a1f2c02e1ad06450edb6a3e66b0b16
SHA1:	d97989ae75a7edf861e3bff3564b6889a09e14f6
SHA256:	55697f96abab3e4d633d3a505f6546d41b3550ea985aa9871df59b68d860f495
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

Potential key logger detected (key state polling based)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.FileRepMalware.16016.24947.exe (PID: 524 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe" MD5: 59A1F2C02E1AD06450EDB6A3E66B0B16)

conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 5656 cmdline: C:\Windows\system32\WerFault.exe -u -p 524 -s 1520 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.1% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000000.2182635446.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_6862268b-2

Source: unknown

HTTPS traffic detected: 172.67.72.57:443 -> 192.168.2.6:49715 version: TLS 1.2

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: "D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Rickz Community\Valorant Plus\x64\Release\Winrar.pdb source: SecuriteInfo.com.FileRepMalware.16016.24947.exe
Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Rickz Community\Valorant Plus\x64\Release\Winrar.pdb source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Source: Joe Sandbox View

IP Address: 172.67.72.57 172.67.72.57

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0FBB980 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,memcmp,closesocket,closesocket,closesocket,closesocket,

0_2_00007FF6E0FBB980

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: CPlusPlusExample/1.0Host: keyauth.win

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLOpen
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E72440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.keyauth.cc/front/assets/img/favicon.png
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	String found in binary or memory: https://github.com/rsms/inter)InterRegular3.019;RSMS;Inter-RegularInter
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/G
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/S=2O
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E72406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win:443/
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	String found in binary or memory: https://rsms.me/This

Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown

HTTPS traffic detected: 172.67.72.57:443 -> 192.168.2.6:49715 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F58630 free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

0_2_00007FF6E0F58630

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F58790 OpenClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF6E0F58790

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F58630 free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

0_2_00007FF6E0F58630

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F333E0 PeekMessageW,GetForegroundWindow,GetClientRect,ClientToScreen,GetCursorPos,GetAsyncKeyState,SetWindowPos,GetAsyncKeyState,

0_2_00007FF6E0F333E0

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F703A0 GetClientRect,QueryPerformanceCounter,GetForegroundWindow,ClientToScreen,SetCursorPos,GetCursorPos,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_00007FF6E0F703A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F36360: _beginthreadex,rand,rand,rand,SetConsoleTitleA,_invalid_parameter_noinfo_noreturn,GetConsoleWindow,GetWindowLongPtrW,SetWindowLongPtrW,SetLayeredWindowAttributes,GetStdHandle,SetConsoleWindowInfo,SetConsoleScreenBufferSize,GetStdHandle,SetConsoleTextAttribute,FindWindowW,SetConsoleTextAttribute,SetConsoleTextAttribute,SleepEx,exit,Sleep,GetStdHandle,SetConsoleTextAttribute,system,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,Sleep,CreateFileA,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,Sleep,system,FindWindowA,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,Sleep,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,Process32NextW,CloseHandle,DeviceIoControl,DeviceIoControl,GetConsoleWindow,ShowWindow,CreateThread,_Mtx_lock,?_Throw_Cpp_error@std@@YAXH@Z,CloseHandle,?_Throw_Cpp_error@std@@YAXH@Z,_Thrd_id,_Thrd_join,_Mtx_unlock,_invalid_parameter_noinfo_noreturn,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,terminate,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,Sleep,exit,?_Throw_Cpp_error@std@@YAXH@Z,

0_2_00007FF6E0F36360

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F3E990 OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,ControlService,Sleep,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,Sleep,

0_2_00007FF6E0F3E990

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F34940	0_2_00007FF6E0F34940
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F36360	0_2_00007FF6E0F36360
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F34FE0	0_2_00007FF6E0F34FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F5B260	0_2_00007FF6E0F5B260
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0FB1280	0_2_00007FF6E0FB1280
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F8EAE0	0_2_00007FF6E0F8EAE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F252E0	0_2_00007FF6E0F252E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F612F0	0_2_00007FF6E0F612F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0FBC300	0_2_00007FF6E0FBC300
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F29940	0_2_00007FF6E0F29940
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F5C940	0_2_00007FF6E0F5C940
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F769B0	0_2_00007FF6E0F769B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F5D9E0	0_2_00007FF6E0F5D9E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F749F0	0_2_00007FF6E0F749F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F6EA10	0_2_00007FF6E0F6EA10
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F60210	0_2_00007FF6E0F60210
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F6F440	0_2_00007FF6E0F6F440
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0FB0460	0_2_00007FF6E0FB0460
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F5F470	0_2_00007FF6E0F5F470
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F674B0	0_2_00007FF6E0F674B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F5FCB0	0_2_00007FF6E0F5FCB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F854D0	0_2_00007FF6E0F854D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0FA04F0	0_2_00007FF6E0FA04F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F8B510	0_2_00007FF6E0F8B510
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F50360	0_2_00007FF6E0F50360
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F21390	0_2_00007FF6E0F21390
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F703A0	0_2_00007FF6E0F703A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0FBEBE0	0_2_00007FF6E0FBEBE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F8A3E0	0_2_00007FF6E0F8A3E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F6ABF0	0_2_00007FF6E0F6ABF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F49430	0_2_00007FF6E0F49430
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F72E50	0_2_00007FF6E0F72E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F4EE60	0_2_00007FF6E0F4EE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F62E60	0_2_00007FF6E0F62E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F52E80	0_2_00007FF6E0F52E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F726C0	0_2_00007FF6E0F726C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F6B6E0	0_2_00007FF6E0F6B6E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F29F00	0_2_00007FF6E0F29F00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F55F00	0_2_00007FF6E0F55F00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F2AF10	0_2_00007FF6E0F2AF10
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F6FD50	0_2_00007FF6E0F6FD50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F77DC0	0_2_00007FF6E0F77DC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F60DD0	0_2_00007FF6E0F60DD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F695F0	0_2_00007FF6E0F695F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F82DF0	0_2_00007FF6E0F82DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F93E00	0_2_00007FF6E0F93E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F5EE30	0_2_00007FF6E0F5EE30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F6E840	0_2_00007FF6E0F6E840
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F61060	0_2_00007FF6E0F61060
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F45080	0_2_00007FF6E0F45080
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F440A0	0_2_00007FF6E0F440A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F228A0	0_2_00007FF6E0F228A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F738D0	0_2_00007FF6E0F738D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F81130	0_2_00007FF6E0F81130
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F9C750	0_2_00007FF6E0F9C750
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F4AF50	0_2_00007FF6E0F4AF50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F90F60	0_2_00007FF6E0F90F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F6CF70	0_2_00007FF6E0F6CF70
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F7FFC0	0_2_00007FF6E0F7FFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F44000	0_2_00007FF6E0F44000
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Code function: 0_2_00007FF6E0F78810	0_2_00007FF6E0F78810

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: String function: 00007FF6E0F44740 appears 46 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 524 -s 1520

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Binary string: 8\Device\microsoftAudioDriver\DosDevices\microsoftAudioDriverKmdfLibraryDriverEntry failed 0x%x for driver %wZ

Source: classification engine

Classification label: mal60.evad.winEXE@3/6@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,ControlService,Sleep,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,Sleep,

0_2_00007FF6E0F3E990

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F36360 _beginthreadex,rand,rand,rand,SetConsoleTitleA,_invalid_parameter_noinfo_noreturn,GetConsoleWindow,GetWindowLongPtrW,SetWindowLongPtrW,SetLayeredWindowAttributes,GetStdHandle,SetConsoleWindowInfo,SetConsoleScreenBufferSize,GetStdHandle,SetConsoleTextAttribute,FindWindowW,SetConsoleTextAttribute,SetConsoleTextAttribute,SleepEx,exit,Sleep,GetStdHandle,SetConsoleTextAttribute,system,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,Sleep,CreateFileA,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,Sleep,system,FindWindowA,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,Sleep,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,Process32NextW,CloseHandle,DeviceIoControl,DeviceIoControl,GetConsoleWindow,ShowWindow,CreateThread,_Mtx_lock,?_Throw_Cpp_error@std@@YAXH@Z,CloseHandle,?_Throw_Cpp_error@std@@YAXH@Z,_Thrd_id,_Thrd_join,_Mtx_unlock,_invalid_parameter_noinfo_noreturn,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,terminate,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,Sleep,exit,?_Throw_Cpp_error@std@@YAXH@Z,

0_2_00007FF6E0F36360

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F3E8F0 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,

0_2_00007FF6E0F3E8F0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess524

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\257fbe7b-46d7-456c-bc52-64a7502519b4

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

ReversingLabs: Detection: 55%

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectoryh~

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 524 -s 1520

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe	Section loaded: dpapi.dll	Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Static file information: File size 1971712 > 1048576

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x131400

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: "D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Rickz Community\Valorant Plus\x64\Release\Winrar.pdb source: SecuriteInfo.com.FileRepMalware.16016.24947.exe
Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Rickz Community\Valorant Plus\x64\Release\Winrar.pdb source: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F6FA40 QueryPerformanceFrequency,QueryPerformanceCounter,malloc,LoadLibraryA,GetProcAddress,GetProcAddress,

0_2_00007FF6E0F6FA40

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F3E8F0 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,

0_2_00007FF6E0F3E8F0

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: PROCESSHACKER.EXE
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: PROCMON.EXE
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAG.EXE
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: OLLYDBG.EXE
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PEID.EXE
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: X64DBG.EXE
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: REGMON.EXE
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: UNKNOWN EXCEPTIONBAD ARRAY NEW LENGTHBAD CASTSTRING TOO LONG%F: FALSETRUE*CMAP/SET TOO LONG] [JSON.EXCEPTION., COLUMN AT LINE \\.\MICROSOFTAUDIODRIVERHEADNECKBODYCORNER2D3DLEFT MOUSERIGHT MOUSECANCELMIDDLE MOUSEMOUSE 5MOUSE 4BACKSPACETABCLEARENTERSHIFTCONTROLALTPAUSECAPSESCAPESPACEPAGE UPPAGE DOWNENDHOMEARROW LEFTARROW UPARROW RIGHTARROW DOWNPRINTINSERTDELETE0123456789ABDEFGHIJKLMNOPQRSTUVWXYZNUMPAD 0NUMPAD 1NUMPAD 2NUMPAD 3NUMPAD 4NUMPAD 5NUMPAD 6NUMPAD 7NUMPAD 8NUMPAD 9MULTIPLYADDSUBTRACTDECIMALDIVIDEF1F2F3F4F5F6F7F8F9F10F11F12RICKZIMGUIAIMBOTVISUALSMISCCOLORSAIMBOTENABLE VISIBLE CHECK AIMBOTAIMBOT SETTINGS%.3FSMOOTH AIMBOTVISUALSVISUALS OTHERSBOX TYPEMISCMISC SETTINGSCOLOR PICKERLOBIJETTASTRARIFT_TARGETINGFORM_PC_CKAY/OBREACHBRIMSTONECHAMBERCYPHERKAY/OKILLJOYNEONOMENPHOENIXRAZEREYNASAGESKYESOVAVIPERYORUFADEBOTGEKKOHARBORDEADLOCKVYSEMEDALOVERLAYMEDALOVERLAYCLASS [ %.FM ] HEALTH RENDERED][ CR][V4L0R4NT PLUS]CPLUSPLUSEXAMPLE/1.0GETKEYAUTH.WINF692B2828AA525D4513302117535C6C0D0CB304F574A1CD32EF3E1D07129217ADIEC.EXEDWNEJFE.EXEWIN64.EXESYSTEMINFORMER.EXEPROCESSHACKER.EXEFILEALYZER2.EXERESOURCEHACKER.EXEDEPENDS.EXEPEXPLORER.EXEDIEL.EXEDIE.EXEPE-BEAR.EXELORDPE.EXEWIRESHARK.EXETCPVIEW.EXEPROCEXP64.EXEPROCEXP.EXEREGMON.EXEFILEMON.EXEPROCMON.EXESCYLLA_X86.EXESCYLLA_X64.EXEOLLYDUMPEX_SA64.EXEOLLYDUMPEX_SA32.EXEHXD.EXEIMMUNITYDEBUGGER.EXEWINDBG.EXEX96DBG.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEIDA64.EXEDOTPEEK64.EXEIDA32.EXEIDA.EXERECLASS.NET.EXERECLASS.EXEHEYRAYS.EXELIGHTHOUSE.EXECHEATuser-X86_64.EXECLASSINFORMER.EXEIDA-X86EMU.EXECFFEXPLORER.EXEWINHEX.EXEHIEW.EXEFIDDLER.EXEHTTPDEBUGGER.EXEHTTPDEBUGGERPRO.EXESCYLLA.EXECHEAT user.EXEDNSPY.EXEDNSPY.CONSOLE.EXECLS
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: WINDBG.EXE
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEFILE_STRING
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: FIDDLER.EXE
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: IDAQ.EXEH
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: PEID.EXEH
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: IDAG.EXEH
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: WIRESHARK.EXE
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe	Binary or memory string: FILEMON.EXE

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

API coverage: 5.1 %

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E72440000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E104FA78 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF6E104FA78

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E104FA78 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF6E104FA78

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F6FA40 QueryPerformanceFrequency,QueryPerformanceCounter,malloc,LoadLibraryA,GetProcAddress,GetProcAddress,

0_2_00007FF6E0F6FA40

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0F21B20 GetProcessHeap,

0_2_00007FF6E0F21B20

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E104F3F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF6E104F3F0

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E104E9B8 cpuid

0_2_00007FF6E104E9B8

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E104F8F0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6E104F8F0

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000000.2182635446.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000000.2182635446.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OLLYDBG.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000000.2182635446.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000000.2182635446.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000000.2182635446.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: LordPE.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000000.2182635446.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Tcpview.exe
Source: SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000000.2182635446.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: regmon.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Code function: 0_2_00007FF6E0FBB980 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,memcmp,closesocket,closesocket,closesocket,closesocket,

0_2_00007FF6E0FBB980

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	12 Windows Service	12 Windows Service	1 Process Injection	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Service Execution	1 DLL Side-Loading	1 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	1 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.FileRepMalware.16016.24947.exe	55%	ReversingLabs	Win64.Trojan.Generic
SecuriteInfo.com.FileRepMalware.16016.24947.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
https://curl.haxx.se/docs/http-cookies.html	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	172.67.72.57	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://keyauth.win/	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/rsms/inter)InterRegular3.019;RSMS;Inter-RegularInter	SecuriteInfo.com.FileRepMalware.16016.24947.exe	false		unknown
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
https://cdn.keyauth.cc/front/assets/img/favicon.png	SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E72440000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keyauth.win:443/	SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E72406000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keyauth.win/G	SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://curl.haxx.se/docs/http-cookies.html	SecuriteInfo.com.FileRepMalware.16016.24947.exe	false	URL Reputation: safe	unknown
https://curl.haxx.se/docs/http-cookies.html#	SecuriteInfo.com.FileRepMalware.16016.24947.exe	false		unknown
https://keyauth.win/api/1.2/	SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keyauth.win/api/1.2/S=2O	SecuriteInfo.com.FileRepMalware.16016.24947.exe, 00000000.00000002.2549451666.0000026E723BC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://rsms.me/This	SecuriteInfo.com.FileRepMalware.16016.24947.exe	false		unknown
http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLOpen	SecuriteInfo.com.FileRepMalware.16016.24947.exe	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.72.57	keyauth.win	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538271
Start date and time:	2024-10-20 23:29:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.FileRepMalware.16016.24947.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@3/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 17 Number of non-executed functions: 168
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, tile-service.weather.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, www.msftconnecttest.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.FileRepMalware.16016.24947.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.72.57	SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.10159.8143.exe	Get hash	malicious	Unknown	Browse
	lvXRlexBnb.exe	Get hash	malicious	Unknown	Browse
	flX5YA1C09.exe	Get hash	malicious	Unknown	Browse
	Iyto7FYCJO.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.GenericKD.74313215.18321.7540.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Tedy.640280.26081.14300.exe	Get hash	malicious	Unknown	Browse
	fox vanguard bypass.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.28454.21428.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	SecuriteInfo.com.FileRepMalware.8628.17723.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Win64.MalwareX-gen.21448.26007.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.DropperX-gen.5372.31408.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Trojan.Generic.36879400.484.7364.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.29573.28124.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.10159.8143.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Win64.MalwareX-gen.6639.30242.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.25010.24037.exe	Get hash	malicious	Unknown	Browse	104.26.1.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.FileRepMalware.8628.17723.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Win64.MalwareX-gen.21448.26007.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.DropperX-gen.5372.31408.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Trojan.Generic.36879400.484.7364.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.29573.28124.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.10159.8143.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Win64.MalwareX-gen.6639.30242.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.25010.24037.exe	Get hash	malicious	Unknown	Browse	104.26.1.5

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.Trojan.Generic.36879400.484.7364.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Win64.MalwareX-gen.10159.8143.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Win64.MalwareX-gen.6639.30242.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Win64.MalwareX-gen.25010.24037.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	file.exe	Get hash	malicious	LummaC	Browse	172.67.72.57
	file.exe	Get hash	malicious	LummaC	Browse	172.67.72.57
	file.exe	Get hash	malicious	LummaC	Browse	172.67.72.57
	file.exe	Get hash	malicious	LummaC	Browse	172.67.72.57
	file.exe	Get hash	malicious	LummaC	Browse	172.67.72.57

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_eb2620f6d3d187daf5b73e6fffe3728eece36b_6212d8dd_29dd5dd9-70d6-47d5-a508-1794b1875975\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0343550834427397
Encrypted:	false
SSDEEP:	96:v/F9zOZ6Zs8hPGhiXSKQXIDcQNc6kcE6cw39L6X+HbHg/8BRTf3KoVaSWOUfuNwY:XHzg6ZE0Dgwl68jy5bdzuiFwZ24lO80
MD5:	38E4931CC23169A17C5B73D5F52E9BF5
SHA1:	4A752F9AD42213EADFAD76EF0F0BA56341E2A995
SHA-256:	A253361A6375CFE1CB17312569B3521AC51C65A5249A639C926ACB8500FBECF6
SHA-512:	9DD24FCB53B382F29B3404B64E80CBFA1F2A7BE8DB1470BCD30747218382F2C5A160E0EF25E37E7B339C0664CD81B1012729FC84F9F902BCCD5D133AFEBD4995
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.9.3.3.4.3.6.3.7.0.1.6.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.9.3.3.4.3.7.0.4.2.0.6.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.d.d.5.d.d.9.-.7.0.d.6.-.4.7.d.5.-.a.5.0.8.-.1.7.9.4.b.1.8.7.5.9.7.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.e.f.8.d.b.1.-.0.b.6.e.-.4.a.7.8.-.8.1.8.5.-.3.7.6.f.e.9.7.4.d.3.1.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...F.i.l.e.R.e.p.M.a.l.w.a.r.e...1.6.0.1.6...2.4.9.4.7...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.0.c.-.0.0.0.1.-.0.0.1.5.-.d.9.9.e.-.8.3.4.b.3.7.2.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.b.5.e.d.3.c.e.1.2.a.4.e.2.4.a.5.0.4.4.7.3.e.3.c.5.7.6.f.2.f.2.0.0.0.0.f.f.f.f.!.0.0.0.0.d.9.7.9.8.9.a.e.7.5.a.7.e.d.f.8.6.1.e.3.b.f.f.3.5.6.4.b.6.8.8.9.a.0.9.e.1.4.f.6.!.S.e.c.u.r.i.t.e.I.n.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER417C.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Oct 20 21:30:36 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	190468
Entropy (8bit):	1.425057085234611
Encrypted:	false
SSDEEP:	384:jlTjTraQBcvh/I4xgFDQI6RoPrUlrSD/csC6sQJLQpjsRpitcMGW2iFkg:hLaQBdrUlWD/csC6sQJLQhsR5kFkg
MD5:	9F0E122C5D056AC7D3C1D88D152D1A66
SHA1:	CC1FDE296F6CAD45AF7C3FB57C517D9F29AC00AC
SHA-256:	8521593AE7DABE4712E14CC6AFF3A80B10196ABA78F3D8A1549D388677FA4303
SHA-512:	9DDD6247ACC7B351150E00536B9367953AF9777743D38089329313212F98B6A67FAE1D47DC1BE533CA48EB4FDB02003FA2DA9D72D43E2B1D80F603A7F3EF8C1A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......\|v.g............t.......................$...,!...........n..........`.......8...........T............;..l...........P!..........<#..............................................................................eJ.......#......Lw......................T...........yv.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4314.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8948
Entropy (8bit):	3.69966806722499
Encrypted:	false
SSDEEP:	192:R6l7wVeJrmM6Y2DxZbgmfkJFQqG6cpDd89bA9kfkAm:R6lXJ6M6YcZbgmfkbE6LA+fS
MD5:	B98B7411D09556A962734390BAEE5D3A
SHA1:	617A34DC19DF8D6C493813EB164B7A12DB02D971
SHA-256:	38E20FA401EFE1D60867DF22E195006C48461D1F39EB91683ABABF36CA7D35B3
SHA-512:	92500314972C75AA0878C2D5ABC5EC4A7973F94A38FA1E767BED7FCEBCC6AAA74B5F89DC04AFD44033520E97FA7A71C8DF6DD0A47F9C8B12B26914D9EABF0333
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.4.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4353.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4931
Entropy (8bit):	4.510792999518627
Encrypted:	false
SSDEEP:	48:cvIwWl8zseJg771I9ITWpW8VY43NYm8M4J0tJsFy9yq8vytJaovuE+xwd:uIjfUI7ri7VBcJ0Z9WymovuE+xwd
MD5:	07F225712B6D097CCEA30B71392D4D89
SHA1:	73B397773600A1B306A170F24D76E00C7B75D60A
SHA-256:	CD9CFE5D2A904341B1321B16E270F61B9772E31703DAC36F7DC768E11315D3B1
SHA-512:	A26357C92387A30DA9AE12650B314B9F250F8D4099171B4BC69468A11A15120797C03043DD775471CE418CA191994B34237F1FF69A917934CB6F940C9909A431
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="552273" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468912472888815
Encrypted:	false
SSDEEP:	6144:mzZfpi6ceLPx9skLmb0f9ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNvjDH5S:oZHt9ZWOKnMM6bFpNj4
MD5:	08BE87E532FB560BC4C4A2E31C9E0A93
SHA1:	7522028493EF855D71995783EEA56C43981CC0A5
SHA-256:	14B4EEA77C0F5BB9FE7C7D09D8895DAD5F7625556CD7B5239CCFF14E926648E8
SHA-512:	0895FE8FA8E7F3A9993A4BCDA432E4CC2ED76854C7517773FCB341CAA80B66DBEA93188F53A2EAA617AE5163D622CF4686394C55D012D7DAAB4016F1A4951006
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.E+M7#..............................................................................................................................................................................................................................................................................................................................................#.=y........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	208
Entropy (8bit):	2.4305258110308814
Encrypted:	false
SSDEEP:	3:rRRqmIEaGj3F/9Dqa+I4AuGLXmuLx:H041lVuGLWm
MD5:	FC51E3860D2A83AD586811F10DFB46C0
SHA1:	14CCE86E0918FA8ED1191D7D7425E44F0EF4138D
SHA-256:	0B1E88DE9B81FA2187463C8465A4C5863402A66AD134CE7CC46E5970FD759BEA
SHA-512:	EFBC52214A547A11EBD8A751EE50CBC1315959A1145538439AF98BB0D4E718ABFB84AB02397386890FC36AC9262C5B3A1A608A85A072F943EDD01C61D61B4026
Malicious:	false
Reputation:	low
Preview:	....##########################################################..[ Selecione uma opcao: ]..##########################################################....[-] Open Your Game...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.675048815541203
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.FileRepMalware.16016.24947.exe
File size:	1'971'712 bytes
MD5:	59a1f2c02e1ad06450edb6a3e66b0b16
SHA1:	d97989ae75a7edf861e3bff3564b6889a09e14f6
SHA256:	55697f96abab3e4d633d3a505f6546d41b3550ea985aa9871df59b68d860f495
SHA512:	e7b094f5e9f433a47fbe075f7731a98cdd4cf695dce1e0efe6c62b9d55c0ac3cad9cce828f3bf44f3cfd9ded775a707827275eb78d4cc2b971fd0884b491799c
SSDEEP:	24576:DLRpkeEUG0EwMIuAiEplGbOcjKc0LH0+kDNaNCvLU0oh1g5Lt82gspwyZw66n1Du:JpJ6dx3BU/NCTog5y2gtHTnSsLm
TLSH:	0E95BF43A3A502EDC16791388257D707E77274051B109BCB67E84AA96FA3BE12F7F390
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......8...\|...\|...\|...u.D.j...z&*.u...z&..v...z&..x...z&..Z...z&..z.......f...............~.......~...7...Y...\|...^....&..v....&(.}..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14012f1bc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x670DC9D0 [Tue Oct 15 01:48:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	36df9176191cadc47b96522ce524f4bc

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FACD9614AD0h
dec eax
add esp, 28h
jmp 00007FACD9614217h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FACD96143B2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FACD96143B5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007FACD96143ADh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FACD961443Ah
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ecx
mov ebx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007FACD9614311h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17b0f0	0x258	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e4000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1d6000	0xd2b4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e5000	0x13c0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x166370	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x166400	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x166230	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x133000	0xe48	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x131230	0x131400	70530707e15bedacb71ae1ff17142b8b	False	0.5417682419635544	data	6.49663991165523	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x133000	0x4b918	0x4ba00	ef71dd1e3351f1cc41a8055d44ecbc08	False	0.4512138429752066	data	6.241916934424716	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17f000	0x56c18	0x55a00	f5faac2a3098287b6964b07cd09c04f7	False	0.4868099908759124	data	6.343440381373287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1d6000	0xd2b4	0xd400	2b6a29574f58bbdfc8ca0dd660fcb80c	False	0.47689416273584906	data	6.183872917228116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1e4000	0x1e8	0x200	6c94243ac11a20caa150e2383dfc7606	False	0.541015625	data	4.772037401703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1e5000	0x13c0	0x1400	742753df8f255e9c979ffd7a00d02867	False	0.4158203125	data	5.40694428061472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x1e4060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
d3d11.dll	D3D11CreateDeviceAndSwapChain
D3DCOMPILER_47.dll	D3DCompile
KERNEL32.dll	ReadFile, PeekNamedPipe, WaitForMultipleObjects, GetFileSizeEx, CreateFileMappingA, GetEnvironmentVariableA, WaitForSingleObjectEx, MoveFileExA, GetTickCount, GetModuleFileNameA, GetModuleHandleW, QueryFullProcessImageNameW, SetLastError, FormatMessageA, LocalFree, EnterCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, VerifyVersionInfoA, ReleaseSRWLockExclusive, CreateFileMappingW, WakeAllConditionVariable, SleepConditionVariableSRW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, IsDebuggerPresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringW, FreeLibrary, VerSetConditionMask, GetProcAddress, QueryPerformanceFrequency, LoadLibraryA, GetModuleHandleA, GlobalUnlock, GlobalLock, GlobalFree, GlobalAlloc, GetLastError, GetFileAttributesW, lstrcmpiW, GetConsoleWindow, WideCharToMultiByte, CreateThread, CloseHandle, Process32FirstW, CreateFileA, CreateFileW, HeapDestroy, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, GetFileType, InitializeCriticalSectionEx, DeleteCriticalSection, GetCurrentProcess, MapViewOfFile, Process32NextW, GetSystemDirectoryA, Sleep, MultiByteToWideChar, CreateToolhelp32Snapshot, SetConsoleWindowInfo, TerminateProcess, DeviceIoControl, GetStdHandle, SetConsoleScreenBufferSize, SetConsoleTitleA, SetConsoleTextAttribute, VirtualProtect, AcquireSRWLockExclusive, SleepEx, UnmapViewOfFile
USER32.dll	SetCursor, SetCursorPos, OpenClipboard, ScreenToClient, GetCursorPos, CloseClipboard, UpdateWindow, FindWindowA, GetClientRect, FindWindowW, TranslateMessage, SetLayeredWindowAttributes, GetForegroundWindow, PeekMessageW, ClientToScreen, DispatchMessageW, LoadCursorW, GetAsyncKeyState, ShowWindow, EmptyClipboard, GetClipboardData, SetClipboardData, GetKeyState, GetWindow, DestroyWindow, SetWindowPos, SetWindowLongPtrW, GetSystemMetrics, GetWindowLongPtrW, MessageBoxA
ADVAPI32.dll	ControlService, StartServiceW, DeleteService, OpenSCManagerW, CloseServiceHandle, QueryServiceStatus, CreateServiceW, OpenProcessToken, AddAccessAllowedAce, GetLengthSid, GetTokenInformation, InitializeAcl, IsValidSid, SetSecurityInfo, CopySid, CryptEncrypt, CryptImportKey, CryptDestroyKey, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGenRandom, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA, ConvertSidToStringSidA, OpenServiceW
MSVCP140.dll	?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ, ??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z, ?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z, ?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ, ?_Incref@facet@locale@std@@UEAAXXZ, ??Bid@locale@std@@QEAA_KXZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, _Mtx_unlock, _Thrd_join, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, _Xtime_get_ticks, _Query_perf_counter, _Thrd_id, _Thrd_sleep, _Cnd_do_broadcast_at_thread_exit, _Mtx_init_in_situ, _Mtx_lock, _Mtx_destroy_in_situ, ?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A, ?_Xlength_error@std@@YAXPEBD@Z, ?id@?$ctype@D@std@@2V0locale@2@A, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Xbad_function_call@std@@YAXXZ, ?_Xout_of_range@std@@YAXPEBD@Z, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, _Query_perf_frequency, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Throw_Cpp_error@std@@YAXH@Z, ?uncaught_exceptions@std@@YAHXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
dwmapi.dll	DwmExtendFrameIntoClientArea
WINHTTP.dll	WinHttpSendRequest, WinHttpCloseHandle, WinHttpOpenRequest, WinHttpOpen, WinHttpReceiveResponse, WinHttpConnect, WinHttpQueryOption
CRYPT32.dll	CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CertFreeCertificateChainEngine, CryptStringToBinaryA, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore, CertGetCertificateChain, CertGetCertificateContextProperty, CertFreeCertificateChain, CertFreeCertificateContext
IMM32.dll	ImmReleaseContext, ImmSetCompositionWindow, ImmGetContext, ImmSetCandidateWindow
Normaliz.dll	IdnToAscii
WLDAP32.dll
WS2_32.dll	ntohs, ntohl, closesocket, gethostname, sendto, recvfrom, freeaddrinfo, recv, send, WSAGetLastError, getaddrinfo, select, __WSAFDIsSet, ioctlsocket, listen, htonl, bind, WSACleanup, WSAStartup, WSAIoctl, WSASetLastError, connect, socket, setsockopt, accept, htons, getsockopt, getsockname, getpeername
RPCRT4.dll	UuidCreate, UuidToStringA, RpcStringFreeA
PSAPI.DLL	GetModuleInformation
USERENV.dll	UnloadUserProfile
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__current_exception_context, __current_exception, longjmp, strrchr, strchr, memset, memmove, __intrinsic_setjmp, memcmp, memchr, _CxxThrowException, strstr, __std_terminate, __std_exception_copy, __std_exception_destroy, memcpy, __C_specific_handler
api-ms-win-crt-runtime-l1-1-0.dll	exit, _invalid_parameter_noinfo, strerror, __sys_nerr, _resetstkoflw, _errno, terminate, system, _beginthreadex, _getpid, _register_thread_local_exe_atexit_callback, _c_exit, __p___argv, __p___argc, _exit, _initterm_e, _initterm, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _invalid_parameter_noinfo_noreturn
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsprintf_s, fgetc, __p__commode, _lseeki64, __stdio_common_vfprintf, _read, fputc, fwrite, feof, fputs, fopen, _close, _open, __stdio_common_vsprintf, _write, fclose, _popen, _pclose, fgets, fgetpos, setvbuf, __stdio_common_vsscanf, _wfopen, ungetc, fflush, fseek, ftell, _get_stream_buffer_pointers, _set_fmode, _fseeki64, fread, fsetpos, __acrt_iob_func
api-ms-win-crt-heap-l1-1-0.dll	calloc, _callnewh, realloc, free, malloc, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll	asinf, atanf, ceilf, acosf, _dclass, cosf, fmodf, tanf, cos, powf, sin, sinf, sqrtf, __setusermatherr
api-ms-win-crt-string-l1-1-0.dll	strncmp, _strdup, tolower, strpbrk, isupper, strcmp, strcspn, strspn, strncpy
api-ms-win-crt-convert-l1-1-0.dll	atoi, atof, strtoll, strtod, strtoul, strtol, strtoull
api-ms-win-crt-utility-l1-1-0.dll	qsort, rand
api-ms-win-crt-filesystem-l1-1-0.dll	_unlink, _stat64, _fstat64, _lock_file, _access, _unlock_file
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale, localeconv
api-ms-win-crt-time-l1-1-0.dll	_time64, _gmtime64
SHELL32.dll	ShellExecuteA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 23:30:35.104823112 CEST	49715	443	192.168.2.6	172.67.72.57
Oct 20, 2024 23:30:35.104883909 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:35.104950905 CEST	49715	443	192.168.2.6	172.67.72.57
Oct 20, 2024 23:30:35.106821060 CEST	49715	443	192.168.2.6	172.67.72.57
Oct 20, 2024 23:30:35.106842041 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:35.879642010 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:35.879841089 CEST	49715	443	192.168.2.6	172.67.72.57
Oct 20, 2024 23:30:35.891351938 CEST	49715	443	192.168.2.6	172.67.72.57
Oct 20, 2024 23:30:35.891376972 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:35.891664028 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:35.936005116 CEST	49715	443	192.168.2.6	172.67.72.57
Oct 20, 2024 23:30:36.295541048 CEST	49715	443	192.168.2.6	172.67.72.57
Oct 20, 2024 23:30:36.339426994 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:36.470427990 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:36.470482111 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:36.470506907 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:36.470531940 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:36.470556974 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:36.470585108 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:36.470596075 CEST	49715	443	192.168.2.6	172.67.72.57
Oct 20, 2024 23:30:36.470635891 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:36.470680952 CEST	49715	443	192.168.2.6	172.67.72.57
Oct 20, 2024 23:30:36.471353054 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:36.471450090 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:36.471493006 CEST	49715	443	192.168.2.6	172.67.72.57
Oct 20, 2024 23:30:36.471502066 CEST	443	49715	172.67.72.57	192.168.2.6
Oct 20, 2024 23:30:36.475470066 CEST	49715	443	192.168.2.6	172.67.72.57
Oct 20, 2024 23:30:36.547420979 CEST	49715	443	192.168.2.6	172.67.72.57

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 23:30:35.087404966 CEST	57124	53	192.168.2.6	1.1.1.1
Oct 20, 2024 23:30:35.094230890 CEST	53	57124	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 20, 2024 23:30:35.087404966 CEST	192.168.2.6	1.1.1.1	0xfa0a	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 20, 2024 23:30:35.094230890 CEST	1.1.1.1	192.168.2.6	0xfa0a	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false
Oct 20, 2024 23:30:35.094230890 CEST	1.1.1.1	192.168.2.6	0xfa0a	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false
Oct 20, 2024 23:30:35.094230890 CEST	1.1.1.1	192.168.2.6	0xfa0a	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

keyauth.win

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49715	172.67.72.57	443	524	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-20 21:30:36 UTC	95	OUT	GET / HTTP/1.1 Connection: Keep-Alive User-Agent: CPlusPlusExample/1.0 Host: keyauth.win
2024-10-20 21:30:36 UTC	1124	IN	HTTP/1.1 200 OK Date: Sun, 20 Oct 2024 21:30:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Last-Modified: Sun, 20 Oct 2024 20:11:01 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 0 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nVGjom5%2BKgX4p4qqUGl2XBicZ865x5oNQSAK4lXPXqhBJRdB49znhDaSvjOBhPBNGVkQMWf%2BYc8Twgd5hIhSSCPxukXhUnrqnf0xMcsuFTi0jHxCiYQWz%2B3ng2u3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Acknowledge: Credit to VaultCord.com X-Powered-By: VaultCord.com content-security-policy: upgrade-insecure-requests permissions-policy: accelerometer=(), camera=(), fullscreen=, geolocation=(self), gyroscope=(), microphone=(), payment= referrer-policy: strict-origin-when-cross-origin strict-transport-security: max-age=31536000; includeSubDomains x-content-security-policy: img-src ; media-src data:; x-content-type-options: nosniff x-frame-options: DENY x-xss-protection: 1; mode=block Server: cloudflare CF-RAY: 8d5c1c295a8e0fb1-LAX
2024-10-20 21:30:36 UTC	245	IN	Data Raw: 37 62 33 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 63 6c 61 73 73 3d 22 62 67 2d 5b 23 30 39 30 39 30 64 5d 20 74 65 78 74 2d 77 68 69 74 65 20 6f 76 65 72 66 6c 6f 77 2d 78 2d 68 69 64 64 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 65 79 41 75 74 68 20 2d 20 4f 70 65 Data Ascii: 7b3a<!DOCTYPE html><html lang="en" class="bg-[#09090d] text-white overflow-x-hidden"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="title" content="KeyAuth - Ope
2024-10-20 21:30:36 UTC	1369	IN	Data Raw: 6e 20 53 6f 75 72 63 65 20 41 75 74 68 22 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 0a 20 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 79 6f 75 72 20 73 6f 66 74 77 61 72 65 20 61 67 61 69 6e 73 74 20 70 69 72 61 63 79 2c 20 61 6e 20 69 73 73 75 65 20 63 61 75 73 69 6e 67 20 24 34 32 32 20 6d 69 6c 6c 69 6f 6e 20 69 6e 20 6c 6f 73 73 65 73 20 61 6e 6e 75 61 6c 6c 79 20 2d 20 46 61 69 72 20 70 72 69 63 69 6e 67 20 26 20 46 65 61 74 75 72 65 73 20 6e 6f 74 20 73 65 65 6e 20 69 6e 20 63 6f 6d 70 65 74 69 74 6f 72 73 22 0a 20 20 20 20 20 20 20 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4b 65 79 41 75 74 68 22 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 2f 3e Data Ascii: n Source Auth"> <meta content="Secure your software against piracy, an issue causing $422 million in losses annually - Fair pricing & Features not seen in competitors" name="description" /> <meta content="KeyAuth" name="author" />
2024-10-20 21:30:36 UTC	1369	IN	Data Raw: 20 20 20 3c 6d 65 74 61 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6b 65 79 61 75 74 68 2e 63 63 2f 66 72 6f 6e 74 2f 61 73 73 65 74 73 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 54 77 69 74 74 65 72 20 43 61 72 64 20 64 61 74 61 20 2d 2d 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 63 61 72 64 22 20 63 6f 6e 74 65 6e 74 3d 22 70 72 6f 64 75 63 74 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 4b 65 79 41 75 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 Data Ascii: <meta itemprop="image" content="https://cdn.keyauth.cc/front/assets/img/favicon.png"> ... Twitter Card data --> <meta name="twitter:card" content="product"> <meta name="twitter:site" content="@KeyAuth"> <meta name="twitter:title" cont
2024-10-20 21:30:36 UTC	1369	IN	Data Raw: 6e 74 3d 22 56 49 45 57 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 73 6d 61 72 74 62 61 6e 6e 65 72 3a 62 75 74 74 6f 6e 2d 75 72 6c 2d 67 6f 6f 67 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 74 6f 72 65 2f 61 70 70 73 2f 64 65 74 61 69 6c 73 3f 69 64 3d 63 6f 6d 2e 77 6e 65 6c 73 6f 6e 30 33 2e 72 6e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 73 6d 61 72 74 62 61 6e 6e 65 72 3a 65 6e 61 62 6c 65 64 2d 70 6c 61 74 66 6f 72 6d 73 22 20 63 6f 6e 74 65 6e 74 3d 22 61 6e 64 72 6f 69 64 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 73 6d 61 72 74 62 61 6e 6e 65 72 3a 63 6c 6f 73 65 2d 6c 61 62 65 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6c 6f 73 65 22 3e Data Ascii: nt="VIEW"> <meta name="smartbanner:button-url-google" content="https://play.google.com/store/apps/details?id=com.wnelson03.rn"> <meta name="smartbanner:enabled-platforms" content="android"> <meta name="smartbanner:close-label" content="Close">
2024-10-20 21:30:36 UTC	1369	IN	Data Raw: 61 63 69 74 79 2d 36 30 20 74 72 61 6e 73 69 74 69 6f 6e 20 64 75 72 61 74 69 6f 6e 2d 32 30 30 20 66 6f 63 75 73 3a 6f 75 74 6c 69 6e 65 2d 6e 6f 6e 65 20 66 6f 63 75 73 3a 72 69 6e 67 2d 67 72 61 79 2d 38 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 43 6c 69 65 6e 74 20 41 72 65 61 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2e 2f 72 65 67 69 73 74 65 72 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 77 68 69 74 65 20 66 6f 63 75 73 3a 72 69 6e 67 2d 30 20 66 6f 6e 74 2d 6d 65 64 69 75 6d 20 72 6f 75 6e 64 65 64 2d 6c 67 20 74 Data Ascii: acity-60 transition duration-200 focus:outline-none focus:ring-gray-800"> Client Area </a> <a href="./register" class="text-white focus:ring-0 font-medium rounded-lg t
2024-10-20 21:30:36 UTC	1369	IN	Data Raw: 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 2d 72 75 6c 65 3d 22 65 76 65 6e 6f 64 64 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 4d 34 2e 32 39 33 20 34 2e 32 39 33 61 31 20 31 20 30 20 30 31 31 2e 34 31 34 20 30 4c 31 30 20 38 2e 35 38 36 6c 34 2e 32 39 33 2d 34 2e 32 39 33 61 31 20 31 20 30 20 31 31 31 2e 34 31 34 20 31 2e 34 31 34 4c 31 31 2e 34 31 34 20 31 30 6c 34 2e 32 39 33 20 34 2e 32 39 33 61 31 20 31 20 30 20 30 31 2d 31 2e 34 31 34 20 31 2e 34 31 34 4c 31 30 20 31 31 2e 34 31 34 6c 2d 34 2e 32 39 33 20 34 2e 32 39 Data Ascii: s="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M4.293 4.293a1 1 0 011.414 0L10 8.586l4.293-4.293a1 1 0 111.414 1.414L11.414 10l4.293 4.293a1 1 0 01-1.414 1.414L10 11.414l-4.293 4.29
2024-10-20 21:30:36 UTC	1369	IN	Data Raw: 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 69 64 3d 22 6d 6d 2d 62 75 74 74 6f 6e 22 20 64 61 74 61 2d 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 3d 22 6d 6d 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6c 61 73 73 3d 22 66 6c 65 78 20 6a 75 73 74 69 66 79 2d 62 65 74 77 65 65 6e 20 69 74 65 6d 73 2d 63 65 6e 74 65 72 20 70 79 2d 32 20 70 72 2d 34 20 70 6c 2d 33 20 77 2d 66 75 6c 6c 20 66 6f 6e 74 2d 6d 65 64 69 75 6d 20 62 6f 72 64 65 72 2d Data Ascii: </a> </li> <li> <button id="mm-button" data-dropdown-toggle="mm" class="flex justify-between items-center py-2 pr-4 pl-3 w-full font-medium border-
2024-10-20 21:30:36 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 79 6f 75 74 75 62 65 2e 63 6f 6d 2f 6b 65 79 61 75 74 68 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6c 61 73 73 3d 22 66 6c 65 78 20 69 74 65 6d 73 2d 63 65 6e 74 65 72 20 70 2d 33 20 72 6f 75 6e 64 65 64 2d 6c 67 20 68 6f 76 65 72 3a 62 67 2d 5b 23 30 66 30 66 31 37 5d 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 Data Ascii: <a href="https://youtube.com/keyauth" target="_blank" class="flex items-center p-3 rounded-lg hover:bg-[#0f0f17]"> <div class
2024-10-20 21:30:36 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 45 78 70 6c 6f 72 65 20 4f 75 72 20 59 6f 75 54 75 62 65 20 43 68 61 6e 6e 65 6c 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 73 6d 20 66 6f 6e 74 2d 6c 69 67 68 74 20 74 65 78 74 2d 67 72 61 79 2d 34 30 30 22 3e 57 61 74 63 68 20 46 65 61 74 75 72 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: Explore Our YouTube Channel </div> <div class="text-sm font-light text-gray-400">Watch Feature

Target ID:	0
Start time:	17:30:33
Start date:	20/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16016.24947.exe"
Imagebase:	0x7ff6e0f20000
File size:	1'971'712 bytes
MD5 hash:	59A1F2C02E1AD06450EDB6A3E66B0B16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:30:33
Start date:	20/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:30:36
Start date:	20/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 524 -s 1520
Imagebase:	0x7ff6f72a0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.3%
Total number of Nodes:	345
Total number of Limit Nodes:	15

Executed Functions

Function 00007FF6E0F36360 Relevance: 149.5, APIs: 70, Strings: 15, Instructions: 786
sleepprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F363BA
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF6E0F363CD
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF6E0F3640A
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF6E0F36440
SetConsoleTitleA.KERNEL32 ref: 00007FF6E0F364C0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F364FB
GetConsoleWindow.KERNELBASE ref: 00007FF6E0F36507
GetWindowLongPtrW.USER32 ref: 00007FF6E0F36518
SetWindowLongPtrW.USER32 ref: 00007FF6E0F3652E
SetLayeredWindowAttributes.USER32 ref: 00007FF6E0F36542
GetStdHandle.KERNEL32 ref: 00007FF6E0F3654D
SetConsoleWindowInfo.KERNELBASE ref: 00007FF6E0F3657F
SetConsoleScreenBufferSize.KERNELBASE ref: 00007FF6E0F3658E
GetStdHandle.KERNEL32 ref: 00007FF6E0F3659E
SetConsoleTextAttribute.KERNELBASE ref: 00007FF6E0F365AA

Part of subcall function 00007FF6E0F3BD80: memmove.VCRUNTIME140(?,?,?,?,?,00000007,?,00007FF6E0F399EC), ref: 00007FF6E0F3BE64

FindWindowW.USER32 ref: 00007FF6E0F365B9
SleepEx.KERNELBASE ref: 00007FF6E0F36665
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F3666E
Sleep.KERNEL32 ref: 00007FF6E0F3667A
GetStdHandle.KERNEL32 ref: 00007FF6E0F36685
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F36693
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F366A5
GetStdHandle.KERNEL32 ref: 00007FF6E0F366B5
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F366C3
GetStdHandle.KERNEL32 ref: 00007FF6E0F366DA
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F366E8
GetStdHandle.KERNEL32 ref: 00007FF6E0F366FF
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F3670D
GetStdHandle.KERNEL32 ref: 00007FF6E0F36724
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F36732
Sleep.KERNEL32 ref: 00007FF6E0F36749
CreateFileA.KERNEL32 ref: 00007FF6E0F36776
GetStdHandle.KERNEL32 ref: 00007FF6E0F367A7
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F367B5
GetStdHandle.KERNEL32 ref: 00007FF6E0F367CC
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F367DA
GetStdHandle.KERNEL32 ref: 00007FF6E0F367F1
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F367FF
Sleep.KERNEL32 ref: 00007FF6E0F36816
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F36823
FindWindowA.USER32 ref: 00007FF6E0F3687C

Part of subcall function 00007FF6E0F340A0: GetStdHandle.KERNEL32 ref: 00007FF6E0F340AE

Part of subcall function 00007FF6E0F21CA0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F21CC4
Part of subcall function 00007FF6E0F21CA0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F21CE5

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6E0F36897
Sleep.KERNEL32 ref: 00007FF6E0F36A5F
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F36A7A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6E0F36A8E
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6E0F36C64
Process32FirstW.KERNEL32 ref: 00007FF6E0F36C7B
lstrcmpiW.KERNEL32 ref: 00007FF6E0F36C90
Process32NextW.KERNEL32 ref: 00007FF6E0F36CA5
CloseHandle.KERNEL32 ref: 00007FF6E0F36CB2
DeviceIoControl.KERNEL32 ref: 00007FF6E0F36D0C
DeviceIoControl.KERNEL32 ref: 00007FF6E0F36D6A
GetConsoleWindow.KERNEL32 ref: 00007FF6E0F36D70
ShowWindow.USER32 ref: 00007FF6E0F36D7B

Part of subcall function 00007FF6E0F2AE10: GetClientRect.USER32 ref: 00007FF6E0F2AE2B
Part of subcall function 00007FF6E0F2AE10: ClientToScreen.USER32 ref: 00007FF6E0F2AE3D
Part of subcall function 00007FF6E0F2AE10: FindWindowA.USER32 ref: 00007FF6E0F2AE8E
Part of subcall function 00007FF6E0F2AE10: DwmExtendFrameIntoClientArea.DWMAPI ref: 00007FF6E0F2AEC1
Part of subcall function 00007FF6E0F2AE10: SetLayeredWindowAttributes.USER32 ref: 00007FF6E0F2AED9
Part of subcall function 00007FF6E0F2AE10: ShowWindow.USER32 ref: 00007FF6E0F2AEEB
Part of subcall function 00007FF6E0F2AE10: UpdateWindow.USER32 ref: 00007FF6E0F2AEF8

Part of subcall function 00007FF6E0F2AB40: D3D11CreateDeviceAndSwapChain.D3D11 ref: 00007FF6E0F2AC19

CreateThread.KERNEL32 ref: 00007FF6E0F36DA2

Part of subcall function 00007FF6E0F333E0: PeekMessageW.USER32 ref: 00007FF6E0F3342C

_Mtx_lock.MSVCP140 ref: 00007FF6E0F36DBE
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F36DCD
CloseHandle.KERNEL32 ref: 00007FF6E0F36DD4
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F36E02
_Thrd_id.MSVCP140 ref: 00007FF6E0F36E4C
_Thrd_join.MSVCP140 ref: 00007FF6E0F36E64
_Mtx_unlock.MSVCP140 ref: 00007FF6E0F36E80
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F36EB9
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F36EC5
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F36ED1
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F36EE8
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6E0F36EFD
Sleep.KERNEL32 ref: 00007FF6E0F370C8
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F370D0
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F370F7

Strings

\\.\microsoftAudioDriver, xrefs: 00007FF6E0F3676F
vgk.sys, xrefs: 00007FF6E0F36CC6
Driver Vthread Initialized., xrefs: 00007FF6E0F36805
[ Selecione uma opcao: ], xrefs: 00007FF6E0F365F0
Open Your Game... , xrefs: 00007FF6E0F36654
VALORANT-Win64-Shipping.exe, xrefs: 00007FF6E0F36C85
cls, xrefs: 00007FF6E0F3669E, 00007FF6E0F3681C, 00007FF6E0F36A73
,!'-jFM, xrefs: 00007FF6E0F36AA2
##########################################################, xrefs: 00007FF6E0F36604
.exe, xrefs: 00007FF6E0F363D6
##########################################################, xrefs: 00007FF6E0F365DC
VALORANT , xrefs: 00007FF6E0F365B0
5)'>eFM, xrefs: 00007FF6E0F368AB
Starting Vthread., xrefs: 00007FF6E0F36738
kl, xrefs: 00007FF6E0F36850

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Console$HandleWindow$AttributeText$SleepV01@$Cpp_error@std@@Throw_$Create$??6?$basic_ostream@ClientD@std@@@std@@DeviceFindU?$char_traits@V01@@randsystem$AttributesCloseControlLayeredLongProcess32ScreenShow_invalid_parameter_noinfo_noreturnexit$AreaBufferChainExtendFileFirstFrameInfoIntoMessageMtx_lockMtx_unlockNextPeekRectSizeSnapshotSwapThrd_idThrd_joinThreadTitleToolhelp32Update__acrt_iob_func__stdio_common_vfprintf_beginthreadexlstrcmpimallocmemmoveterminate
String ID: Driver Vthread Initialized.$ Open Your Game... $ Starting Vthread.$##########################################################$##########################################################$,!'-jFM$.exe$5)'>eFM$VALORANT $VALORANT-Win64-Shipping.exe$[ Selecione uma opcao: ]$\\.\microsoftAudioDriver$cls$kl$vgk.sys
API String ID: 1943210890-3947519506
Opcode ID: 9f36b3f606e20f4bfcc886b315925da258238f699dc3a02ce909f7a4397846c4
Instruction ID: f490e9b225bbc4f764f82ec644821951395edaeefd1ad24bafe514a547316328
Opcode Fuzzy Hash: 9f36b3f606e20f4bfcc886b315925da258238f699dc3a02ce909f7a4397846c4
Instruction Fuzzy Hash: 77820827E1D7425AF7129B34E8053B86364EF95790F40C336E90DA67A5EF3EE085930A

Function 00007FF6E0F34FE0 Relevance: 77.5, APIs: 3, Strings: 41, Instructions: 502
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E0F37650: ?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z.MSVCP140(00000000,0000000826299E00,7FFFFFFFFFFFFFFF,00007FF6E0F35004), ref: 00007FF6E0F37670
Part of subcall function 00007FF6E0F37650: ??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z.MSVCP140 ref: 00007FF6E0F376C4
Part of subcall function 00007FF6E0F37650: ?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z.MSVCP140 ref: 00007FF6E0F376E0
Part of subcall function 00007FF6E0F37650: ??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF6E0F376F0
Part of subcall function 00007FF6E0F37650: ?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z.MSVCP140 ref: 00007FF6E0F376FF
Part of subcall function 00007FF6E0F37650: ??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z.MSVCP140 ref: 00007FF6E0F37713

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6E0F35038

Strings

cheatuser-x86_64.exe, xrefs: 00007FF6E0F35BB6
fiddler.exe, xrefs: 00007FF6E0F35C2E
lighthouse.exe, xrefs: 00007FF6E0F35BA2
FileAlyzer2.exe, xrefs: 00007FF6E0F3525F
cffexplorer.exe, xrefs: 00007FF6E0F35BF2
dnSpy.exe, xrefs: 00007FF6E0F35C92
reclass.exe, xrefs: 00007FF6E0F35B7A
die.exe, xrefs: 00007FF6E0F35306
win64.exe, xrefs: 00007FF6E0F3522C
dwnejfe.exe, xrefs: 00007FF6E0F3521B
diel.exe, xrefs: 00007FF6E0F352D2
HxD.exe, xrefs: 00007FF6E0F357F6
idaw.exe, xrefs: 00007FF6E0F3591A
4.exe, xrefs: 00007FF6E0F35AC8
winhex.exe, xrefs: 00007FF6E0F35C06
x32dbg.exe, xrefs: 00007FF6E0F359EE
ida-x86emu.exe, xrefs: 00007FF6E0F35BDE
diec.exe, xrefs: 00007FF6E0F3520A
heyrays.exe, xrefs: 00007FF6E0F35B8E
idaq.exe, xrefs: 00007FF6E0F358E5
4.exe, xrefs: 00007FF6E0F35505
pexplorer.exe, xrefs: 00007FF6E0F352BE
idag.exe, xrefs: 00007FF6E0F3594F
Cheat user.exe, xrefs: 00007FF6E0F35C7E
httpdebugger.exe, xrefs: 00007FF6E0F35C42
reclass.net.exe, xrefs: 00007FF6E0F35B66
ida.exe, xrefs: 00007FF6E0F35B4C
.exe, xrefs: 00007FF6E0F35873
SystemInformer.exe, xrefs: 00007FF6E0F3523D
scylla.exe, xrefs: 00007FF6E0F35C6A
k.exe, xrefs: 00007FF6E0F35463
dnSpy.Console.exe, xrefs: 00007FF6E0F35CA6
classinformer.exe, xrefs: 00007FF6E0F35BCA
64.exe, xrefs: 00007FF6E0F356E1
ResourceHacker.exe, xrefs: 00007FF6E0F35270
86.exe, xrefs: 00007FF6E0F35690
PPEE.exe, xrefs: 00007FF6E0F35352
processhacker.exe, xrefs: 00007FF6E0F3524E
httpdebuggerpro.exe, xrefs: 00007FF6E0F35C56
PEiD.exe, xrefs: 00007FF6E0F3541E
hiew.exe, xrefs: 00007FF6E0F35C1A

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Locimp@locale@std@@$??0?$codecvt@_??4?$_Addfac@_Bid@locale@std@@CreateD@std@@Init@locale@std@@Locimp@12@_Locimp@_Mbstatet@@@std@@New_SnapshotToolhelp32V01@V123@V123@@Vfacet@23@_Yarn@
String ID: .exe$4.exe$4.exe$64.exe$86.exe$Cheat user.exe$FileAlyzer2.exe$HxD.exe$PEiD.exe$PPEE.exe$ResourceHacker.exe$SystemInformer.exe$cffexplorer.exe$cheatuser-x86_64.exe$classinformer.exe$die.exe$diec.exe$diel.exe$dnSpy.Console.exe$dnSpy.exe$dwnejfe.exe$fiddler.exe$heyrays.exe$hiew.exe$httpdebugger.exe$httpdebuggerpro.exe$ida-x86emu.exe$ida.exe$idag.exe$idaq.exe$idaw.exe$k.exe$lighthouse.exe$pexplorer.exe$processhacker.exe$reclass.exe$reclass.net.exe$scylla.exe$win64.exe$winhex.exe$x32dbg.exe
API String ID: 2343168805-1961145104
Opcode ID: c3e03b8adf3b7e16675a791af24489203777c2b2a839e617e2b3a63e8da767cf
Instruction ID: dc0ce595441b5b84d562b02536896cadb6cbd99c2d68e6d91356a92f88753d59
Opcode Fuzzy Hash: c3e03b8adf3b7e16675a791af24489203777c2b2a839e617e2b3a63e8da767cf
Instruction Fuzzy Hash: D1622E33919BC699E371DF34D8443E93761FB99308F005226E64C9AA9AEF7D92C4D306

Function 00007FF6E0F34940 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 257
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WinHttpOpen.WINHTTP ref: 00007FF6E0F349A6
WinHttpConnect.WINHTTP ref: 00007FF6E0F349CB
WinHttpOpenRequest.WINHTTP ref: 00007FF6E0F349FF
WinHttpSendRequest.WINHTTP ref: 00007FF6E0F34A2B
WinHttpReceiveResponse.WINHTTP ref: 00007FF6E0F34A3E
WinHttpQueryOption.WINHTTP ref: 00007FF6E0F34A71
CertGetCertificateContextProperty.CRYPT32 ref: 00007FF6E0F34AA7
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6E0F34AC4
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF6E0F34AE1
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6E0F34B12
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF6E0F34B39
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140 ref: 00007FF6E0F34B6A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF6E0F34B94
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F34CC9
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF6E0F34D09
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF6E0F34D13
CertFreeCertificateContext.CRYPT32 ref: 00007FF6E0F34D20
WinHttpCloseHandle.WINHTTP ref: 00007FF6E0F34D29
WinHttpCloseHandle.WINHTTP ref: 00007FF6E0F34D32
WinHttpCloseHandle.WINHTTP ref: 00007FF6E0F34D3B

Strings

CPlusPlusExample/1.0, xrefs: 00007FF6E0F3499F
GET, xrefs: 00007FF6E0F349F5
keyauth.win, xrefs: 00007FF6E0F349C1

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Http$U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@CertCertificateContextOpenRequestV01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?setw@std@@ConnectD@std@@@1@_FreeJ@1@_OptionPropertyQueryReceiveResponseSendSmanip@_U?$_V21@@V?$basic_streambuf@Vios_base@1@_invalid_parameter_noinfo_noreturn
String ID: CPlusPlusExample/1.0$GET$keyauth.win
API String ID: 2344859291-1529245692
Opcode ID: 76fb52107803df46b426446c85598395f463a36c9e26fae472db02fe6bd6d13d
Instruction ID: 1c6405800ee6d382fe10d36dc3c8a824e9859f96b3ecc22af9b203ce4d542803
Opcode Fuzzy Hash: 76fb52107803df46b426446c85598395f463a36c9e26fae472db02fe6bd6d13d
Instruction Fuzzy Hash: A5C1AD73A08B8299EB20CB28E8443AD77A0FB85798F009135CE4D97764DF3EE585C705

Function 00007FF6E104E9B8 Relevance: 4.6, APIs: 3, Instructions: 127
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E104E9E8

Part of subcall function 00007FF6E104F6AC: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6E104F6B5
Part of subcall function 00007FF6E104F6AC: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF6E104E9ED,?,?,?,00007FF6E0F3CAAF,?,?,?), ref: 00007FF6E104F6C6

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E104E9EE

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task$ExceptionThrowmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 594857686-0
Opcode ID: 53d6e03f930659f355d0cf4d5bf5eb3ddbb1491ea649c811fe1b954bc48458ff
Instruction ID: 7526537ae43a38d984e46c97be8b29d1aea52f8539f572ce9eacfd2ddc26af0a
Opcode Fuzzy Hash: 53d6e03f930659f355d0cf4d5bf5eb3ddbb1491ea649c811fe1b954bc48458ff
Instruction Fuzzy Hash: 4651F673D1C20286F7649F29B8913753A94FBA8360F108135E96DC37D0CE3EE4519B5A

Function 00007FF6E0F34DD0 Relevance: 87.6, APIs: 7, Strings: 43, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcmp.VCRUNTIME140 ref: 00007FF6E0F34E63
_Mtx_lock.MSVCP140 ref: 00007FF6E0F34E77
_Mtx_unlock.MSVCP140 ref: 00007FF6E0F34ECB

Part of subcall function 00007FF6E0F21E20: _Query_perf_frequency.MSVCP140 ref: 00007FF6E0F21E2D
Part of subcall function 00007FF6E0F21E20: _Query_perf_counter.MSVCP140 ref: 00007FF6E0F21E36

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F34FAD
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F34FC3
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F34FCF
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F34FD8

Part of subcall function 00007FF6E0F34940: WinHttpOpen.WINHTTP ref: 00007FF6E0F349A6
Part of subcall function 00007FF6E0F34940: WinHttpConnect.WINHTTP ref: 00007FF6E0F349CB
Part of subcall function 00007FF6E0F34940: WinHttpOpenRequest.WINHTTP ref: 00007FF6E0F349FF
Part of subcall function 00007FF6E0F34940: WinHttpSendRequest.WINHTTP ref: 00007FF6E0F34A2B
Part of subcall function 00007FF6E0F34940: WinHttpReceiveResponse.WINHTTP ref: 00007FF6E0F34A3E
Part of subcall function 00007FF6E0F34940: WinHttpQueryOption.WINHTTP ref: 00007FF6E0F34A71
Part of subcall function 00007FF6E0F34940: CertGetCertificateContextProperty.CRYPT32 ref: 00007FF6E0F34AA7
Part of subcall function 00007FF6E0F34940: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6E0F34AC4
Part of subcall function 00007FF6E0F34940: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF6E0F34AE1

Strings

cheatuser-x86_64.exe, xrefs: 00007FF6E0F35BB6
fiddler.exe, xrefs: 00007FF6E0F35C2E
lighthouse.exe, xrefs: 00007FF6E0F35BA2
FileAlyzer2.exe, xrefs: 00007FF6E0F3525F
cffexplorer.exe, xrefs: 00007FF6E0F35BF2
dnSpy.exe, xrefs: 00007FF6E0F35C92
reclass.exe, xrefs: 00007FF6E0F35B7A
die.exe, xrefs: 00007FF6E0F35306
win64.exe, xrefs: 00007FF6E0F3522C
dwnejfe.exe, xrefs: 00007FF6E0F3521B
diel.exe, xrefs: 00007FF6E0F352D2
f692b2828aa525d4513302117535c6c0d0cb304f574a1cd32ef3e1d07129217a, xrefs: 00007FF6E0F34E5C
HxD.exe, xrefs: 00007FF6E0F357F6
idaw.exe, xrefs: 00007FF6E0F3591A
4.exe, xrefs: 00007FF6E0F35AC8
winhex.exe, xrefs: 00007FF6E0F35C06
x32dbg.exe, xrefs: 00007FF6E0F359EE
ida-x86emu.exe, xrefs: 00007FF6E0F35BDE
diec.exe, xrefs: 00007FF6E0F3520A
heyrays.exe, xrefs: 00007FF6E0F35B8E
idaq.exe, xrefs: 00007FF6E0F358E5
4.exe, xrefs: 00007FF6E0F35505
pexplorer.exe, xrefs: 00007FF6E0F352BE
idag.exe, xrefs: 00007FF6E0F3594F
Cheat user.exe, xrefs: 00007FF6E0F35C7E
httpdebugger.exe, xrefs: 00007FF6E0F35C42
reclass.net.exe, xrefs: 00007FF6E0F35B66
ida.exe, xrefs: 00007FF6E0F35B4C
.exe, xrefs: 00007FF6E0F35873
SystemInformer.exe, xrefs: 00007FF6E0F3523D
scylla.exe, xrefs: 00007FF6E0F35C6A
k.exe, xrefs: 00007FF6E0F35463
dnSpy.Console.exe, xrefs: 00007FF6E0F35CA6
classinformer.exe, xrefs: 00007FF6E0F35BCA
64.exe, xrefs: 00007FF6E0F356E1
ResourceHacker.exe, xrefs: 00007FF6E0F35270
@, xrefs: 00007FF6E0F34E4A
86.exe, xrefs: 00007FF6E0F35690
PPEE.exe, xrefs: 00007FF6E0F35352
processhacker.exe, xrefs: 00007FF6E0F3524E
httpdebuggerpro.exe, xrefs: 00007FF6E0F35C56
PEiD.exe, xrefs: 00007FF6E0F3541E
hiew.exe, xrefs: 00007FF6E0F35C1A

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Http$U?$char_traits@$Cpp_error@std@@D@std@@@std@@OpenRequestThrow_$??0?$basic_ios@??0?$basic_ostream@CertCertificateConnectContextD@std@@@1@_Mtx_lockMtx_unlockOptionPropertyQueryQuery_perf_counterQuery_perf_frequencyReceiveResponseSendV?$basic_streambuf@_invalid_parameter_noinfo_noreturnexitmemcmp
String ID: .exe$4.exe$4.exe$64.exe$86.exe$@$Cheat user.exe$FileAlyzer2.exe$HxD.exe$PEiD.exe$PPEE.exe$ResourceHacker.exe$SystemInformer.exe$cffexplorer.exe$cheatuser-x86_64.exe$classinformer.exe$die.exe$diec.exe$diel.exe$dnSpy.Console.exe$dnSpy.exe$dwnejfe.exe$f692b2828aa525d4513302117535c6c0d0cb304f574a1cd32ef3e1d07129217a$fiddler.exe$heyrays.exe$hiew.exe$httpdebugger.exe$httpdebuggerpro.exe$ida-x86emu.exe$ida.exe$idag.exe$idaq.exe$idaw.exe$k.exe$lighthouse.exe$pexplorer.exe$processhacker.exe$reclass.exe$reclass.net.exe$scylla.exe$win64.exe$winhex.exe$x32dbg.exe
API String ID: 1146069243-3170461996
Opcode ID: 70b7c1f5f14d12319fcd2ddff2011f0e98d7ceb3c5dfc6a4770faa5bb569fafe
Instruction ID: 7855eda4492a7d499f08c83e7407ee00ca3c579efb404664713ba0c8edb098fb
Opcode Fuzzy Hash: 70b7c1f5f14d12319fcd2ddff2011f0e98d7ceb3c5dfc6a4770faa5bb569fafe
Instruction Fuzzy Hash: 49510333A0C98291EF20DB25E4543B96361FB88BB5F180231DA6DC77E4DE2EF451870A

Function 00007FF6E0F3AD10 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

_Mtx_lock.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00007FF6E0F3AD70
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00007FF6E0F3AD7F
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00007FF6E0F3ADA0
_Mtx_unlock.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00007FF6E0F3ADC0
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F3AE6B
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F3AE92
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F3AEE2

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Cpp_error@std@@Throw_$Mtx_lockMtx_unlock_beginthreadexmallocterminate
String ID:
API String ID: 3634671060-0
Opcode ID: 28c52da82be45505f6009b59e4fe53fcb42fbfb8414ee4bac3e47d65a4b3d3d1
Instruction ID: 462b123894674cf56bc304537ac92ca6423c985c95305e9b3dd432df9f97c7bc
Opcode Fuzzy Hash: 28c52da82be45505f6009b59e4fe53fcb42fbfb8414ee4bac3e47d65a4b3d3d1
Instruction Fuzzy Hash: 58517033908B819AE310CF15F8843A9B7A4FB88765F158139EA8D837A4DF3DE494DB05

Function 00007FF6E0F3AEF0 Relevance: 10.6, APIs: 7, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

_Mtx_lock.MSVCP140 ref: 00007FF6E0F3AF4D
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F3AF5C
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F3AF7D
_Mtx_unlock.MSVCP140 ref: 00007FF6E0F3AF9D
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F3B033
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F3B05A
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F3B0AD

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Cpp_error@std@@Throw_$Mtx_lockMtx_unlock_beginthreadexmallocterminate
String ID:
API String ID: 3634671060-0
Opcode ID: bcceb0cec1f97f0602c2d04aace7fefc6d1f041fe6b017a56f27343bfc1d7e7d
Instruction ID: 5dc6210550f4cad43ef50524934ddf26ccfc3d5595ba4510c0f78f71406dac2b
Opcode Fuzzy Hash: bcceb0cec1f97f0602c2d04aace7fefc6d1f041fe6b017a56f27343bfc1d7e7d
Instruction Fuzzy Hash: 47515333918B8196E3108F14F85036AB3A4FB88755F648139EB9D837A4DF3EE494CB45

Function 00007FF6E0F37650 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z.MSVCP140(00000000,0000000826299E00,7FFFFFFFFFFFFFFF,00007FF6E0F35004), ref: 00007FF6E0F37670

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z.MSVCP140 ref: 00007FF6E0F376C4
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z.MSVCP140 ref: 00007FF6E0F376E0
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF6E0F376F0
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z.MSVCP140 ref: 00007FF6E0F376FF
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z.MSVCP140 ref: 00007FF6E0F37713

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Locimp@locale@std@@$??0?$codecvt@_??4?$_Addfac@_Bid@locale@std@@D@std@@Init@locale@std@@Locimp@12@_Locimp@_Mbstatet@@@std@@New_V01@V123@V123@@Vfacet@23@_Yarn@malloc
String ID:
API String ID: 3292048638-0
Opcode ID: 66e093aeb6dd807e91febac5bf55b77bf205a372f9930f4f0adf4d41f8fe1b5a
Instruction ID: c3122f3debc85d358a3cfd675cdaf75d329c838a08b3d057e4fdb4219dce57eb
Opcode Fuzzy Hash: 66e093aeb6dd807e91febac5bf55b77bf205a372f9930f4f0adf4d41f8fe1b5a
Instruction Fuzzy Hash: B5314C37A09B4196DB21CF22E854269B7A0FB98B84F548135CB8E47B60EF3DF094C345

Function 00007FF6E0F346D0 Relevance: 6.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Mtx_lock.MSVCP140 ref: 00007FF6E0F34735
_Mtx_unlock.MSVCP140 ref: 00007FF6E0F34789

Part of subcall function 00007FF6E0F21E20: _Query_perf_frequency.MSVCP140 ref: 00007FF6E0F21E2D
Part of subcall function 00007FF6E0F21E20: _Query_perf_counter.MSVCP140 ref: 00007FF6E0F21E36

?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F34832
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F3483E

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Cpp_error@std@@Throw_$Mtx_lockMtx_unlockQuery_perf_counterQuery_perf_frequency
String ID:
API String ID: 481711783-0
Opcode ID: c492696b3c5f280ab61053ad421f802069850a95b8c839fb6dcf88c2f72e2f6e
Instruction ID: 71be1ef49ad82820dbc5041d81275c79f828211111e66bf79ba0e59550764f22
Opcode Fuzzy Hash: c492696b3c5f280ab61053ad421f802069850a95b8c839fb6dcf88c2f72e2f6e
Instruction Fuzzy Hash: BD51E333A0CA8192EB008B25E4543B973A0FB89BB5F184231DE6D873E4DE2EF451C746

Function 00007FF6E0F3BD80 Relevance: 6.1, APIs: 4, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memmove.VCRUNTIME140(?,?,?,?,?,00000007,?,00007FF6E0F399EC), ref: 00007FF6E0F3BE64
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000007,?,00007FF6E0F399EC), ref: 00007FF6E0F3BEA2
memmove.VCRUNTIME140(?,?,?,?,?,00000007,?,00007FF6E0F399EC), ref: 00007FF6E0F3BEAC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3BEE5

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: b54864fce6e6956a27d2ec706ea50c6ee376890324503eb0eb48e0f0e4d485de
Instruction ID: 9243efff9d0e281f292d6cbe9895983e3e546503403ea4231ded53a706bbf930
Opcode Fuzzy Hash: b54864fce6e6956a27d2ec706ea50c6ee376890324503eb0eb48e0f0e4d485de
Instruction Fuzzy Hash: 5531E723B0C782A4EB10DB1AA5583EDA355EB08BE4F580635DF6D477D5CE7DD0A1830A

Function 00007FF6E0F39540 Relevance: 6.1, APIs: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF6E0F3387F,00000000,?,0000000100000000,00007FF6E0F21AAF), ref: 00007FF6E0F39609

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

memmove.VCRUNTIME140(?,?,?,00007FF6E0F3387F,00000000,?,0000000100000000,00007FF6E0F21AAF), ref: 00007FF6E0F3962F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F39653
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF6E0F3387F,00000000,?,0000000100000000,00007FF6E0F21AAF), ref: 00007FF6E0F39679

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: ??1?$codecvt@_Concurrency::cancel_current_taskMbstatet@@@std@@_invalid_parameter_noinfo_noreturnmallocmemmove
String ID:
API String ID: 3548894795-0
Opcode ID: 955c87368599865223c2b5a780084534dba9531e1e6c5db3102cb5423f5dbde1
Instruction ID: 50b04f75ac36b770068d09b732419188c54b96be643817c8d1d6d0599d993b2f
Opcode Fuzzy Hash: 955c87368599865223c2b5a780084534dba9531e1e6c5db3102cb5423f5dbde1
Instruction Fuzzy Hash: 9531F523E0EB4191EB54DB11E1453B96391EB58BA4F248230DE6D87BD5DE3EE4E28306

Function 00007FF6E0F387B0 Relevance: 3.1, APIs: 2, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000000,00000000,00007FF6E0F35CDE), ref: 00007FF6E0F38836
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F388B7

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1934640635-0
Opcode ID: 21e97d7132631db130ee94c7dcc0a1b601b24c5ff6f0871c3160112d850cf02e
Instruction ID: 7120bed96ee9a325043dcc21c3b4f7a54dbf7c1a98ea12a2f3162acf9fdc3100
Opcode Fuzzy Hash: 21e97d7132631db130ee94c7dcc0a1b601b24c5ff6f0871c3160112d850cf02e
Instruction Fuzzy Hash: E721A233A09B5195E6209F15F4442ADB264FB48BB0F984634DEAC87BD9CF3DE462C306

Function 00007FF6E0F3CCC0 Relevance: 3.1, APIs: 2, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E0F21E20: _Query_perf_frequency.MSVCP140 ref: 00007FF6E0F21E2D
Part of subcall function 00007FF6E0F21E20: _Query_perf_counter.MSVCP140 ref: 00007FF6E0F21E36

_Xtime_get_ticks.MSVCP140(7FFFFFFFFFFFFFFF), ref: 00007FF6E0F3CD0F
_Thrd_sleep.MSVCP140 ref: 00007FF6E0F3CD66

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Query_perf_counterQuery_perf_frequencyThrd_sleepXtime_get_ticks
String ID:
API String ID: 3083224308-0
Opcode ID: e55f8217efe52587a9eb3d69aa0afc5f58ed2a7be70e2a3f10f11b99176606c8
Instruction ID: 421a7c890678f29bdcc2caca53d057188ff0bff594a75452ea5117560caf2de2
Opcode Fuzzy Hash: e55f8217efe52587a9eb3d69aa0afc5f58ed2a7be70e2a3f10f11b99176606c8
Instruction Fuzzy Hash: 80113323A1CA8092D6218F29A5041EAE361BF887D0F489132EE8E97B54DF3DE152C785

Function 00007FF6E0F21CA0 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F21CC4
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F21CE5

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID:
API String ID: 2168557111-0
Opcode ID: 0d18e9739dffa28ebcd644bd9cce1527354edc6baae798023aa3f60e661aa744
Instruction ID: c899aa3097a190ff41e69c39a4c90955722f18567cb34c5f2290ef51c79c1040
Opcode Fuzzy Hash: 0d18e9739dffa28ebcd644bd9cce1527354edc6baae798023aa3f60e661aa744
Instruction Fuzzy Hash: A5E01C32608B8192D6109B50F81459AB7A4FB987D4F804035EA8C47A24CF7CC5A4C744

Function 00007FF6E0F3DBE0 Relevance: 1.7, APIs: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Cnd_do_broadcast_at_thread_exit.MSVCP140 ref: 00007FF6E0F3DE3B

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Cnd_do_broadcast_at_thread_exit
String ID:
API String ID: 2632783013-0
Opcode ID: c97caf807c03d534e82afa8e46687a87471c788bb32c9a3c2b8cdc60ff39adb9
Instruction ID: f7a0183d269a97d5f956a799fd1ee8da7a688283f2bd778111c82ec8f235ce5b
Opcode Fuzzy Hash: c97caf807c03d534e82afa8e46687a87471c788bb32c9a3c2b8cdc60ff39adb9
Instruction Fuzzy Hash: 3C61DF23A18B8492DB208F15E8445AAB3A0F75CBE0F940231EF9D87B44DF3DE5A1C705

Function 00007FF6E0F3E380 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

_Cnd_do_broadcast_at_thread_exit.MSVCP140 ref: 00007FF6E0F3E3C3

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Cnd_do_broadcast_at_thread_exit
String ID:
API String ID: 2632783013-0
Opcode ID: 51b7f34fb4583c8c12e8e64e5b1cdabec0da864f52199f707b232726c7501472
Instruction ID: 7b5f28ca8525cd62caf5e8dc4dcc91b0a08d11ef389a4517309a63b66160229c
Opcode Fuzzy Hash: 51b7f34fb4583c8c12e8e64e5b1cdabec0da864f52199f707b232726c7501472
Instruction Fuzzy Hash: 6E111C37609B9482DB608F2AE44026D77A0FB88FA4B298535DE9D477A8CF3DC853C745

Function 00007FF6E0F3E420 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_Cnd_do_broadcast_at_thread_exit.MSVCP140 ref: 00007FF6E0F3E460

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Cnd_do_broadcast_at_thread_exit
String ID:
API String ID: 2632783013-0
Opcode ID: 728eb66af6d14cdb95bd68163becb7ffc302ba5c84f1b9362943bbf9aedee035
Instruction ID: 90ec6b9081ab44fba777ca0144f65ff2f0cb010e5b269613c3e3b5614d29b42d
Opcode Fuzzy Hash: 728eb66af6d14cdb95bd68163becb7ffc302ba5c84f1b9362943bbf9aedee035
Instruction Fuzzy Hash: 90114C37A08B4482DB50CF29E4842697760FB48FA4B188535EE9D477A8CF3DC852C745

Non-executed Functions

Function 00007FF6E0F90F60 Relevance: 58.7, APIs: 21, Strings: 12, Instructions: 908windowthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF6E0F90FBF
UuidCreate.RPCRT4 ref: 00007FF6E0F91010
UuidToStringA.RPCRT4 ref: 00007FF6E0F9102B
RpcStringFreeA.RPCRT4 ref: 00007FF6E0F91060
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F911AE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F9124D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F9149E

Part of subcall function 00007FF6E0F8FF10: memmove.VCRUNTIME140 ref: 00007FF6E0F8FF8C
Part of subcall function 00007FF6E0F8FF10: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8FFEB
Part of subcall function 00007FF6E0F8FF10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F90025
Part of subcall function 00007FF6E0F8FF10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F90077

Part of subcall function 00007FF6E0F392F0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,00007FF6E0F94F3A), ref: 00007FF6E0F39348

memcmp.VCRUNTIME140 ref: 00007FF6E0F91709
MessageBoxA.USER32 ref: 00007FF6E0F917A1
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F917A9
memset.VCRUNTIME140 ref: 00007FF6E0F91867
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF6E0F91932
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140 ref: 00007FF6E0F91951
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF6E0F9196F
memcmp.VCRUNTIME140 ref: 00007FF6E0F919D0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F9128C

Part of subcall function 00007FF6E0F3A420: memmove.VCRUNTIME140(?,00000000,?,00007FF6E0F22793), ref: 00007FF6E0F3A457

Part of subcall function 00007FF6E0F3C4F0: memmove.VCRUNTIME140 ref: 00007FF6E0F3C57B
Part of subcall function 00007FF6E0F3C4F0: memmove.VCRUNTIME140 ref: 00007FF6E0F3C589
Part of subcall function 00007FF6E0F3C4F0: memmove.VCRUNTIME140 ref: 00007FF6E0F3C59F

MessageBoxA.USER32 ref: 00007FF6E0F92009
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F92011

Strings

BFTG, xrefs: 00007FF6E0F91C9F
9/0$, xrefs: 00007FF6E0F91F28
Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 00007FF6E0F919F4, 00007FF6E0F92F35
B@QU, xrefs: 00007FF6E0F91D93
GN_^, xrefs: 00007FF6E0F917ED
WA, xrefs: 00007FF6E0F91CA7
CEJB, xrefs: 00007FF6E0F930AF
^R\H, xrefs: 00007FF6E0F91312
K\C, xrefs: 00007FF6E0F92F78
ND[C, xrefs: 00007FF6E0F91D89
YN_^, xrefs: 00007FF6E0F91AD4
W]GP, xrefs: 00007FF6E0F92E88

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove$??6?$basic_ostream@CreateD@std@@@std@@MessageStringU?$char_traits@UuidV01@exitmemcmp$?setw@std@@FreeJ@1@_Smanip@_ThreadU?$_V21@@Vios_base@1@memsetsystem
String ID: 9/0$$B@QU$BFTG$CEJB$GN_^$K\C$ND[C$Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: $WA$W]GP$YN_^$^R\H
API String ID: 2665268123-4031576690
Opcode ID: 84d8ac5d04904a86b068fe9a76ba00aba98256ddf3035747397dafdd42d7b1e4
Instruction ID: 1bd7dda0f3de592b798ecc423353724d2414bf20b2298433e5c88aaadf5ab9ec
Opcode Fuzzy Hash: 84d8ac5d04904a86b068fe9a76ba00aba98256ddf3035747397dafdd42d7b1e4
Instruction Fuzzy Hash: A1A2C023A18BC299E720CF74D8843ED7760FB95748F405235DA8D8BAAADF79D284C345

Function 00007FF6E0FA04F0 Relevance: 58.5, APIs: 14, Strings: 19, Instructions: 793stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00000000,?,00000000,?,?,00007FF6E0FA1D47), ref: 00007FF6E0FA0560
strchr.VCRUNTIME140 ref: 00007FF6E0FA05C7
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6E0FA0747
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6E0FA0768
strchr.VCRUNTIME140 ref: 00007FF6E0FA0A3F
strchr.VCRUNTIME140 ref: 00007FF6E0FA0A59
strchr.VCRUNTIME140 ref: 00007FF6E0FA0B78
strrchr.VCRUNTIME140 ref: 00007FF6E0FA0B8A
memmove.VCRUNTIME140 ref: 00007FF6E0FA0BC4
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6E0FA0C38
strchr.VCRUNTIME140 ref: 00007FF6E0FA0C5B
strchr.VCRUNTIME140 ref: 00007FF6E0FA0C70

Strings

#HttpOnly_, xrefs: 00007FF6E0FA0C2E
expires, xrefs: 00007FF6E0FA09D5
secure, xrefs: 00007FF6E0FA07BE
TRUE, xrefs: 00007FF6E0FA0CA7
domain, xrefs: 00007FF6E0FA0871
max-age, xrefs: 00007FF6E0FA09A8
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 00007FF6E0FA1177
__Host-, xrefs: 00007FF6E0FA0761
__Secure-, xrefs: 00007FF6E0FA0740
Replaced, xrefs: 00007FF6E0FA1161
path, xrefs: 00007FF6E0FA081D
httponly, xrefs: 00007FF6E0FA07F6
oversized cookie dropped, name/val %zu + %zu bytes, xrefs: 00007FF6E0FA0ACF
skipped cookie with bad tailmatch domain: %s, xrefs: 00007FF6E0FA095E
%4095[^;=] =%4095[^;], xrefs: 00007FF6E0FA0606
version, xrefs: 00007FF6E0FA097B
FALSE, xrefs: 00007FF6E0FA0CAE, 00007FF6E0FA0EAB
localhost, xrefs: 00007FF6E0FA089F
Added, xrefs: 00007FF6E0FA116D

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: strchr$strncmp$_time64memmovestrrchr
String ID: #HttpOnly_$%4095[^;=] =%4095[^;]$%s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$domain$expires$httponly$localhost$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
API String ID: 3256620195-3844637060
Opcode ID: 16576fa84bea6d26a76e9a8794d52b39e2e09696c3e62eb049dea14e279902f6
Instruction ID: 099916036095ed115fa5420acebbb5471d4be5c4fd62ae20198c094c2316953d
Opcode Fuzzy Hash: 16576fa84bea6d26a76e9a8794d52b39e2e09696c3e62eb049dea14e279902f6
Instruction Fuzzy Hash: 3472AF23A0C78295EB608B65E4503F967B0EF85798F244131CE8E83795DF3EE4A5C71A

Function 00007FF6E0F695F0 Relevance: 55.3, APIs: 36, Instructions: 1294COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E0F6C250: cosf.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF6E0F6964E), ref: 00007FF6E0F6C372

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6967C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6969D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F69709
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F69759
memset.VCRUNTIME140 ref: 00007FF6E0F6977F
memset.VCRUNTIME140 ref: 00007FF6E0F69791
memset.VCRUNTIME140 ref: 00007FF6E0F69949
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6A986
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6A9A7

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free$memset$malloc$cosf
String ID:
API String ID: 808227049-0
Opcode ID: 7a3fe2de1d4b1883a80e2197b072b6e89e11bb6a7a8cfff877e234bd224e51df
Instruction ID: 1f4625cc2574ab7963426c8465a47613b4b2afc43a90e27dbca71cd4070e277d
Opcode Fuzzy Hash: 7a3fe2de1d4b1883a80e2197b072b6e89e11bb6a7a8cfff877e234bd224e51df
Instruction Fuzzy Hash: CCC2EF33A28A858AE7558F36E4443B937A4FF48B84F098236DE4D93794DF3AE850C745

Function 00007FF6E0F45080 Relevance: 48.3, APIs: 15, Strings: 12, Instructions: 1085fileCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F4510B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F451CD
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F4525B
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F45264
acosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F455E3
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F455F2
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F45635
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F45C25
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F45C63
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F45C95
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F45CC7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F45D5A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F45D93
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F45EB8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F45EEA

Strings

NewFrame(): ClearActiveID() because it isn't marked alive anymore!, xrefs: 00007FF6E0F457D5
Right, xrefs: 00007FF6E0F46117
Remap w/ Ctrl+Shift: click anywhere to select new mouse button., xrefs: 00007FF6E0F46137
HoveredId: 0x%08X, xrefs: 00007FF6E0F460F3
333?, xrefs: 00007FF6E0F460D9
Middle, xrefs: 00007FF6E0F46123
(Auto-disabled ImGuiDebugLogFlags_EventClipper to avoid spamming), xrefs: 00007FF6E0F462B3
Click %s Button to break in debugger! (remap w/ Ctrl+Shift), xrefs: 00007FF6E0F4614D
Press ESC to abort picking., xrefs: 00007FF6E0F460FF
Debug##Default, xrefs: 00007FF6E0F462CD
Left, xrefs: 00007FF6E0F4610B
gfff, xrefs: 00007FF6E0F4633B

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free$acosfceilfcosffclosefwritememmove
String ID: (Auto-disabled ImGuiDebugLogFlags_EventClipper to avoid spamming)$333?$Click %s Button to break in debugger! (remap w/ Ctrl+Shift)$Debug##Default$HoveredId: 0x%08X$Left$Middle$NewFrame(): ClearActiveID() because it isn't marked alive anymore!$Press ESC to abort picking.$Remap w/ Ctrl+Shift: click anywhere to select new mouse button.$Right$gfff
API String ID: 496961473-1374454768
Opcode ID: b9ba409065f7aa6e5d3206db531ad31327c954d1ff867caa5d99e44aa73589b1
Instruction ID: be0dcfafbb43a10be0f2c45b20604d6f56be5590f509e8ffdedc02d65942bb83
Opcode Fuzzy Hash: b9ba409065f7aa6e5d3206db531ad31327c954d1ff867caa5d99e44aa73589b1
Instruction Fuzzy Hash: 21C22133A08AC2A6E725DF3595403F977A0EF44B85F088236CF499B396DF3AE5528705

Function 00007FF6E0F228A0 Relevance: 46.6, APIs: 1, Strings: 29, Instructions: 1625COMMON

Download Yara Rule

Strings

4., xrefs: 00007FF6E0F2453A
Misc, xrefs: 00007FF6E0F2356F
"<&$, xrefs: 00007FF6E0F246E7
*!(=, xrefs: 00007FF6E0F23E80
Colors, xrefs: 00007FF6E0F235BD
Enable Visible Check Aimbot, xrefs: 00007FF6E0F237EB
VISUALS, xrefs: 00007FF6E0F23B47, 00007FF6E0F23B7F, 00007FF6E0F23B98
8*, xrefs: 00007FF6E0F24655
Smooth Aimbot, xrefs: 00007FF6E0F23A7D
180v, xrefs: 00007FF6E0F245ED
*#), xrefs: 00007FF6E0F23E13
IMGUI, xrefs: 00007FF6E0F2293A
COLOR PICKER, xrefs: 00007FF6E0F244AE, 00007FF6E0F244E7, 00007FF6E0F24500
Aimbot, xrefs: 00007FF6E0F234DB
##Background, xrefs: 00007FF6E0F229D1, 00007FF6E0F22A8A, 00007FF6E0F22B7C, 00007FF6E0F22C5F, 00007FF6E0F22D52, 00007FF6E0F22E2A, 00007FF6E0F22F25, 00007FF6E0F23017, 00007FF6E0F23113
", xrefs: 00007FF6E0F246F7
%.3f, xrefs: 00007FF6E0F23A18
Box Type, xrefs: 00007FF6E0F24084
VISUALS OTHERS, xrefs: 00007FF6E0F23FC2, 00007FF6E0F23FFA, 00007FF6E0F24013
MISC SETTINGS, xrefs: 00007FF6E0F242C2, 00007FF6E0F242FA, 00007FF6E0F24313
RICKZ, xrefs: 00007FF6E0F23389
AIMBOT SETTINGS, xrefs: 00007FF6E0F23902, 00007FF6E0F2393A, 00007FF6E0F23953
), xrefs: 00007FF6E0F245FD
$((, xrefs: 00007FF6E0F243BE
Visuals, xrefs: 00007FF6E0F23527
9, xrefs: 00007FF6E0F2473C
AIMBOT, xrefs: 00007FF6E0F23721, 00007FF6E0F23759, 00007FF6E0F23772
;7+, xrefs: 00007FF6E0F24595
MISC, xrefs: 00007FF6E0F24147, 00007FF6E0F2417F, 00007FF6E0F24198

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$mallocmemset
String ID: *#)$ "$"<&$$##Background$$(($%.3f$)$*!(=$180v$4.$8*$9$;7+$AIMBOT$AIMBOT SETTINGS$Aimbot$Box Type$COLOR PICKER$Colors$Enable Visible Check Aimbot$IMGUI$MISC$MISC SETTINGS$Misc$RICKZ$Smooth Aimbot$VISUALS$VISUALS OTHERS$Visuals
API String ID: 2103313550-2615508459
Opcode ID: f758b9b3785119462f334ef5deed0f718ed258b91a0e77849f0bda2ace06ff41
Instruction ID: 8820408340076f384bb40f5dd38cc91f7c57db1f80b9198877b8287d9cd00fcd
Opcode Fuzzy Hash: f758b9b3785119462f334ef5deed0f718ed258b91a0e77849f0bda2ace06ff41
Instruction Fuzzy Hash: 3313477381C7869AD311CF36D4412E9B760FF9A788F248332EA08576A6DF3AE055DB05

Function 00007FF6E0F3E990 Relevance: 42.1, APIs: 22, Strings: 2, Instructions: 130servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00007FF6E0F3E9B1
OpenServiceW.ADVAPI32 ref: 00007FF6E0F3E9D3
GetLastError.KERNEL32 ref: 00007FF6E0F3E9E1
CloseServiceHandle.ADVAPI32 ref: 00007FF6E0F3E9F1
OpenSCManagerW.ADVAPI32 ref: 00007FF6E0F3EA06
OpenServiceW.ADVAPI32 ref: 00007FF6E0F3EA24
CloseServiceHandle.ADVAPI32 ref: 00007FF6E0F3EA35
CloseServiceHandle.ADVAPI32 ref: 00007FF6E0F3EA3E
CloseServiceHandle.ADVAPI32 ref: 00007FF6E0F3EA47
ControlService.ADVAPI32 ref: 00007FF6E0F3EA75
Sleep.KERNEL32 ref: 00007FF6E0F3EA95
QueryServiceStatus.ADVAPI32 ref: 00007FF6E0F3EAA3
CloseServiceHandle.ADVAPI32 ref: 00007FF6E0F3EAB7
CloseServiceHandle.ADVAPI32 ref: 00007FF6E0F3EAC0
DeleteService.ADVAPI32 ref: 00007FF6E0F3EAD4
CloseServiceHandle.ADVAPI32 ref: 00007FF6E0F3EADF
CloseServiceHandle.ADVAPI32 ref: 00007FF6E0F3EAE8
OpenSCManagerW.ADVAPI32 ref: 00007FF6E0F3EB0C
CreateServiceW.ADVAPI32 ref: 00007FF6E0F3EB74
CloseServiceHandle.ADVAPI32 ref: 00007FF6E0F3EB82
CloseServiceHandle.ADVAPI32 ref: 00007FF6E0F3EB8B
Sleep.KERNEL32 ref: 00007FF6E0F3EB9F

Strings

C:\Windows\System32\drivers\scraidy.sys, xrefs: 00007FF6E0F3EB50
scraidy, xrefs: 00007FF6E0F3E9C9, 00007FF6E0F3EA1A, 00007FF6E0F3EB20, 00007FF6E0F3EB2C

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Service$CloseHandle$Open$Manager$Sleep$ControlCreateDeleteErrorLastQueryStatus
String ID: C:\Windows\System32\drivers\scraidy.sys$scraidy
API String ID: 836779559-2569390712
Opcode ID: 67e87ac490010f0dc48a8c410b8b72811f01478db05cd7f1016467fd59c6518a
Instruction ID: f5f44bb50c037f9675e18fcae0674035c7e3031b78c8ab5c1a501e0b2f627536
Opcode Fuzzy Hash: 67e87ac490010f0dc48a8c410b8b72811f01478db05cd7f1016467fd59c6518a
Instruction Fuzzy Hash: D4516236E0C74296EF649B11E8283BA23A1BF59B90F045034ED4E87795DF3EE419970B

Function 00007FF6E0FB0460 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 191libraryloadernetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF6E0FB0488
WSACleanup.WS2_32 ref: 00007FF6E0FB04A3
GetModuleHandleA.KERNEL32 ref: 00007FF6E0FB04F4
GetProcAddress.KERNEL32 ref: 00007FF6E0FB0520
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6E0FB053A
LoadLibraryA.KERNEL32 ref: 00007FF6E0FB055D
GetProcAddress.KERNEL32 ref: 00007FF6E0FB057A
GetSystemDirectoryA.KERNEL32 ref: 00007FF6E0FB05A6
GetSystemDirectoryA.KERNEL32 ref: 00007FF6E0FB05D2
LoadLibraryA.KERNEL32 ref: 00007FF6E0FB0640
GetProcAddress.KERNEL32 ref: 00007FF6E0FB0678
VerSetConditionMask.KERNEL32 ref: 00007FF6E0FB0701
VerSetConditionMask.KERNEL32 ref: 00007FF6E0FB0714
VerSetConditionMask.KERNEL32 ref: 00007FF6E0FB0723
VerSetConditionMask.KERNEL32 ref: 00007FF6E0FB0732
VerSetConditionMask.KERNEL32 ref: 00007FF6E0FB0742
VerifyVersionInfoA.KERNEL32 ref: 00007FF6E0FB0753
QueryPerformanceFrequency.KERNEL32 ref: 00007FF6E0FB076F

Strings

iphlpapi.dll, xrefs: 00007FF6E0FB0526
kernel32, xrefs: 00007FF6E0FB04DB
if_nametoindex, xrefs: 00007FF6E0FB066E
LoadLibraryExA, xrefs: 00007FF6E0FB050E
AddDllDirectory, xrefs: 00007FF6E0FB0570

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: ConditionMask$AddressProc$DirectoryLibraryLoadSystem$CleanupFrequencyHandleInfoModulePerformanceQueryStartupVerifyVersionstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
API String ID: 3585141038-2794540096
Opcode ID: 9fe03f96fb5c90b393b8e648a2696e1ae233d7a6a38280bf208fcc91587fc336
Instruction ID: 2ab73feab50ebca1304c7d4ebcf8fdff0140e682cfac6b891410d33701e16a6f
Opcode Fuzzy Hash: 9fe03f96fb5c90b393b8e648a2696e1ae233d7a6a38280bf208fcc91587fc336
Instruction Fuzzy Hash: 6F918F23A0CB8296EB71DB51E4103B963A1FF88B80F448235DD4E87758EF2EE455DB19

Function 00007FF6E0F2AF10 Relevance: 36.1, APIs: 2, Strings: 17, Instructions: 2897sleepCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F2DBE9
Sleep.KERNEL32 ref: 00007FF6E0F2E0D0

Strings

V89:;<=>, xrefs: 00007FF6E0F2C1AC
x\PT;, xrefs: 00007FF6E0F2DA25
<, xrefs: 00007FF6E0F2D1F6
pPVIO<, xrefs: 00007FF6E0F2BDC5
|VP\^<, xrefs: 00007FF6E0F2B105
9, xrefs: 00007FF6E0F2DA3D
uMZQB<, xrefs: 00007FF6E0F2C845
dPVHOE=, xrefs: 00007FF6E0F2B995
uMUV_SZ>rILSKLTPXnolC, xrefs: 00007FF6E0F2CA69
8, xrefs: 00007FF6E0F2DA39
:, xrefs: 00007FF6E0F2DA41
vJ\I;, xrefs: 00007FF6E0F2D815
qJ\TAE=, xrefs: 00007FF6E0F2BBC5
O, xrefs: 00007FF6E0F2DA35
gPXTOSP>, xrefs: 00007FF6E0F2CE69
tTXIHU^>aYW^ZP=, xrefs: 00007FF6E0F2B2E9, 00007FF6E0F2B639
sukex<, xrefs: 00007FF6E0F2CC03

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Sleep_invalid_parameter_noinfo_noreturn
String ID: 8$9$:$<$O$V89:;<=>$dPVHOE=$gPXTOSP>$pPVIO<$qJ\TAE=$sukex<$tTXIHU^>aYW^ZP=$uMUV_SZ>rILSKLTPXnolC$uMZQB<$vJ\I;$x\PT;$|VP\^<
API String ID: 414566877-1996106257
Opcode ID: 4d8d2722a7731c8839438c84c277350b214630ed910fbe7a4f0d50b7dae5bd50
Instruction ID: 13b31c27c0e5000ac6f2eab418afa5b26d8525b236a9d6192aa4b8a87e70a40c
Opcode Fuzzy Hash: 4d8d2722a7731c8839438c84c277350b214630ed910fbe7a4f0d50b7dae5bd50
Instruction Fuzzy Hash: 15534E27D2D7D24AF7039B39D4012E4B764AFA3394F50D326FD5472A97EF3AA1818209

Function 00007FF6E0F8A3E0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 483COMMON

Download Yara Rule

Strings

object separator, xrefs: 00007FF6E0F8B177
array, xrefs: 00007FF6E0F8B078
value, xrefs: 00007FF6E0F8AEE8
object key, xrefs: 00007FF6E0F8B281
object, xrefs: 00007FF6E0F8B38B

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: array$object$object key$object separator$value
API String ID: 0-2448007618
Opcode ID: 5823d4637f92616fc907c012bad67bb41ba6a48abcff3f7fa8da8e3dab4750ee
Instruction ID: 64c8f80b7984838d3e9f39b35da9c5623492d70a5e187978f70803e35c6ae10f
Opcode Fuzzy Hash: 5823d4637f92616fc907c012bad67bb41ba6a48abcff3f7fa8da8e3dab4750ee
Instruction Fuzzy Hash: A122AD23A1CA82A5FB10DF75D4403EE2761FB81388F901131EE8D97A9ADF7AD194C746

Function 00007FF6E0F8B510 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

object separator, xrefs: 00007FF6E0F8C20D
array, xrefs: 00007FF6E0F8B812
value, xrefs: 00007FF6E0F8C07D
object key, xrefs: 00007FF6E0F8C338
object, xrefs: 00007FF6E0F8C442

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: array$object$object key$object separator$value
API String ID: 0-2448007618
Opcode ID: 7c92bce1dafc44309e648fd3fe4aaeab7fe7c782a6e9327f315aa041c84a1c46
Instruction ID: 4944518c6b82577eaf73d75a6e47e033d538d63cc9249855a52bf5525610561e
Opcode Fuzzy Hash: 7c92bce1dafc44309e648fd3fe4aaeab7fe7c782a6e9327f315aa041c84a1c46
Instruction Fuzzy Hash: 8322AF23A0CB8295FB10DB79D4803EE6B60EB81394F901136EE4D97AAADF3DD095C745

Function 00007FF6E0F333E0 Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF6E0F3342C
GetForegroundWindow.USER32 ref: 00007FF6E0F33450

Strings

@, xrefs: 00007FF6E0F32FB4
T PLUS], xrefs: 00007FF6E0F33212
I, xrefs: 00007FF6E0F31C94
9, xrefs: 00007FF6E0F31C9E
8, xrefs: 00007FF6E0F31C99
##Foreground, xrefs: 00007FF6E0F33090, 00007FF6E0F3324E
:, xrefs: 00007FF6E0F31CA3
0, xrefs: 00007FF6E0F3310B
~\U_;, xrefs: 00007FF6E0F31C83

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: ForegroundMessagePeekWindow
String ID: ##Foreground$0$8$9$:$@$I$T PLUS]$~\U_;
API String ID: 4245416934-4141379543
Opcode ID: a933da07af388c167a161048a47b2f6a3c7a234b850e3e74da31ceb91c1d19bd
Instruction ID: b378a3f6bb447f1a2c2564b7812e818338423612bc9094bd06eb94a6f60b6e92
Opcode Fuzzy Hash: a933da07af388c167a161048a47b2f6a3c7a234b850e3e74da31ceb91c1d19bd
Instruction Fuzzy Hash: 81515D73D0C7869AE720CF25E4457697BA0FB99B44F604235E94C87624DF3EE490DB0A

Function 00007FF6E0F8EAE0 Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 358COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF6E0F8EB2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8ECA5
_popen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F8ECEB
fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F8ED18
fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F8ED62
_pclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F8ED70
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8EDAB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8EDFD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8EE3C

Part of subcall function 00007FF6E0F222B0: __std_exception_copy.VCRUNTIME140 ref: 00007FF6E0F222E9

_CxxThrowException.VCRUNTIME140 ref: 00007FF6E0F8EEAC

Part of subcall function 00007FF6E0F3A420: memmove.VCRUNTIME140(?,00000000,?,00007FF6E0F22793), ref: 00007FF6E0F3A457

Part of subcall function 00007FF6E0F93E00: memmove.VCRUNTIME140 ref: 00007FF6E0F93FBA

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8EF9E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8EFF1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8F06F

Strings

certutil -hashfile ", xrefs: 00007FF6E0F8EBA1
out_of_range, xrefs: 00007FF6E0F8EF0C
>, xrefs: 00007FF6E0F8ECD5

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$fgetsmemmove$ExceptionFileModuleNameThrow__std_exception_copy_pclose_popen
String ID: >$certutil -hashfile "$out_of_range
API String ID: 3288468681-3897552408
Opcode ID: ae311d6acf6e5820f62504ef5730a52cd4cf7bbf61ed38fb7a7b19f93776a18b
Instruction ID: 63fb2a5ed55b4099d862cb6e76041d7a9a9ba5c336145885755824d1156419ee
Opcode Fuzzy Hash: ae311d6acf6e5820f62504ef5730a52cd4cf7bbf61ed38fb7a7b19f93776a18b
Instruction Fuzzy Hash: 6AF1AC63A18B8195FB10CB29E4443ED7761FB897A8F504225EAAC87BE9DF3DD184C305

Function 00007FF6E0F6FA40 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32 ref: 00007FF6E0F6FA59
QueryPerformanceCounter.KERNEL32 ref: 00007FF6E0F6FA6F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6FA9E
LoadLibraryA.KERNEL32 ref: 00007FF6E0F6FB65
GetProcAddress.KERNEL32 ref: 00007FF6E0F6FB9D
GetProcAddress.KERNEL32 ref: 00007FF6E0F6FBB1

Strings

imgui_impl_win32, xrefs: 00007FF6E0F6FACF
xinput9_1_0.dll, xrefs: 00007FF6E0F6FB33
xinput1_4.dll, xrefs: 00007FF6E0F6FB1B
XInputGetCapabilities, xrefs: 00007FF6E0F6FB8F
xinput1_1.dll, xrefs: 00007FF6E0F6FB4B
xinput1_3.dll, xrefs: 00007FF6E0F6FB27
xinput1_2.dll, xrefs: 00007FF6E0F6FB3F
XInputGetState, xrefs: 00007FF6E0F6FBA3

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: AddressPerformanceProcQuery$CounterFrequencyLibraryLoadmalloc
String ID: XInputGetCapabilities$XInputGetState$imgui_impl_win32$xinput1_1.dll$xinput1_2.dll$xinput1_3.dll$xinput1_4.dll$xinput9_1_0.dll
API String ID: 1729990740-3912092517
Opcode ID: 3504972cad6316302ccbdf8e1658faa8b5c8abde5378ace13538d3abd605a44e
Instruction ID: 1355c40a40b3ec720b040db43cb5613ed2cb26b5b1912c6a2d9b76553ae4b03e
Opcode Fuzzy Hash: 3504972cad6316302ccbdf8e1658faa8b5c8abde5378ace13538d3abd605a44e
Instruction Fuzzy Hash: 38414832A19F8296E7108B11F8402A973A4FB88794F945236CA8D83B20EF3DE0B5D705

Function 00007FF6E0FBB980 Relevance: 24.1, APIs: 16, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF6E0FBB9C1
htonl.WS2_32 ref: 00007FF6E0FBB9EE
setsockopt.WS2_32 ref: 00007FF6E0FBBA25
bind.WS2_32 ref: 00007FF6E0FBBA40
getsockname.WS2_32 ref: 00007FF6E0FBBA5C
listen.WS2_32 ref: 00007FF6E0FBBA71
socket.WS2_32 ref: 00007FF6E0FBBA88
connect.WS2_32 ref: 00007FF6E0FBBAA7
accept.WS2_32 ref: 00007FF6E0FBBABE
send.WS2_32 ref: 00007FF6E0FBBB0C
recv.WS2_32 ref: 00007FF6E0FBBB2A
memcmp.VCRUNTIME140 ref: 00007FF6E0FBBB45
closesocket.WS2_32 ref: 00007FF6E0FBBB51

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: socket$acceptbindclosesocketconnectgetsocknamehtonllistenmemcmprecvsendsetsockopt
String ID:
API String ID: 3699910901-0
Opcode ID: 6182b86126bcbac7ec0c1654095f1545cd7ad02fcdf2edb2c867b35b54c51bd3
Instruction ID: 1d64456f022ad8f2b4599c4f999019e5b84c8ce9519f09f37678c962412a2be0
Opcode Fuzzy Hash: 6182b86126bcbac7ec0c1654095f1545cd7ad02fcdf2edb2c867b35b54c51bd3
Instruction Fuzzy Hash: E9519033A0CA4295D7209F25E4942A97361FB84BB4F505330EA7E87BE8DF7ED4498B05

Function 00007FF6E0F674B0 Relevance: 23.7, APIs: 12, Strings: 1, Instructions: 901COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F67733
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F677B2
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F67832
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F678B3
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F67990
acosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F67A10
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F67A25
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F67B41
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F67C6F
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F67DAE
acosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F67DF7
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F67DFC

Strings

gfffffff, xrefs: 00007FF6E0F68335

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: sqrtf$acosf$cosfsinf
String ID: gfffffff
API String ID: 915383915-1523873471
Opcode ID: d7c4a7cd7d24c42470b9602795911318349488b6c4366f69ea06f1890aca6901
Instruction ID: 0155053faa62a1777c83494822cf015ca171256995e85ca8944f5210f806223f
Opcode Fuzzy Hash: d7c4a7cd7d24c42470b9602795911318349488b6c4366f69ea06f1890aca6901
Instruction Fuzzy Hash: 4D928233D24B8C9AD312CF3794821E9B360FF6E388B19D712EA05776A1DB35B1A59740

Function 00007FF6E0F6F440 Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 267COMMON

Download Yara Rule

APIs

D3DCompile.D3DCOMPILER_47 ref: 00007FF6E0F6F4EE
D3DCompile.D3DCOMPILER_47 ref: 00007FF6E0F6F6A9
memset.VCRUNTIME140 ref: 00007FF6E0F6F71B

Strings

POSITION, xrefs: 00007FF6E0F6F579
main, xrefs: 00007FF6E0F6F4B5
ps_4_0, xrefs: 00007FF6E0F6F683
vs_4_0, xrefs: 00007FF6E0F6F4C1
struct PS_INPUT { float4 pos : SV_POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; sampler sampler0; Texture2D texture0; float4 main(PS_INPUT input) : , xrefs: 00007FF6E0F6F677
TEXCOORD, xrefs: 00007FF6E0F6F584
COLOR, xrefs: 00007FF6E0F6F58F
cbuffer vertexBuffer : register(b0) { float4x4 ProjectionMatrix; }; struct VS_INPUT { float2 pos : POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; , xrefs: 00007FF6E0F6F4CD
@, xrefs: 00007FF6E0F6F637

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Compile$memset
String ID: @$COLOR$POSITION$TEXCOORD$cbuffer vertexBuffer : register(b0) { float4x4 ProjectionMatrix; }; struct VS_INPUT { float2 pos : POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; $main$ps_4_0$struct PS_INPUT { float4 pos : SV_POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; sampler sampler0; Texture2D texture0; float4 main(PS_INPUT input) : $vs_4_0
API String ID: 2361541216-1668656389
Opcode ID: 26a6d36b227cddbc7a768a2f2aac4afe95351f8e009027302f408cf80af2eddd
Instruction ID: c7c010a65a696a0a5db1270862c28d0491947a7b7e40c3fee4c78c5541012d51
Opcode Fuzzy Hash: 26a6d36b227cddbc7a768a2f2aac4afe95351f8e009027302f408cf80af2eddd
Instruction Fuzzy Hash: 5FE1CFB3A04B818AE720CF65E8443DD77B4F788B88F508126DA8C57B28DF7AD558CB44

Function 00007FF6E0F7FFC0 Relevance: 20.5, APIs: 1, Strings: 12, Instructions: 962COMMON

Download Yara Rule

Strings

RICKZ, xrefs: 00007FF6E0F7FFD0
M:0.000, xrefs: 00007FF6E0F803BE
##picker, xrefs: 00007FF6E0F80B1A
_COL3F, xrefs: 00007FF6E0F80FF5
M:000, xrefs: 00007FF6E0F80430
#%02X%02X%02X, xrefs: 00007FF6E0F807B2, 00007FF6E0F80D65
##Text, xrefs: 00007FF6E0F807DB
%02X%02X%02X, xrefs: 00007FF6E0F8088A
_COL4F, xrefs: 00007FF6E0F81038
#%02X%02X%02X%02X, xrefs: 00007FF6E0F80752
%02X%02X%02X%02X, xrefs: 00007FF6E0F8086F
picker, xrefs: 00007FF6E0F80951, 00007FF6E0F80AE1

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ##Text$##picker$#%02X%02X%02X$#%02X%02X%02X%02X$%02X%02X%02X$%02X%02X%02X%02X$M:0.000$M:000$RICKZ$_COL3F$_COL4F$picker
API String ID: 0-96551478
Opcode ID: 5de05dd499c3371492aab9e875e8c0bf65f65acb609ca8cf95087698ec6e3029
Instruction ID: 7ca790baeac0bf47710e0e5ded855458cb13ed300a99e477b9172feca3dd7db3
Opcode Fuzzy Hash: 5de05dd499c3371492aab9e875e8c0bf65f65acb609ca8cf95087698ec6e3029
Instruction Fuzzy Hash: 0BA2F133A0CB859AE361CB6694413EAB7A0FF99344F544331EE48976A5DF3AE090DB05

Function 00007FF6E0FBEBE0 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 422stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0FBEE5E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0FBEE66
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF6E0FBEE7C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0FBEE85
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0FBEE8D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0FBEE97

Strings

%02d:%02d:%02d%n, xrefs: 00007FF6E0FBEE09
GMT, xrefs: 00007FF6E0FBED57
%02d:%02d%n, xrefs: 00007FF6E0FBEE3D
%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 00007FF6E0FBEC9E

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _errno$strtol
String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$GMT
API String ID: 3596500743-988243589
Opcode ID: da3a876cd641ff460eacfdd1d8be52e2435304971a0b95ad74f15df0a9d207b0
Instruction ID: 7df690c6b66d3ba186f0154db1a295e61ff2b266ae249372ad5640cb42bc17d2
Opcode Fuzzy Hash: da3a876cd641ff460eacfdd1d8be52e2435304971a0b95ad74f15df0a9d207b0
Instruction Fuzzy Hash: 2DF1D173F0C5129AEB248B6894103FC37A1BB48798F504235DE1AA77DCDE7EA8258F45

Function 00007FF6E0F703A0 Relevance: 16.7, APIs: 11, Instructions: 192keyboardCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00007FF6E0F703D7
QueryPerformanceCounter.KERNEL32 ref: 00007FF6E0F7040F
GetForegroundWindow.USER32 ref: 00007FF6E0F70452
ClientToScreen.USER32 ref: 00007FF6E0F7048A
SetCursorPos.USER32 ref: 00007FF6E0F7049C
GetCursorPos.USER32 ref: 00007FF6E0F704B6
ScreenToClient.USER32 ref: 00007FF6E0F704C8
GetKeyState.USER32 ref: 00007FF6E0F70515
GetKeyState.USER32 ref: 00007FF6E0F70585
GetKeyState.USER32 ref: 00007FF6E0F705F5
GetKeyState.USER32 ref: 00007FF6E0F70665

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: State$Client$CursorScreen$CounterForegroundPerformanceQueryRectWindow
String ID:
API String ID: 1576454153-0
Opcode ID: dda52871fd6fb87ff5b5e5069a1cdc0ff72940256f05f4f488c8842ba64214fe
Instruction ID: 0d6a80afc2dcc6478fbb4cb0a5c2ee0b5ab5b74eba6f67c3e0cdb2f270d4ae6b
Opcode Fuzzy Hash: dda52871fd6fb87ff5b5e5069a1cdc0ff72940256f05f4f488c8842ba64214fe
Instruction Fuzzy Hash: 2891AD73A1C685AAFB21CFB1D4543A967A0FB84748F484231EE4C87695CF7DE4A4CB06

Function 00007FF6E0F5C940 Relevance: 15.8, APIs: 10, Instructions: 821COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5CA5E
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F5CFF9
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F5D029
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5D4C2
memmove.VCRUNTIME140 ref: 00007FF6E0F5D4EA
memmove.VCRUNTIME140 ref: 00007FF6E0F5D505
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5D524
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5D54C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5D584
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5D5A9

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free$mallocmemmovesqrtf
String ID:
API String ID: 2108133213-0
Opcode ID: ad3344c8744b919211e929fbbb42ffd814eaa3c97148a9ed6a8ed132f0f962e2
Instruction ID: 7ef4a8be33cdb143f20c7d0331fe19f375e4f7f9c0438e3e4d1623be19216420
Opcode Fuzzy Hash: ad3344c8744b919211e929fbbb42ffd814eaa3c97148a9ed6a8ed132f0f962e2
Instruction Fuzzy Hash: 02627C13E2CBE845D3178B3650423BAB691AF6E784F19C722ED45A77A1EF3DE8518700

Function 00007FF6E0F82DF0 Relevance: 15.3, Strings: 12, Instructions: 302COMMON

Download Yara Rule

Strings

0..255, xrefs: 00007FF6E0F82EF6
context, xrefs: 00007FF6E0F82E24
Copy, xrefs: 00007FF6E0F82F8A, 00007FF6E0F82F96
0.00..1.00, xrefs: 00007FF6E0F82F16
Hex, xrefs: 00007FF6E0F82EA3
HSV, xrefs: 00007FF6E0F82E81
Copy as.., xrefs: 00007FF6E0F82F70
#%02X%02X%02X, xrefs: 00007FF6E0F83151
(%.3ff, %.3ff, %.3ff, %.3ff), xrefs: 00007FF6E0F83075
(%d,%d,%d,%d), xrefs: 00007FF6E0F830F1
#%02X%02X%02X%02X, xrefs: 00007FF6E0F831B2
RGB, xrefs: 00007FF6E0F82E5F

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #%02X%02X%02X$#%02X%02X%02X%02X$(%.3ff, %.3ff, %.3ff, %.3ff)$(%d,%d,%d,%d)$0..255$0.00..1.00$Copy$Copy as..$HSV$Hex$RGB$context
API String ID: 0-542206533
Opcode ID: cd63a392858a21845b84cdda0b71fc737ec17b73385720aca3ec2fad249f5b06
Instruction ID: 38cd709d575bc1dcff9b5a4e3a4ff8045e2de7a0dcc45619876302c0e846f888
Opcode Fuzzy Hash: cd63a392858a21845b84cdda0b71fc737ec17b73385720aca3ec2fad249f5b06
Instruction Fuzzy Hash: 35E1ED33A1CA81A5E761CB26D4813E923A0FF95748F584332EE0D973A5DF3AE455C31A

Function 00007FF6E0F58790 Relevance: 15.0, APIs: 10, Instructions: 50clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF6E0F5879B
MultiByteToWideChar.KERNEL32 ref: 00007FF6E0F587CC
GlobalAlloc.KERNEL32 ref: 00007FF6E0F587E0
GlobalLock.KERNEL32 ref: 00007FF6E0F587F1
MultiByteToWideChar.KERNEL32 ref: 00007FF6E0F58810
GlobalUnlock.KERNEL32 ref: 00007FF6E0F58819
EmptyClipboard.USER32 ref: 00007FF6E0F5881F
SetClipboardData.USER32 ref: 00007FF6E0F5882D
GlobalFree.KERNEL32 ref: 00007FF6E0F5883B
CloseClipboard.USER32 ref: 00007FF6E0F58841

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardGlobal$ByteCharMultiWide$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 1965520120-0
Opcode ID: 8dcec3aa36e4b0d12ce11dd68cd7adead0af348f09e3f84eb87400f6946112d8
Instruction ID: 5b757b844e8f3d59062e7c4c1c8d94d4bf56f7c2bd3dff917933f70667eb29b4
Opcode Fuzzy Hash: 8dcec3aa36e4b0d12ce11dd68cd7adead0af348f09e3f84eb87400f6946112d8
Instruction Fuzzy Hash: 5F116076B09B4286E7349B25B818329A6A1FF88FC1F048139DE4E8B7A4DF3DE4049705

Function 00007FF6E0F58630 Relevance: 13.6, APIs: 9, Instructions: 96clipboardCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F58669
OpenClipboard.USER32 ref: 00007FF6E0F58675
GetClipboardData.USER32 ref: 00007FF6E0F5869A
CloseClipboard.USER32 ref: 00007FF6E0F586A8
GlobalLock.KERNEL32 ref: 00007FF6E0F586BD
WideCharToMultiByte.KERNEL32 ref: 00007FF6E0F586F8
WideCharToMultiByte.KERNEL32 ref: 00007FF6E0F58756
GlobalUnlock.KERNEL32 ref: 00007FF6E0F58764
CloseClipboard.USER32 ref: 00007FF6E0F5876A

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Clipboard$ByteCharCloseGlobalMultiWide$DataLockOpenUnlockfree
String ID:
API String ID: 2227228011-0
Opcode ID: d5ed05b84332b394d1ba01f8d66e4e595134f311a80da6a4715195109b4e04f9
Instruction ID: d0ab405bbd7ba69de917045c8c10a6def5122934e69bef1b829471b575fd405c
Opcode Fuzzy Hash: d5ed05b84332b394d1ba01f8d66e4e595134f311a80da6a4715195109b4e04f9
Instruction Fuzzy Hash: D231C537A0DB4286EB248F26F84062A77A0FB88B84F544134DE5E87754DF3DE851D709

Function 00007FF6E0F93E00 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 399COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F93FBA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F94104
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F94152

Strings

invalid string: ill-formed UTF-8 byte, xrefs: 00007FF6E0F94378

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID: invalid string: ill-formed UTF-8 byte
API String ID: 15630516-1928180049
Opcode ID: 1238730d5981ef49c25456a0efdca86b87de8057daba67ecded4faedbe971f85
Instruction ID: 832dbe7b1c4f12b84e00a6077b5e9c93b78bf2ad28202a6661720122d4ca6a1c
Opcode Fuzzy Hash: 1238730d5981ef49c25456a0efdca86b87de8057daba67ecded4faedbe971f85
Instruction Fuzzy Hash: 57F1DD23B08B8199EB14CFA9E0407ED2761EB64798F804631DE6C47BD9DF39E0A9D345

Function 00007FF6E0F3E8F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00007FF6E0F3E900
OpenServiceW.ADVAPI32 ref: 00007FF6E0F3E929
CloseServiceHandle.ADVAPI32 ref: 00007FF6E0F3E93A

Strings

scraidy, xrefs: 00007FF6E0F3E91F

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: OpenService$CloseHandleManager
String ID: scraidy
API String ID: 4136619037-2706037857
Opcode ID: ae1e65bc028e034a0441abfa53bd44021dffb63b73db2ca85fe6db69d5624be0
Instruction ID: 7d492ef0eb68d3bf74c700f11408b334de1f725d606cca595e0e1e446e15006c
Opcode Fuzzy Hash: ae1e65bc028e034a0441abfa53bd44021dffb63b73db2ca85fe6db69d5624be0
Instruction Fuzzy Hash: C601B526F1C74182EB588726B56433E1391AF8CBD0F442030ED4F87B58DE2DD4869B06

Function 00007FF6E0F60210 Relevance: 12.3, APIs: 8, Instructions: 254COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F60303
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F6032D
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F6035C
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F6038B
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F60588
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F605B6
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F605E5
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F60610

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: 8c493e4403442ffed635f4857a7ece52d612cb5348b7f3e4fec6bcb96094a203
Instruction ID: 709b5f6cdea396759bf24f3a3cead28b46eeb81e128942c0ca129f2d64ab396a
Opcode Fuzzy Hash: 8c493e4403442ffed635f4857a7ece52d612cb5348b7f3e4fec6bcb96094a203
Instruction Fuzzy Hash: 85B17222E38BCC81E223963750821FAE250AFBF385F2DDB23FD84756B29F5561D16644

Function 00007FF6E0F81130 Relevance: 10.3, APIs: 2, Strings: 4, Instructions: 1329COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F81335

Strings

##Foreground, xrefs: 00007FF6E0F81A86, 00007FF6E0F81B39, 00007FF6E0F81FD8, 00007FF6E0F82048, 00007FF6E0F820A4, 00007FF6E0F82100, 00007FF6E0F8215A, 00007FF6E0F821BB, 00007FF6E0F82212, 00007FF6E0F8233A, 00007FF6E0F82455, 00007FF6E0F824F6, 00007FF6E0F825C9, 00007FF6E0F8274B, 00007FF6E0F827C1, 00007FF6E0F828D6
c, xrefs: 00007FF6E0F8290E
alpha, xrefs: 00007FF6E0F816E6
hue, xrefs: 00007FF6E0F81623

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove
String ID: ##Foreground$alpha$c$hue
API String ID: 2162964266-3504404221
Opcode ID: 88b1f16ddf69180a5fae73c6e3ca0a4fd86e58606e798136816bf14e45f3ccc3
Instruction ID: 12547a8af9fdfba79d23ec45b2891ce567018053cdab3141a02399fb2734303f
Opcode Fuzzy Hash: 88b1f16ddf69180a5fae73c6e3ca0a4fd86e58606e798136816bf14e45f3ccc3
Instruction Fuzzy Hash: ABE2E633E18B899AE711CB3394412F9B360FF59788F149731EE08A76A5DF39B0919B44

Function 00007FF6E0FBC300 Relevance: 10.1, Strings: 8, Instructions: 72COMMON

Download Yara Rule

Strings

%4I64dG, xrefs: 00007FF6E0FBC3F4
%4I64dP, xrefs: 00007FF6E0FBC41D
%5I64d, xrefs: 00007FF6E0FBC315
%2I64d.%0I64dG, xrefs: 00007FF6E0FBC3BA
%4I64dk, xrefs: 00007FF6E0FBC32E
%2I64d.%0I64dM, xrefs: 00007FF6E0FBC349
%4I64dM, xrefs: 00007FF6E0FBC39C
%4I64dT, xrefs: 00007FF6E0FBC410

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
API String ID: 0-2102732564
Opcode ID: a094cdb544779c342772e4dd935e1fffcb54706bc2f73dc86c9d2dd44f28de0c
Instruction ID: 04e800805dc47f0bc75e350e281e11751e132d9eef0e467e41a8c8e30ae01021
Opcode Fuzzy Hash: a094cdb544779c342772e4dd935e1fffcb54706bc2f73dc86c9d2dd44f28de0c
Instruction Fuzzy Hash: 08210652E1D94AA3FF24CB85A4117F502A08B84780EC45432EC0F87796CF6E6161DACA

Function 00007FF6E0F6B6E0 Relevance: 8.3, APIs: 5, Instructions: 758COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00007FF6E0F6B8C0
powf.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00007FF6E0F6B916
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F6BD8D
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F6BDD9
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F6BE30

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: powfsqrtf$cosf
String ID:
API String ID: 3592889626-0
Opcode ID: 48885942967e0b279b5b2858fca1dffffacc1ca7c8b7f3b83b257308674a8418
Instruction ID: cec83ae715281ba2e9f500f5d09ceb5404daf031aa289c36e8c1bfff8f5fa513
Opcode Fuzzy Hash: 48885942967e0b279b5b2858fca1dffffacc1ca7c8b7f3b83b257308674a8418
Instruction Fuzzy Hash: 78623933A286D99AD3168F3694413F97750FF19348F148336EE0AA77A1DF3AB5A18740

Function 00007FF6E0F9C750 Relevance: 8.2, Strings: 6, Instructions: 693COMMON

Download Yara Rule

Strings

(nil), xrefs: 00007FF6E0F9CFB6
.%ld, xrefs: 00007FF6E0F9CAB9
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00007FF6E0F9CC6B, 00007FF6E0F9CCD6
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00007FF6E0F9C793, 00007FF6E0F9CC64, 00007FF6E0F9CCCB
(nil), xrefs: 00007FF6E0F9CF34
%ld, xrefs: 00007FF6E0F9CA60

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %ld$(nil)$(nil)$.%ld$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-1379995092
Opcode ID: 6f99e3ed039b95584fece0472ffe47e6e3baa46303abbd2177f2813650d2659f
Instruction ID: ca3756ac1395e9a3454440c0b0e8ffdfaa14eb29fb916235d0040ff2dc4ff212
Opcode Fuzzy Hash: 6f99e3ed039b95584fece0472ffe47e6e3baa46303abbd2177f2813650d2659f
Instruction Fuzzy Hash: E5424433A0CA8255E7658E5894043F96B91FF80794FD04331DEAE877D4DE3EE826864A

Function 00007FF6E0F5F470 Relevance: 7.9, APIs: 6, Instructions: 360COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5F4F5
memset.VCRUNTIME140 ref: 00007FF6E0F5F611
memset.VCRUNTIME140 ref: 00007FF6E0F5F628

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memset$malloc
String ID:
API String ID: 1671641884-0
Opcode ID: c4649c7f4dd7e1bd476a87d462cba10d5a916030b90391c0dd288e8f405a551a
Instruction ID: f741be8096f063b5b6274055dfdfc1001001eddc179f5cd3516aba27b202811b
Opcode Fuzzy Hash: c4649c7f4dd7e1bd476a87d462cba10d5a916030b90391c0dd288e8f405a551a
Instruction Fuzzy Hash: 5702E337908BC597D7268B3690413A9B3A4FF58784F18C722DF48A3760EF39E595CA01

Function 00007FF6E104FA78 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6E104FAD9
IsDebuggerPresent.KERNEL32 ref: 00007FF6E104FAF1
OutputDebugStringW.KERNEL32 ref: 00007FF6E104FB02

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF6E104FAFB

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: d20e6daf092be968f3290abcdfcd1f3ada1b4515a8e1611c7531e4ee28b39881
Instruction ID: 400ab8a8ad04b108849fadbd3b69d19e8f0826052677a73a4169d0a01ef3b21f
Opcode Fuzzy Hash: d20e6daf092be968f3290abcdfcd1f3ada1b4515a8e1611c7531e4ee28b39881
Instruction Fuzzy Hash: 8B116A33A08B82A6E7549B26E6543B933A0FF04342F408135CA4DC2A90EF3EE474C75A

Function 00007FF6E0F21390 Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

valorant plus, xrefs: 00007FF6E0F218FA
90be9dbc1ba562a40117eee5bf792fb31f59a2d93725589bd976276122481d66, xrefs: 00007FF6E0F21694
1.7, xrefs: 00007FF6E0F21585
https://keyauth.win/api/1.2/, xrefs: 00007FF6E0F213B3
9WIvTVJa9m, xrefs: 00007FF6E0F218DC

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 1.7$90be9dbc1ba562a40117eee5bf792fb31f59a2d93725589bd976276122481d66$9WIvTVJa9m$https://keyauth.win/api/1.2/$valorant plus
API String ID: 0-1485598925
Opcode ID: 2abe8cecc858a6674c5f262c9961c6aa839e41412205da8437f6505367a200fd
Instruction ID: 536d5ded914c0c49080b782d8a491deb117a83e4c0981a5abe4c34ceaf87f791
Opcode Fuzzy Hash: 2abe8cecc858a6674c5f262c9961c6aa839e41412205da8437f6505367a200fd
Instruction Fuzzy Hash: C9123B63E2E7C25AF703973594022E8A754AF63784F51D336ED5871963EF2E7282820D

Function 00007FF6E0F50360 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 356COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F50861
memset.VCRUNTIME140 ref: 00007FF6E0F50887

Strings

Processed, xrefs: 00007FF6E0F5079C
Remaining, xrefs: 00007FF6E0F507B3

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmovememset
String ID: Processed$Remaining
API String ID: 1288253900-3602939160
Opcode ID: 735409ce1e2724ff5a158aacc97896fd99b671b84d9842b6c112a3e06f57ce67
Instruction ID: 04227224164cde8f02c5732d4c95a90c7eb75a34231386258d95610ebec4ec37
Opcode Fuzzy Hash: 735409ce1e2724ff5a158aacc97896fd99b671b84d9842b6c112a3e06f57ce67
Instruction Fuzzy Hash: 60F12277A0C2C196EB21CE2991503FA7BA1FB55744F188235CF499B384DF3AE8648B15

Function 00007FF6E104F8F0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6E104F91C
GetCurrentThreadId.KERNEL32 ref: 00007FF6E104F92A
GetCurrentProcessId.KERNEL32 ref: 00007FF6E104F936
QueryPerformanceCounter.KERNEL32 ref: 00007FF6E104F946

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: fffa4231dc8814ce12171949a46b45311e9b0181c8fe4d49e46644eb9cdb0393
Instruction ID: 09f6043897c5bcef12891365db6cdaeacbba4e203dc4d3f21e4fbad782422f11
Opcode Fuzzy Hash: fffa4231dc8814ce12171949a46b45311e9b0181c8fe4d49e46644eb9cdb0393
Instruction Fuzzy Hash: BF112A36B14F018AEB00CF60E8543B833A4FB59798F440E31EA6D86BA4DF79D1A4C341

Function 00007FF6E0F4AF50 Relevance: 5.8, APIs: 3, Instructions: 2091COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F4B7E1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F4B7FC
memmove.VCRUNTIME140 ref: 00007FF6E0F4B818

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemmove
String ID:
API String ID: 2537350866-0
Opcode ID: fea57a67dc6805ae9f60562eaecb5846adcd23f41826885d4dcb6397f7f36a1a
Instruction ID: 8fccb8f718a3fd43e73134f5aba17d699f5a1ccdeb688150b0eabd03a095ed81
Opcode Fuzzy Hash: fea57a67dc6805ae9f60562eaecb5846adcd23f41826885d4dcb6397f7f36a1a
Instruction Fuzzy Hash: 8C33E633A08785AAE759CB3682403F9B7A0FF59344F089725DF58A36A1DF39B4B18705

Function 00007FF6E0F78810 Relevance: 4.5, Strings: 3, Instructions: 706COMMON

Download Yara Rule

Strings

RICKZ, xrefs: 00007FF6E0F78827
%.3f, xrefs: 00007FF6E0F7903B
d, xrefs: 00007FF6E0F791FD

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Xlength_error@std@@
String ID: %.3f$RICKZ$d
API String ID: 1004598685-3949712113
Opcode ID: e73b60039662295c2d92127ddddb494b32932f21a7fc1731b674f7423d02d303
Instruction ID: 18f3404a24d21e56c5fc27b734b2bee719946f9fe58f80ba0c95871efb314cb4
Opcode Fuzzy Hash: e73b60039662295c2d92127ddddb494b32932f21a7fc1731b674f7423d02d303
Instruction Fuzzy Hash: 1882BE33918B899AE312CB3794812B977A0FF99744F189731DE0C636A1DF39A095DB06

Function 00007FF6E0F6EA10 Relevance: 4.3, APIs: 3, Instructions: 594COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F6EBFB
memmove.VCRUNTIME140 ref: 00007FF6E0F6EC0E
memset.VCRUNTIME140 ref: 00007FF6E0F6EDAF

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$memset
String ID:
API String ID: 3790616698-0
Opcode ID: 5c418a967b7f897dcd153b0aecd35bdb02cea3fd2a6bc0264aba69cb485f3000
Instruction ID: 096ad9a2b24bcc268063079d1e1f54c6efb1b17072090665d706f3b78d48e777
Opcode Fuzzy Hash: 5c418a967b7f897dcd153b0aecd35bdb02cea3fd2a6bc0264aba69cb485f3000
Instruction Fuzzy Hash: 16525777614B858ADB20CF26D9846ED77A1FB88B88F058222DF5D57B28CF39D558CB00

Function 00007FF6E0F738D0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 601COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF6E0F73A70

Strings

d, xrefs: 00007FF6E0F741EE

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Cursor
String ID: d
API String ID: 3268636600-2564639436
Opcode ID: 019cf52cc8e7496ef486d9cc70fbc853bd32a2408b78d9227eb0e0ccd8fe9883
Instruction ID: 282e1b11e0de02718da5f17afd543d7d3dd33968a5215ee84033aa144f85cca0
Opcode Fuzzy Hash: 019cf52cc8e7496ef486d9cc70fbc853bd32a2408b78d9227eb0e0ccd8fe9883
Instruction Fuzzy Hash: 3062E13391CB859AE312CB36D4812A97760FF99784F188331EE5C636A5DF3AE094DB05

Function 00007FF6E0F252E0 Relevance: 4.1, Strings: 3, Instructions: 317COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FF6E0F25326
VUUU, xrefs: 00007FF6E0F25346
##Foreground, xrefs: 00007FF6E0F2534B, 00007FF6E0F25432, 00007FF6E0F254C9, 00007FF6E0F25569, 00007FF6E0F255F6, 00007FF6E0F25699, 00007FF6E0F25727, 00007FF6E0F257B4

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: mallocmemset
String ID: ##Foreground$VUUU$VUUU
API String ID: 2882185209-179498016
Opcode ID: d2a733f738cd936a44e1c05fe6522841c55cef3c58dd0419f350e48f7d3ec183
Instruction ID: 49f53104ae7b9d276ac3e73f69fa4f2608c43e752c49044952cc61d0be297da6
Opcode Fuzzy Hash: d2a733f738cd936a44e1c05fe6522841c55cef3c58dd0419f350e48f7d3ec183
Instruction Fuzzy Hash: 51E18333F14B8899E301CB3AD4426E97361FB9AB88B545332EE0CA3765DF39A151E744

Function 00007FF6E0F29940 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E0F44740: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,?,00000000,00007FF6E0F58B7E), ref: 00007FF6E0F44780
Part of subcall function 00007FF6E0F44740: memset.VCRUNTIME140(?,?,00000000,?,00000000,00007FF6E0F58B7E), ref: 00007FF6E0F447DC

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F29EEB

Strings

##Background, xrefs: 00007FF6E0F29A4D, 00007FF6E0F29B0F, 00007FF6E0F29BA9, 00007FF6E0F29C3E, 00007FF6E0F29CC2, 00007FF6E0F29D36, 00007FF6E0F29DA4

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmallocmemset
String ID: ##Background
API String ID: 3803164509-465303879
Opcode ID: 8536633b7119915d2edc8d6eda108762c789fb982fd37ab339ffd04b75241944
Instruction ID: 339af47bb4005c6c682eff2b087ce1c689411548e0c23852a8b360054ba8a054
Opcode Fuzzy Hash: 8536633b7119915d2edc8d6eda108762c789fb982fd37ab339ffd04b75241944
Instruction Fuzzy Hash: 2CF1C033A18A8595E311CB36D4403E973A0FF9AB88F548332EE0CA7765DF39E5919744

Function 00007FF6E0F29F00 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E0F44740: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,?,00000000,00007FF6E0F58B7E), ref: 00007FF6E0F44780
Part of subcall function 00007FF6E0F44740: memset.VCRUNTIME140(?,?,00000000,?,00000000,00007FF6E0F58B7E), ref: 00007FF6E0F447DC

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F2A4AB

Strings

##Background, xrefs: 00007FF6E0F2A00D, 00007FF6E0F2A0CF, 00007FF6E0F2A169, 00007FF6E0F2A1FE, 00007FF6E0F2A282, 00007FF6E0F2A2F6, 00007FF6E0F2A364

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmallocmemset
String ID: ##Background
API String ID: 3803164509-465303879
Opcode ID: c4cb6dbbb575443f7632560458786369f6e2e9b2adea50aee31c3dae094ea94c
Instruction ID: a1a48c4b643ef2b35fbf2e878c27cf801cd2462b379318806b366a149a027b15
Opcode Fuzzy Hash: c4cb6dbbb575443f7632560458786369f6e2e9b2adea50aee31c3dae094ea94c
Instruction Fuzzy Hash: 36F1C133A18A8595E311CB36D4403E973A0FF9AB88F548332EE0CA7765DF3AE4919744

Function 00007FF6E0F62E60 Relevance: 3.4, APIs: 2, Instructions: 887COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6301A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F63039

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 9d77b15b28e4da4d51151dd03b45274d18182ca299354d3111731ef926ea4dc6
Instruction ID: 0391802bfe331960d8559fce87791a769c16530cbb3bd45d3de138ccf2058845
Opcode Fuzzy Hash: 9d77b15b28e4da4d51151dd03b45274d18182ca299354d3111731ef926ea4dc6
Instruction Fuzzy Hash: 38A26C33928B8896C712CF3794811ACB764FFADB84B19DB16DE0863365DB35E4A4DB40

Function 00007FF6E0F72E50 Relevance: 3.1, Strings: 2, Instructions: 576COMMON

Download Yara Rule

Strings

RICKZ, xrefs: 00007FF6E0F72E6A
P, xrefs: 00007FF6E0F736A9

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc
String ID: P$RICKZ
API String ID: 3061335427-1822746440
Opcode ID: f9f7ca35fb14ccb3f56f89dedee7cb2b19f6a2afdc8d89550bb47db6d74dcac3
Instruction ID: bb0815f374099cdc678f0ab551ddfc1d558f522bf74fed7c4e7e65d5e9d789ce
Opcode Fuzzy Hash: f9f7ca35fb14ccb3f56f89dedee7cb2b19f6a2afdc8d89550bb47db6d74dcac3
Instruction Fuzzy Hash: 2762D13391CB859AE311CB36D4412A9B760FF99744F188322EE4C636A5DF3AF094DB05

Function 00007FF6E0F5FCB0 Relevance: 2.7, APIs: 2, Instructions: 215COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5FDB2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5FFFF

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: e5732b2a02167b6cc88cc3f41ae0b859de86bad15b6347bd0c99810d2589892d
Instruction ID: 79ac0b0f78bf38c1d359c1220b2d9fc2b790580ae37d9c126f73283f7a29d75b
Opcode Fuzzy Hash: e5732b2a02167b6cc88cc3f41ae0b859de86bad15b6347bd0c99810d2589892d
Instruction Fuzzy Hash: 0D910133A2868596DB12CB3A94007F9B7A0FF9A785F04C331DE49A3756EF39E4558704

Function 00007FF6E0F769B0 Relevance: 1.9, Strings: 1, Instructions: 675COMMON

Download Yara Rule

Strings

RICKZ, xrefs: 00007FF6E0F769CA

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemmove
String ID: RICKZ
API String ID: 2537350866-2281857468
Opcode ID: 93571875ff336e1378f85e27f1f9e38c0f49635ba8184db4a7591fd394028538
Instruction ID: 8ab328220ac568fec0072fcd78540c10907f87d6dc8a0023f6f1749b7bfb2601
Opcode Fuzzy Hash: 93571875ff336e1378f85e27f1f9e38c0f49635ba8184db4a7591fd394028538
Instruction Fuzzy Hash: 36820573D1CB859AE302CB36D4412A9B760FF99748F188725EE4C636A1DF39E094DB05

Function 00007FF6E0F49430 Relevance: 1.9, Strings: 1, Instructions: 616COMMON

Download Yara Rule

Strings

#RESIZE, xrefs: 00007FF6E0F4957A

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #RESIZE
API String ID: 0-1383961720
Opcode ID: 8df723408b928e6247639cd3cc21f1eb38827f8e9bcf509939f9f5ec70a9e906
Instruction ID: 3f5411a5bfe1e6937f48644c62ac1e5ef2c1eb6b165d37d56365983eaee52990
Opcode Fuzzy Hash: 8df723408b928e6247639cd3cc21f1eb38827f8e9bcf509939f9f5ec70a9e906
Instruction Fuzzy Hash: 3462E933E1C689A6E322CB3791412B97360FF5E384F188721EE88637A1DF39B5559B05

Function 00007FF6E0F6ABF0 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX - XX XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X -X..X X..X--- -XXX.X, xrefs: 00007FF6E0F6AC24

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: - -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX - XX XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X -X..X X..X--- -XXX.X
API String ID: 0-1177099622
Opcode ID: 5790968400fa42a01706774ecd21c36d927aa3cf4ad9447513d04e950ae86dd0
Instruction ID: ef51559c318a6506ded7783554081329a33b853198edc154e8b3c00a34644617
Opcode Fuzzy Hash: 5790968400fa42a01706774ecd21c36d927aa3cf4ad9447513d04e950ae86dd0
Instruction Fuzzy Hash: 61C163F3A182997BEF0DCF3945A216DBFAAE791E40B49857FC24783751D660C4B08B05

Function 00007FF6E0F61060 Relevance: 1.4, APIs: 1, Instructions: 192COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6E0F610BA

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: b21917c61df192cebd13a49903dc96d80a51bddde65e79ab3a7b6bfb152286ce
Instruction ID: 6bb77d57d6716d115259e9cc5ea0cdacb8a7f0389f51abd84739a92ae14c5513
Opcode Fuzzy Hash: b21917c61df192cebd13a49903dc96d80a51bddde65e79ab3a7b6bfb152286ce
Instruction Fuzzy Hash: 72612AA3A2C2E252D3554B3C65513BEAED0F79A344F1C9234EE8AC3B45CD3ED5248689

Function 00007FF6E0F60DD0 Relevance: 1.4, APIs: 1, Instructions: 188COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6E0F60E2A

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: faf4a162c8b5c5f12d3a868e7c27431c7148435f80e62847b61a09eafc72ab83
Instruction ID: 96d600a85927e5e6848518b64eb90493591c9901e431461a92021a3d00a0ba8f
Opcode Fuzzy Hash: faf4a162c8b5c5f12d3a868e7c27431c7148435f80e62847b61a09eafc72ab83
Instruction Fuzzy Hash: 0C61F273B2C6E1D6C3218B28F415ABAAEA4E759308F198275DA8CC3B49CE2FD411C745

Function 00007FF6E0F21B20 Relevance: 1.3, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6E0F21C03

Part of subcall function 00007FF6E104E940: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF6E0F21BE3), ref: 00007FF6E104E950

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: AcquireExclusiveHeapLockProcess
String ID:
API String ID: 3110430671-0
Opcode ID: f6b92d81b8d856eee529be7f5847735c364462ee0e80fa13c48f504c7076e764
Instruction ID: 49160d2cee8a70e9cac8fa85938a60cda7befcaf795788e393a4ea1033800ce6
Opcode Fuzzy Hash: f6b92d81b8d856eee529be7f5847735c364462ee0e80fa13c48f504c7076e764
Instruction Fuzzy Hash: A031AA67E0EA4395E760DB14F8823B032A5AF58320F614135C96CC32A1EF3EA595E30F

Function 00007FF6E0F726C0 Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2adf35384462c8fd218d8c02c8b791b234af45adcbd9e9bcbd549e4699825c7c
Instruction ID: 8dc25e73a81e9203d100ebea7a760f51405ec311a24b7f76408c727cf7fda5b0
Opcode Fuzzy Hash: 2adf35384462c8fd218d8c02c8b791b234af45adcbd9e9bcbd549e4699825c7c
Instruction Fuzzy Hash: 03222B23D1C28665FBE28A3640403F966A1EFA5744F1C4535CE4CA73D5DFBFA961820B

Function 00007FF6E0FB1280 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57f4573ed358c013fb59e61f181f10906edc1893a34b9b18ef3225c2fbe308c
Instruction ID: f3854226851a181bc779e7dc9b01b57053946427e751ea63956607f4685f1f45
Opcode Fuzzy Hash: e57f4573ed358c013fb59e61f181f10906edc1893a34b9b18ef3225c2fbe308c
Instruction Fuzzy Hash: 66027EB2A181A04BD36DCB2EA469639BFE1F389741B04912EE7A7C3781D93CC955DF10

Function 00007FF6E0F612F0 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d6f37076774b9be301aaff99032594faac3cb7e596c53ed7869a12adef87e5
Instruction ID: 0dc3e353b6adae480015bb0b36f65ad215850a225362ab2b732dc3e48cec3a1f
Opcode Fuzzy Hash: e9d6f37076774b9be301aaff99032594faac3cb7e596c53ed7869a12adef87e5
Instruction Fuzzy Hash: F512E733A186C48AD365CB35E0417A9B7A0FB9D784F188326EF89A3755DF39E491CB40

Function 00007FF6E0F6FD50 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919eac1ae9629a85af0f94cc597958aec25c15705187f261bc76cdc44d5ca21e
Instruction ID: 4b4f1444c96f01dcc83888e200482acba22109cc47c0d64308aec6215fcaee80
Opcode Fuzzy Hash: 919eac1ae9629a85af0f94cc597958aec25c15705187f261bc76cdc44d5ca21e
Instruction Fuzzy Hash: 7F022913E3C6BAA5F7128A7154013F96251CF6A344F1C8332EC5977BE6DF2E74A28246

Function 00007FF6E0F77DC0 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850d8a2714e4f7c5381dfb9918324260ba908304152368461642cf3e1a3882b6
Instruction ID: 45bbf16cdc25a74b0327cf286a6b3621ffd402e2cb0cc3e9659cd07d9f3d2f21
Opcode Fuzzy Hash: 850d8a2714e4f7c5381dfb9918324260ba908304152368461642cf3e1a3882b6
Instruction Fuzzy Hash: 6A12023392C686A5E7618B2184407F963A4FF55784F188331EE4CA77D1CF3AA866C70B

Function 00007FF6E0F4EE60 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae3a0b67a58569eae7613f8d22619e939305ed05a7f0938026b516762418707
Instruction ID: defd2f5c22dd451aee77133ce38efdcb76308781b89591a77a3f33ab21888fb0
Opcode Fuzzy Hash: dae3a0b67a58569eae7613f8d22619e939305ed05a7f0938026b516762418707
Instruction Fuzzy Hash: B612033380D7C1A9D313CF3684412ED7F94DBA6B49F1D8275CE092B3AACE2962559F21

Function 00007FF6E0F5EE30 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2133f80909ee812045689b3ce05e41ab045961dfdb411013b2739842601b1786
Instruction ID: 358f41bd8014e5d530a36107906119dfa23f39829d65b95f4c199a50458e4479
Opcode Fuzzy Hash: 2133f80909ee812045689b3ce05e41ab045961dfdb411013b2739842601b1786
Instruction Fuzzy Hash: C4F13A27D1CB8C96E212963340421F9B250AFBF3C4F1DEB22FD44B66B2DF2A65A59504

Function 00007FF6E0F854D0 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee1575ee32294e942e9ea2b9657064e6d3cde114df6b5d105b25692ee589802
Instruction ID: 96d22a460a97f0808c1e07d10d77708b514e8f6d8249d16f4391d7d6a31dccb8
Opcode Fuzzy Hash: cee1575ee32294e942e9ea2b9657064e6d3cde114df6b5d105b25692ee589802
Instruction Fuzzy Hash: D7F1F623C0C7CE96E213963740422F972409F7EB86F1DDB33ED48762A2DF2A71A19519

Function 00007FF6E0F749F0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746c87778465b71bfd90c066c19435873cf673364028122541cacdf7bbb52aac
Instruction ID: f3c429e673d152ed1d7c0e29b131c5eb38d92f7ce0c8a8062be5b49efc34fdac
Opcode Fuzzy Hash: 746c87778465b71bfd90c066c19435873cf673364028122541cacdf7bbb52aac
Instruction Fuzzy Hash: 25D1E933D28B8D99E713CA3754422F97361EF6E384F1C8B22ED48376A5DF2570A19A05

Function 00007FF6E0F52E80 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3902ebb8f6d8b37aa96321588c393c18f35031687928e071c09f058a5c958264
Instruction ID: f12fbd6d017985656747f8c513138b21c455f762f2512d330e16e5c39e94b68d
Opcode Fuzzy Hash: 3902ebb8f6d8b37aa96321588c393c18f35031687928e071c09f058a5c958264
Instruction Fuzzy Hash: 4EC1F727D0CA8E91F262523B50422F862909F7E385F1DD732FD58B36A1DF1A3995520A

Function 00007FF6E0F55F00 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56957c218098bf9537d577425b7b6e026f202162c38c68572c616946e82525c2
Instruction ID: d0b3ec49a355d7272726cd18449d23951c966ac1922426cdf3d4581cf0719aa9
Opcode Fuzzy Hash: 56957c218098bf9537d577425b7b6e026f202162c38c68572c616946e82525c2
Instruction Fuzzy Hash: F4D1D437D0C687AAE3668B3680043F96690EF45B54F19C731DF68933D5DF3AA891870A

Function 00007FF6E0F5D9E0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421bed7b7ebda35f1758091d64a74c1ae5c5625944ced7affa312c76d4ecfa51
Instruction ID: 91e670a0166726adb90b0a1b8ca184b4883e9964b4a6e9429d3e6705db38dcbb
Opcode Fuzzy Hash: 421bed7b7ebda35f1758091d64a74c1ae5c5625944ced7affa312c76d4ecfa51
Instruction Fuzzy Hash: 1AA1B033A18AD89EF701CF7A80412FCBBB0BB59349F159325DE4533A65DB396595CB00

Function 00007FF6E0F5B260 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction ID: ae620a837fe7704b667d1a2d9b25920e0ec5fd53b1a6cc02014314a171cd7216
Opcode Fuzzy Hash: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction Fuzzy Hash: DF5108A76284B187DB508F2AD8816BC3790E746B42FD48476D658C2F91C53EC51ADF20

Function 00007FF6E0F6E840 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572067d43e0bb9b4b4bf09bf9cfdcc8ccbb566e726d4778adefb851f1c3dd114
Instruction ID: 89794df36de74e1c47657f49d4baa182f2ba46f597eb2e9f98244b81c81e1ad8
Opcode Fuzzy Hash: 572067d43e0bb9b4b4bf09bf9cfdcc8ccbb566e726d4778adefb851f1c3dd114
Instruction Fuzzy Hash: 3751E376614A8592DB54CF2AE454B9E77A1FB8DF88F599132DF4A03B28CF39D058CB00

Function 00007FF6E0F6CF70 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38d7f48acacb32f9200d76b54f90db7e51c0fec053fc2825604f8ba922bf16e
Instruction ID: 788161fe7e4efbb47479bf0a35edb6716ad00a4d4d3dc83e9a0667c361e98fd3
Opcode Fuzzy Hash: c38d7f48acacb32f9200d76b54f90db7e51c0fec053fc2825604f8ba922bf16e
Instruction Fuzzy Hash: 68416A23E1D25965E921893360403FA6651AFAA780F5DC732ED8857788DF3EE092428A

Function 00007FF6E0F440A0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4aba7fefc6fd9502e7fe74557c2f6decdcab9c23a650afdc81c86faec63b3a
Instruction ID: 09d6778499d23d3d54222d15285cefdc5cbd1df6bad5ee73ce38335b9ec4c3f6
Opcode Fuzzy Hash: aa4aba7fefc6fd9502e7fe74557c2f6decdcab9c23a650afdc81c86faec63b3a
Instruction Fuzzy Hash: F541D3A36390F55FE6589733847053E7BA0D28B742788A51BEFD106986CA3ED150EF20

Function 00007FF6E0F44000 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ddf5de799f46bd42d84597dda8bcfa7db29991e6711bd5321313df1f86b4e40
Instruction ID: 1421be79d98a1e0b17ab8c5ac644adebe825c44012a856ef9e054bc306618f07
Opcode Fuzzy Hash: 8ddf5de799f46bd42d84597dda8bcfa7db29991e6711bd5321313df1f86b4e40
Instruction Fuzzy Hash: EE01FC726042D24ADB54CBA194F45BA73A0E38C702F461137FF8D47685EE3D9246DB70

Function 00007FF6E0F43040 Relevance: 59.0, APIs: 39, Instructions: 498fileCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43096
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F430C8
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F43137
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F43140
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F431CD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43206
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43238
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F4326A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F432A3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F432D5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F4333D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F4336F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F433A1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F433D3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43405
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F4346A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43496
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F434CC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43509
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43547
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43579
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F435C3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F435FD

Part of subcall function 00007FF6E0F68990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F689CB
Part of subcall function 00007FF6E0F68990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F689EC
Part of subcall function 00007FF6E0F68990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68A3A
Part of subcall function 00007FF6E0F68990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68A6A
Part of subcall function 00007FF6E0F68990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68A96
Part of subcall function 00007FF6E0F68990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68AB8
Part of subcall function 00007FF6E0F68990: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68ADA

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43660
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F4369A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F436CC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F436FE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43730
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43762
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43794
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F437C6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F437FF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43831
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F43863
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F43886
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F43894
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F438C6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F438F8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F4392A

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free$fclose$__acrt_iob_funcfwrite
String ID:
API String ID: 3704438457-0
Opcode ID: fa34977cf2f86ff559207e85c809f873b77360157f60e54e62ae7a809150c374
Instruction ID: de0404ab317f2d3d3d73fe6caa798e9b82b371ce1512f1cc94e6b48237277448
Opcode Fuzzy Hash: fa34977cf2f86ff559207e85c809f873b77360157f60e54e62ae7a809150c374
Instruction Fuzzy Hash: 04420872B09A82B6EA2D9B11DA447B977A0FF44B41F884535CF6D87350CF3AB471E209

Function 00007FF6E0F35DD0 Relevance: 47.3, APIs: 21, Strings: 6, Instructions: 88processCOMMON

Download Yara Rule

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F35DE0
GetStdHandle.KERNEL32 ref: 00007FF6E0F35DEB
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F35DF9

Part of subcall function 00007FF6E0F21CA0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F21CC4
Part of subcall function 00007FF6E0F21CA0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F21CE5

GetStdHandle.KERNEL32 ref: 00007FF6E0F35E1C
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F35E2A
GetStdHandle.KERNEL32 ref: 00007FF6E0F35E41
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F35E4F
GetStdHandle.KERNEL32 ref: 00007FF6E0F35E66
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F35E74
GetStdHandle.KERNEL32 ref: 00007FF6E0F35E96
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F35EA4
GetStdHandle.KERNEL32 ref: 00007FF6E0F35EBB
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F35EC9
GetStdHandle.KERNEL32 ref: 00007FF6E0F35EE0
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F35EEE
GetStdHandle.KERNEL32 ref: 00007FF6E0F35F1C
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F35F2A
GetStdHandle.KERNEL32 ref: 00007FF6E0F35F41
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F35F4F
GetStdHandle.KERNEL32 ref: 00007FF6E0F35F66
SetConsoleTextAttribute.KERNEL32 ref: 00007FF6E0F35F74

Strings

[ Selecione uma opcao: ], xrefs: 00007FF6E0F35E30
##########################################################, xrefs: 00007FF6E0F35E55
##########################################################, xrefs: 00007FF6E0F35E0B
cls, xrefs: 00007FF6E0F35DD9
Status: %s, xrefs: 00007FF6E0F35F01
Inserir Key: , xrefs: 00007FF6E0F35F7A

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: AttributeConsoleHandleText$__acrt_iob_func__stdio_common_vfprintfsystem
String ID: Inserir Key: $ Status: %s$##########################################################$##########################################################$[ Selecione uma opcao: ]$cls
API String ID: 2136955776-2655065097
Opcode ID: 31e4bd216100fab6e83c934368dca800184fd989d186e26079e92c9a21e89ba9
Instruction ID: 98345d5705b5b4bff61cf8f0816942e8b1ea8a19b2cff3b103c8b133b2e4da53
Opcode Fuzzy Hash: 31e4bd216100fab6e83c934368dca800184fd989d186e26079e92c9a21e89ba9
Instruction Fuzzy Hash: FB416D17E0884396E7156B70E8153B43210FF98F64F908235D93ECB7E2DE2EA495A31B

Function 00007FF6E0F3E560 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF6E0F3E5B7
GetFileAttributesW.KERNEL32 ref: 00007FF6E0F3E5C4
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6E0F3E5E6
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF6E0F3E607
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6E0F3E63B
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF6E0F3E65A
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6E0F3E6A4
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z.MSVCP140 ref: 00007FF6E0F3E6C8
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F3E72E
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF6E0F3E74A

Strings

C:\Windows\System32\drivers\scraidy.sys, xrefs: 00007FF6E0F3E5A9, 00007FF6E0F3E5BD

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?setstate@?$basic_ios@?write@?$basic_ostream@AttributesByteCharD@std@@@1@_FileMultiV12@V?$basic_streambuf@Widefclose
String ID: C:\Windows\System32\drivers\scraidy.sys
API String ID: 2986869609-3815880412
Opcode ID: 1240f2b43991285311358065356a968415243cd3eab797b76bce2c2170b8149f
Instruction ID: 79ecd8cb5de8dfc5d5e31584a03fc9288fe9ae6a4f76510fee85757ee922eee6
Opcode Fuzzy Hash: 1240f2b43991285311358065356a968415243cd3eab797b76bce2c2170b8149f
Instruction Fuzzy Hash: 7EB16933A08B4199EB10CB24E8943AD7B74FB85B98F504036DA8D93BA8DF3ED449C705

Function 00007FF6E0F9B520 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 284COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6E0F9B5D6
OpenProcessToken.ADVAPI32 ref: 00007FF6E0F9B5EB
GetTokenInformation.ADVAPI32 ref: 00007FF6E0F9B62E
GetLastError.KERNEL32 ref: 00007FF6E0F9B634
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F9B69D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F9B6D6
UnloadUserProfile.USERENV ref: 00007FF6E0F9B7C0
CloseHandle.KERNEL32 ref: 00007FF6E0F9B7D9
GetTokenInformation.ADVAPI32 ref: 00007FF6E0F9B849
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F9B866
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F9B896
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F9B8F8
memmove.VCRUNTIME140 ref: 00007FF6E0F9B923
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F9B965

Strings

none, xrefs: 00007FF6E0F9B6FD

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free$Token$InformationProcess$CloseCurrentErrorHandleLastOpenProfileUnloadUsercallocmallocmemmove
String ID: none
API String ID: 3698963424-2140143823
Opcode ID: dcd8a3627940dee8f0799b03fdcec6499e56044c8146465e5d679fd45f01a3a3
Instruction ID: d055f36005c30132e0550960273ffac97cffbdaf868f3671e464265bb2c99b06
Opcode Fuzzy Hash: dcd8a3627940dee8f0799b03fdcec6499e56044c8146465e5d679fd45f01a3a3
Instruction Fuzzy Hash: 8BD18E33A09BC19AEB609F61C9503E833A0FB84B68F444635DE6D8BB95DF39D564C306

Function 00007FF6E0F35F90 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 204sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E0F386A0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6E0F386D0
Part of subcall function 00007FF6E0F386A0: ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF6E0F386EF
Part of subcall function 00007FF6E0F386A0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6E0F38721
Part of subcall function 00007FF6E0F386A0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF6E0F3873C
Part of subcall function 00007FF6E0F386A0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6E0F3878B

?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z.MSVCP140 ref: 00007FF6E0F35FFE

Part of subcall function 00007FF6E0F3CD90: ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF6E0F3CDEC
Part of subcall function 00007FF6E0F3CD90: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF6E0F3CE1E
Part of subcall function 00007FF6E0F3CD90: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6E0F3CEF8

Part of subcall function 00007FF6E0F3A000: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6E0F22553), ref: 00007FF6E0F3A062
Part of subcall function 00007FF6E0F3A000: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF6E0F22553), ref: 00007FF6E0F3A084

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6E0F36045
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6E0F36180
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF6E0F361BD
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF6E0F361C7
Sleep.KERNEL32 ref: 00007FF6E0F36205
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F36229
Sleep.KERNEL32 ref: 00007FF6E0F3625A
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F36265
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F362E8
Sleep.KERNEL32 ref: 00007FF6E0F362F9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F36334

Strings

C:\Windows\key.txt, xrefs: 00007FF6E0F3611C
Erro ao salvar a chave., xrefs: 00007FF6E0F36230
valorant plus, xrefs: 00007FF6E0F36060, 00007FF6E0F360FD, 00007FF6E0F361DF

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$?setstate@?$basic_ios@$Sleep_invalid_parameter_noinfo_noreturn$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?sgetc@?$basic_streambuf@?widen@?$basic_ios@D@std@@@1@_Ipfx@?$basic_istream@V?$basic_streambuf@exitfclose
String ID: C:\Windows\key.txt$Erro ao salvar a chave.$valorant plus
API String ID: 599532705-3608017239
Opcode ID: 11d9dfe08b24bf0fb7950eff6a1674df54bda6bb21bd7d00659f75edb542c4a5
Instruction ID: 7eb44071298e018970150b0c5303cdb35af92a9ff5330e7fbdd425e77e66594c
Opcode Fuzzy Hash: 11d9dfe08b24bf0fb7950eff6a1674df54bda6bb21bd7d00659f75edb542c4a5
Instruction Fuzzy Hash: 90A1B063A1CA8696EB10DB24E4483FD6760FF84764F404131EA8D87BAADF7EE444C706

Function 00007FF6E0F94610 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 361COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6E0F9466D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F94787
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6E0F947B5
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6E0F947C2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F947FB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F9484C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F949C8
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6E0F949F4
__std_exception_destroy.VCRUNTIME140 ref: 00007FF6E0F94A01
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F94A3B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F94A8E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F94B7C

Part of subcall function 00007FF6E0F3A420: memmove.VCRUNTIME140(?,00000000,?,00007FF6E0F22793), ref: 00007FF6E0F3A457

Part of subcall function 00007FF6E0F90100: memmove.VCRUNTIME140 ref: 00007FF6E0F90261

Part of subcall function 00007FF6E0F8F0B0: memmove.VCRUNTIME140 ref: 00007FF6E0F8F173

Part of subcall function 00007FF6E0F90B50: memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,-00000001,00000001,00007FF6E0F9041E), ref: 00007FF6E0F90C2F

Strings

value, xrefs: 00007FF6E0F946EC, 00007FF6E0F94931

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroymemmove$memset
String ID: value
API String ID: 1018545407-494360628
Opcode ID: e9f96acc898cebe2ceaf1ab6ba4ff8e8812883fec564dea484d71cb4c7b880d0
Instruction ID: f1289e06c11d3fd3ab7f19a4cb82c9f788129480576af1427935e05fa34f3c0b
Opcode Fuzzy Hash: e9f96acc898cebe2ceaf1ab6ba4ff8e8812883fec564dea484d71cb4c7b880d0
Instruction Fuzzy Hash: 2BF1E323A1CAC155EB10CFA4E4403ED6760EB953A8F404231EAAD83BE9DF3DE195C705

Function 00007FF6E0FA1EF0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,?,00000000,00000000,?,00000000,00007FF6E0FA1E4F), ref: 00007FF6E0FA1F53
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0FA1FCD
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF6E0FA2040
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0FA209F
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF6E0FA20BA
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0FA20D0

Strings

# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00007FF6E0FA1FC6
## Fatal libcurl error, xrefs: 00007FF6E0FA2107
%s.%s.tmp, xrefs: 00007FF6E0FA1F8A
%s, xrefs: 00007FF6E0FA206B

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: fclose$__acrt_iob_func_unlinkfputsqsort
String ID: ## Fatal libcurl error$# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$%s.%s.tmp
API String ID: 101901870-4087121635
Opcode ID: f35b2f19f72bee67aa526d12bf57b1b073cf278445dcc725a39886f997d4b41d
Instruction ID: 178dc58b1390301db085bd2566d896502710b28a20d7fac1228a9f3fb879cf15
Opcode Fuzzy Hash: f35b2f19f72bee67aa526d12bf57b1b073cf278445dcc725a39886f997d4b41d
Instruction Fuzzy Hash: E751C363B0D64255FEA59B25A8143F626B0BF94BC4F548431DD0EC7750DE3FE424D20A

Function 00007FF6E0FB0140 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128librarystringloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00007FF6E0FD929A,?,?,?,?,00007FF6E0FB04CB), ref: 00007FF6E0FB0154
GetProcAddress.KERNEL32(?,?,?,?,00007FF6E0FB04CB), ref: 00007FF6E0FB0179
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00007FF6E0FB04CB), ref: 00007FF6E0FB018C

Strings

kernel32, xrefs: 00007FF6E0FB014D
LoadLibraryExA, xrefs: 00007FF6E0FB016A
AddDllDirectory, xrefs: 00007FF6E0FB01D3

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProcstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32
API String ID: 27745253-3327535076
Opcode ID: 6fa5a679e9bc4c2b9dabc23e1795dd50d6da33276f97551344a2d7596afa6442
Instruction ID: b9d547aafcf3e6696734a35a43c01d364cc185db80c65cad0a3e7e603266c522
Opcode Fuzzy Hash: 6fa5a679e9bc4c2b9dabc23e1795dd50d6da33276f97551344a2d7596afa6442
Instruction Fuzzy Hash: 08410513B0DA4296FB258B56A80427927A1EF85BD0F088130CE0D87794DE3ED49ADB19

Function 00007FF6E0F8F0B0 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E0F3A420: memmove.VCRUNTIME140(?,00000000,?,00007FF6E0F22793), ref: 00007FF6E0F3A457

Part of subcall function 00007FF6E0F93E00: memmove.VCRUNTIME140 ref: 00007FF6E0F93FBA

memmove.VCRUNTIME140 ref: 00007FF6E0F8F173
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8F2D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8F32A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8F37B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8F3BA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8F409
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8F448
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8F4C5

Strings

parse_error, xrefs: 00007FF6E0F8F111
parse error, xrefs: 00007FF6E0F8F169, 00007FF6E0F8F189

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID: parse error$parse_error
API String ID: 15630516-1820534363
Opcode ID: 9a22302770469650c955177b661f9e09b8e3911ab644c72a34899699424071ef
Instruction ID: 90231ff40e8bc48203187ebd314d8170ed9b5bdd4bb066438cdabf6015d72ec6
Opcode Fuzzy Hash: 9a22302770469650c955177b661f9e09b8e3911ab644c72a34899699424071ef
Instruction Fuzzy Hash: C0C1EF63A18B8199FB00CB69E4443ED2761FB887A4F504235EA6C93BE9DF7DE085C305

Function 00007FF6E0F2AE10 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00007FF6E0F2AE2B
ClientToScreen.USER32 ref: 00007FF6E0F2AE3D
FindWindowA.USER32 ref: 00007FF6E0F2AE8E
DwmExtendFrameIntoClientArea.DWMAPI ref: 00007FF6E0F2AEC1
SetLayeredWindowAttributes.USER32 ref: 00007FF6E0F2AED9
ShowWindow.USER32 ref: 00007FF6E0F2AEEB
UpdateWindow.USER32 ref: 00007FF6E0F2AEF8
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F2AF03

Strings

MedalOverlayClass, xrefs: 00007FF6E0F2AE87
MedalOverlay, xrefs: 00007FF6E0F2AE80

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Window$Client$AreaAttributesExtendFindFrameIntoLayeredRectScreenShowUpdateexit
String ID: MedalOverlay$MedalOverlayClass
API String ID: 543961071-163034715
Opcode ID: 139e8f40f3c704eb64744fbe9b29f7420d452cd1f3d4098edb693072818aaefe
Instruction ID: 729eece6425b1c03bc6a59c872331f9fa5565f20e19b9622c1232c29c8e29c2c
Opcode Fuzzy Hash: 139e8f40f3c704eb64744fbe9b29f7420d452cd1f3d4098edb693072818aaefe
Instruction Fuzzy Hash: 042107B6A08A469AEB20DB15E84133437A0FF88725F604235D96DC73A4DF3EF445A70E

Function 00007FF6E0F3EE00 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 488COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E0F3FF30: memset.VCRUNTIME140(?,?,00000000,00007FF6E0F3EE39), ref: 00007FF6E0F3FF94
Part of subcall function 00007FF6E0F3FF30: memset.VCRUNTIME140(?,?,00000000,00007FF6E0F3EE39), ref: 00007FF6E0F3FFEC

memset.VCRUNTIME140 ref: 00007FF6E0F3EE98
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F3EED8
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F3EEE3
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F3EF04
memset.VCRUNTIME140 ref: 00007FF6E0F3F366
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F3F542
memset.VCRUNTIME140 ref: 00007FF6E0F3F5FE
memset.VCRUNTIME140 ref: 00007FF6E0F3F9D6

Strings

33s@, xrefs: 00007FF6E0F3F63E

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memset$cosf$mallocsinf
String ID: 33s@
API String ID: 4264095117-2537142335
Opcode ID: 57e47f784db80c1244b036179ec1002cad0598aa6e2c3d74522fccb888693eb2
Instruction ID: a05dd194e257d2af3b3570113e2d5927a1e4d497672c25881f8f5b1484399dd4
Opcode Fuzzy Hash: 57e47f784db80c1244b036179ec1002cad0598aa6e2c3d74522fccb888693eb2
Instruction Fuzzy Hash: B762AEB2615BC1AAD30CDF25EA442DAB7A8F755B15F994329C7B403290DF74B1B08B0D

Function 00007FF6E0F935C0 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 335COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E0F867D0: memcmp.VCRUNTIME140 ref: 00007FF6E0F868AC
Part of subcall function 00007FF6E0F867D0: memcmp.VCRUNTIME140 ref: 00007FF6E0F86923

Part of subcall function 00007FF6E0F867D0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F86A09

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F93A53

Strings

createdate, xrefs: 00007FF6E0F936C2
username, xrefs: 00007FF6E0F935F9
subscription, xrefs: 00007FF6E0F93870
expiry, xrefs: 00007FF6E0F9395B
none, xrefs: 00007FF6E0F9367C
hwid, xrefs: 00007FF6E0F93669, 00007FF6E0F9368B
lastlogin, xrefs: 00007FF6E0F936F9
subscriptions, xrefs: 00007FF6E0F93740, 00007FF6E0F937B9, 00007FF6E0F938A3

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcmp
String ID: createdate$expiry$hwid$lastlogin$none$subscription$subscriptions$username
API String ID: 2972922734-284943577
Opcode ID: 09ee00e8d0a5f02102d179386c09d32c012c180e17d6289e94d6139bdf4b86fd
Instruction ID: 7628f738894953ddeb9b672bf35e5ce1519d5caa2d741c707d3597896ef1707b
Opcode Fuzzy Hash: 09ee00e8d0a5f02102d179386c09d32c012c180e17d6289e94d6139bdf4b86fd
Instruction Fuzzy Hash: 2EE1A2A3B0C642A4FB048FAAD4543EC3761EB85B94F859032CE5D87795DE3ED5A0C34A

Function 00007FF6E0F40810 Relevance: 15.1, APIs: 10, Instructions: 82COMMON

Download Yara Rule

APIs

ftell.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6E0F4519B), ref: 00007FF6E0F40857
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6E0F4519B), ref: 00007FF6E0F40871
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6E0F4519B), ref: 00007FF6E0F40882
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6E0F4519B), ref: 00007FF6E0F4089C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F4519B), ref: 00007FF6E0F408C1
fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6E0F4519B), ref: 00007FF6E0F408DD
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6E0F4519B), ref: 00007FF6E0F408EB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F4519B), ref: 00007FF6E0F40906
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6E0F4519B), ref: 00007FF6E0F4090E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6E0F4519B), ref: 00007FF6E0F40924

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: fclose$fseekftell$freadfreemalloc
String ID:
API String ID: 1549146309-0
Opcode ID: 64a4d35f6bfc99ba9769ec1b87698a4ad42c0c652016416c53d9c18217438fb4
Instruction ID: c4b588711ff820841fd4ed084a3a90ae027f8ba687c8fda8c00a49b2132fbea4
Opcode Fuzzy Hash: 64a4d35f6bfc99ba9769ec1b87698a4ad42c0c652016416c53d9c18217438fb4
Instruction Fuzzy Hash: F2317433B1D60361FB649B95BA0437922A0AF84B90F181534CD2EC77D1DE3EE862930A

Function 00007FF6E0F33840 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E0F39540: memmove.VCRUNTIME140(?,?,?,00007FF6E0F3387F,00000000,?,0000000100000000,00007FF6E0F21AAF), ref: 00007FF6E0F3962F
Part of subcall function 00007FF6E0F39540: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F39653
Part of subcall function 00007FF6E0F39540: ??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF6E0F3387F,00000000,?,0000000100000000,00007FF6E0F21AAF), ref: 00007FF6E0F39679

Part of subcall function 00007FF6E0F39540: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF6E0F3387F,00000000,?,0000000100000000,00007FF6E0F21AAF), ref: 00007FF6E0F39609

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,0000000100000000,00007FF6E0F21AAF), ref: 00007FF6E0F33AA0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,0000000100000000,00007FF6E0F21AAF), ref: 00007FF6E0F33AA7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,0000000100000000,00007FF6E0F21AAF), ref: 00007FF6E0F33AAE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,0000000100000000,00007FF6E0F21AAF), ref: 00007FF6E0F33AB5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,0000000100000000,00007FF6E0F21AAF), ref: 00007FF6E0F33ABC

Strings

9WIvTVJa9m, xrefs: 00007FF6E0F33883
1.7, xrefs: 00007FF6E0F338AB
valorant plus, xrefs: 00007FF6E0F3386B

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$??1?$codecvt@_Concurrency::cancel_current_taskMbstatet@@@std@@memmove
String ID: 1.7$9WIvTVJa9m$valorant plus
API String ID: 634393736-2861110663
Opcode ID: 01c2d13774a74eb2f9b014e1552840ac1e9e692a6a465cce479ad741b5a00f26
Instruction ID: cb92b0ad138de26b82cdb7077a0ad0633da36ac4b910c5059e034545f78348c7
Opcode Fuzzy Hash: 01c2d13774a74eb2f9b014e1552840ac1e9e692a6a465cce479ad741b5a00f26
Instruction Fuzzy Hash: 9461D0A3A08786A1EB00DB25E4583BD7762FB19F80F504035DA9C87656DF7EE4D0D34A

Function 00007FF6E0F94B90 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F94D28

Part of subcall function 00007FF6E0F88750: memmove.VCRUNTIME140 ref: 00007FF6E0F88843
Part of subcall function 00007FF6E0F88750: memmove.VCRUNTIME140 ref: 00007FF6E0F88851

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F94DBC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F94DFB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F94E49
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F94E97

Strings

, column , xrefs: 00007FF6E0F94D1E, 00007FF6E0F94D40
at line , xrefs: 00007FF6E0F94CB0

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID: at line $, column
API String ID: 15630516-191570568
Opcode ID: 3bf037b0e44b0f009ee830589db665dfe21d148cb65d098ffe82f56f71977ea6
Instruction ID: f36dc361ddab85d28832494213bf68de60562d8c181142dfad1eba7b3512d7b6
Opcode Fuzzy Hash: 3bf037b0e44b0f009ee830589db665dfe21d148cb65d098ffe82f56f71977ea6
Instruction Fuzzy Hash: F891BE63F18B8599FB00DBA8D4043EC2761EB54B98F404226DE6C57BDADF39E096C345

Function 00007FF6E0FA1B70 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 161fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0FA1C31
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0FA1C52
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0FA1CA8
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0FA1D74

Strings

ignoring failed cookie_init for %s, xrefs: 00007FF6E0FA1CB2
Set-Cookie:, xrefs: 00007FF6E0FA1CE6
none, xrefs: 00007FF6E0FA1BF2

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: fclose$__acrt_iob_funcfopen
String ID: Set-Cookie:$ignoring failed cookie_init for %s$none
API String ID: 3183491739-4095489131
Opcode ID: 0afd0d92738b6e1e3894cd5ad0dd3c6e393f0d8bc3bf062bb5050741ccf8a7b3
Instruction ID: d5d65029b652b3601e18422bf3940093f81475dae773257de437e3541cc86694
Opcode Fuzzy Hash: 0afd0d92738b6e1e3894cd5ad0dd3c6e393f0d8bc3bf062bb5050741ccf8a7b3
Instruction Fuzzy Hash: 3D61E223A0CB82A1EB619B21A4143F937A4FF45B84F694834DE8D87785DF3EE411D74A

Function 00007FF6E0F8FF10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 131processCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F8FF8C
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8FFEB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F90025
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F90077
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F900EE

Strings

&& timeout /t 5", xrefs: 00007FF6E0F8FF82, 00007FF6E0F8FFA0
start cmd /C "color b && title Error && echo , xrefs: 00007FF6E0F8FF3C

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmovesystem
String ID: && timeout /t 5"$start cmd /C "color b && title Error && echo
API String ID: 3478177393-3357973498
Opcode ID: ffc4cf0877067ca897e14bade09d9f568f7246c1195780a34d21c2b964f04260
Instruction ID: 254bff2fd84bb3980a4e4b01208443a6c88d6d549d483f3669f77ac67280c5f4
Opcode Fuzzy Hash: ffc4cf0877067ca897e14bade09d9f568f7246c1195780a34d21c2b964f04260
Instruction Fuzzy Hash: 9551EE73A18B8595EB10CB69E4443AD6321FB89BD0F904231EB9D83BAADF7DD090C305

Function 00007FF6E0F3D840 Relevance: 12.1, APIs: 8, Instructions: 122COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(2E8BA2E8BA2E8BA3,00000000,00000000,00000000,00007FF6E0F3C5D6), ref: 00007FF6E0F3D939
memmove.VCRUNTIME140(2E8BA2E8BA2E8BA3,00000000,00000000,00000000,00007FF6E0F3C5D6), ref: 00007FF6E0F3D94B
memmove.VCRUNTIME140(2E8BA2E8BA2E8BA3,00000000,00000000,00000000,00007FF6E0F3C5D6), ref: 00007FF6E0F3D95B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(2E8BA2E8BA2E8BA3,00000000,00000000,00000000,00007FF6E0F3C5D6), ref: 00007FF6E0F3D98F
memmove.VCRUNTIME140 ref: 00007FF6E0F3D999
memmove.VCRUNTIME140 ref: 00007FF6E0F3D9A9
memmove.VCRUNTIME140 ref: 00007FF6E0F3D9B9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3D9E9

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 64d7b9545e8f25cb4753dce702b5719d5cfaf3ac6c213c9bbd665d16455df6be
Instruction ID: c88da242df577e9bd18e5d74cc0205e999f3d64a8e333196cf93f0983e8343ae
Opcode Fuzzy Hash: 64d7b9545e8f25cb4753dce702b5719d5cfaf3ac6c213c9bbd665d16455df6be
Instruction Fuzzy Hash: C241D263B0DA85A1EA10EF16F4443E9A355FB48BE4F540232DE9C47B95CE3DE455C30A

Function 00007FF6E0F9B2E0 Relevance: 12.1, APIs: 8, Instructions: 117COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FF6E0F9B454,?,?,?,?,?,?,00000000,00007FF6E0F9B8AD), ref: 00007FF6E0F9B360
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,00007FF6E0F9B8AD), ref: 00007FF6E0F9B3B0

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: aa30bc4991c5531d7c69db98f32cea81edc8e763002baaa846ffd2d222899a18
Instruction ID: 7a9cc2624607169b34feaf255d52d0cc9ff70e8c02042f1a34aedc7b1a63c6e0
Opcode Fuzzy Hash: aa30bc4991c5531d7c69db98f32cea81edc8e763002baaa846ffd2d222899a18
Instruction Fuzzy Hash: 8041E167A0C64695EB10DF9AE5907BD6360BB84BC0F844035DF0D87786CF3ED461870A

Function 00007FF6E0F5A4CA Relevance: 11.3, APIs: 9, Instructions: 86COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5A4ED
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5A512
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5A537
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5A55C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5A581
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5A5A6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5A5CB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5A5F0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5A615

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: dc537d5a5411c32b1dbce4e9dcbebf7c3ddfc857890f66abfc441d16219d4877
Instruction ID: b5f7b80a8d794acf1b04338c74a1be6e94a8a41388eeb5250ea177b9550a2d90
Opcode Fuzzy Hash: dc537d5a5411c32b1dbce4e9dcbebf7c3ddfc857890f66abfc441d16219d4877
Instruction Fuzzy Hash: 38410926B1E68295FF2A8F10D4507B527A0FF44F45F8C8135CE0D87760DF3EA820A20A

Function 00007FF6E0F648B0 Relevance: 10.8, APIs: 7, Instructions: 264COMMON

Download Yara Rule

APIs

ceilf.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF6E0F64A10
ceilf.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF6E0F64A25
cosf.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF6E0F64AFF
sinf.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF6E0F64B18
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F64BBB
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F64BD3
ceilf.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF6E0F64CA1

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: ceilf$cosfsinf
String ID:
API String ID: 125261001-0
Opcode ID: 836fafad6af3ad57cfa814b23af0c2a76a05541a8c4ac8a0882f8ee62869c8cd
Instruction ID: d1bde90135220dcbe3b60084b9144b2cd0b8562b9639768ebd961d36fb7a77a4
Opcode Fuzzy Hash: 836fafad6af3ad57cfa814b23af0c2a76a05541a8c4ac8a0882f8ee62869c8cd
Instruction Fuzzy Hash: D0B11A33D2CA8985E7129B35A0413F9B350FF59385F189332ED48B3761EF29F4A18A45

Function 00007FF6E0F39970 Relevance: 10.8, APIs: 7, Instructions: 261COMMON

Download Yara Rule

APIs

?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000826299E00), ref: 00007FF6E0F39A3F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000826299E00), ref: 00007FF6E0F39BFA

Part of subcall function 00007FF6E0F3B5E0: memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B6F8

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000826299E00), ref: 00007FF6E0F39AFF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000826299E00), ref: 00007FF6E0F39D00
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000826299E00), ref: 00007FF6E0F39D4C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F39D53
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F39D59

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskmemmove$?in@?$codecvt@_Mbstatet@@Mbstatet@@@std@@
String ID:
API String ID: 147523147-0
Opcode ID: 6cb9c8fd25349631d31d92920ebd8e51a0de052557af6fef02a8a4311ec7598d
Instruction ID: 6ed99c5277b429e3694721c39323098364cc1855b5070e9430b523c0a72ebe03
Opcode Fuzzy Hash: 6cb9c8fd25349631d31d92920ebd8e51a0de052557af6fef02a8a4311ec7598d
Instruction Fuzzy Hash: BBB1BD63B1CB85A9EB00CB69D0483EC63A5EB487A8F405631DE5D97B98DF3DD151C30A

Function 00007FF6E0FBCB60 Relevance: 10.7, APIs: 7, Instructions: 242sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00007FF6E0FBCBC6
WSASetLastError.WS2_32 ref: 00007FF6E0FBCD86
Sleep.KERNEL32 ref: 00007FF6E0FBCD96
__WSAFDIsSet.WS2_32 ref: 00007FF6E0FBCEAA
__WSAFDIsSet.WS2_32 ref: 00007FF6E0FBCEC2
Sleep.KERNEL32 ref: 00007FF6E0FBCEED

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: acae420a63f45e51fa7acf847ceccc2a55ddc1131ed42a7f23926728908f3f83
Instruction ID: 2481eb5531ca7aeef689657d25ba1ad2597558275721327b19f1d85af56cbeda
Opcode Fuzzy Hash: acae420a63f45e51fa7acf847ceccc2a55ddc1131ed42a7f23926728908f3f83
Instruction Fuzzy Hash: AAA10A27B1C69296EB694E1494003FA6695FF48B90F104235EE2EC77C8DF3ED9218F85

Function 00007FF6E0F9BEF0 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 217stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF6E0F9BEB8), ref: 00007FF6E0F9C005
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF6E0F9BEB8), ref: 00007FF6E0F9C01F

Strings

Internal error removing splay node = %d, xrefs: 00007FF6E0F9BF02
I32, xrefs: 00007FF6E0F9BFF5, 00007FF6E0F9C055
I64, xrefs: 00007FF6E0F9C015, 00007FF6E0F9C07F

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: strncmp
String ID: I32$I64$Internal error removing splay node = %d
API String ID: 1114863663-13178787
Opcode ID: 0585d2c26be094c6d8cbb9b76de019ef913e05d4dd486375b933617067b4fdb7
Instruction ID: 20d9b79464778c8a5a309de8c718abd5fdf37c4e9f2787857a0b51363e9332e4
Opcode Fuzzy Hash: 0585d2c26be094c6d8cbb9b76de019ef913e05d4dd486375b933617067b4fdb7
Instruction Fuzzy Hash: 50A1AF33A0CA8296EB208F55E4547BD7BA4FB48B88F464235CA9D83359DF3DD218CB45

Function 00007FF6E0F94ED0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 209COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F950E1

Part of subcall function 00007FF6E0F392F0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,00007FF6E0F94F3A), ref: 00007FF6E0F39348

Strings

ANUL, xrefs: 00007FF6E0F94F9E
EZZ, xrefs: 00007FF6E0F94FAC

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ANUL$EZZ
API String ID: 3668304517-3347727684
Opcode ID: b16b5b10051b587aa350b4541184d14af152be7a62e369b8c3d37a1a30503301
Instruction ID: f3a2accf83777ed4dcb7749c1abb7084f16004aea44a244776b0d019bf10e9c5
Opcode Fuzzy Hash: b16b5b10051b587aa350b4541184d14af152be7a62e369b8c3d37a1a30503301
Instruction Fuzzy Hash: 1991A263B087826AFB04DFA5D4143ED2362EB41B98F804535DE4D5BBCACF3D95A48389

Function 00007FF6E0F38010 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F380BF

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: 0becba9c9d0fd3f813134cb444283808e43923709129d22eb6eac3924ca4e7fe
Instruction ID: be69c122322a6f137265ce9977e4d66e45f66e04c571fe60f4ee3eade9df3904
Opcode Fuzzy Hash: 0becba9c9d0fd3f813134cb444283808e43923709129d22eb6eac3924ca4e7fe
Instruction Fuzzy Hash: F6813433B18A41A9EB118F65D4843ED27B0FB48BA8F540632DE5D83B94DF3DD4A58316

Function 00007FF6E0FBE820 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 165stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF6E0FA247A,?,?,?,?,?,?,?,00007FF6E0FA2247), ref: 00007FF6E0FBE831
strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF6E0FBE9D3
strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF6E0FBE9F0

Strings

0123456789abcdef, xrefs: 00007FF6E0FBE9C2, 00007FF6E0FBE9CC
TRUE, xrefs: 00007FF6E0FBE95C
0123456789ABCDEF, xrefs: 00007FF6E0FBE9E2, 00007FF6E0FBE9E9

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: strchr$_errno
String ID: 0123456789ABCDEF$0123456789abcdef$TRUE
API String ID: 2644425738-1191287149
Opcode ID: 7ffc78b9e3c83d4b176f08e2ae2837ce0d28e15046c52a3ba132142420f031f4
Instruction ID: b047c983b144ec560d57f76ecff3c3c526a0722b4fbd32c05e5350d05dfa03e5
Opcode Fuzzy Hash: 7ffc78b9e3c83d4b176f08e2ae2837ce0d28e15046c52a3ba132142420f031f4
Instruction Fuzzy Hash: 7E513513B1C78691EE208B1494603FA7794AB96B88F488131DE4E8774CEE3EE851CF07

Function 00007FF6E0F3A760 Relevance: 10.6, APIs: 7, Instructions: 133COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF6E0F3A7F3
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6E0F3A847
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF6E0F3A86E
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF6E0F3A896
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6E0F3A8DC
?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF6E0F3A8E3
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF6E0F3A8F0

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 729925803-0
Opcode ID: 242bd238bb676acabf07dd48db508c0998194b03baf990c35c43ac5153938f3a
Instruction ID: 21533fb04b662e36304107f591d71017a54d25a7467b764164a6b60160a240a8
Opcode Fuzzy Hash: 242bd238bb676acabf07dd48db508c0998194b03baf990c35c43ac5153938f3a
Instruction Fuzzy Hash: B4516133A09A4191EB218F1AD488378B7A0EF89FA5F15C535CE5E877A0CF3ED4568306

Function 00007FF6E0F3CB00 Relevance: 10.6, APIs: 7, Instructions: 131COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF6E0F221FA), ref: 00007FF6E0F3CB7F
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF6E0F221FA), ref: 00007FF6E0F3CBD6
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF6E0F221FA), ref: 00007FF6E0F3CC03
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF6E0F221FA), ref: 00007FF6E0F3CC26
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF6E0F221FA), ref: 00007FF6E0F3CC6C
?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF6E0F221FA), ref: 00007FF6E0F3CC73
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF6E0F221FA), ref: 00007FF6E0F3CC80

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 729925803-0
Opcode ID: 1842c4115486c3145e7cab81e5a233985ab916393175ff326965b3655a763128
Instruction ID: daa4cea39402c4de5970f5fb887560f63a806b13e88a89fff17586ef43b9e113
Opcode Fuzzy Hash: 1842c4115486c3145e7cab81e5a233985ab916393175ff326965b3655a763128
Instruction Fuzzy Hash: AB51533360CA4191EB208F1AE494378B7A0EB89FA5F158535DE5E877A0CF3ED4529346

Function 00007FF6E0F406E0 Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,00007FF6E0F45240), ref: 00007FF6E0F40719
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,00007FF6E0F45240), ref: 00007FF6E0F40739
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6E0F45240), ref: 00007FF6E0F4076F
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,00007FF6E0F45240), ref: 00007FF6E0F40791
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,00007FF6E0F45240), ref: 00007FF6E0F407B5
_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,00007FF6E0F45240), ref: 00007FF6E0F407C1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF6E0F45240), ref: 00007FF6E0F407E4

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$_wfopenfreemalloc
String ID:
API String ID: 2585890673-0
Opcode ID: 5cc6bccee49a7b6bf0fcf975e51644b80cd3a14626fcaf62830a758d8db18515
Instruction ID: 182c6ffc74216d596b59948735c179685b87392e6acfd4f84e2d27a1026418da
Opcode Fuzzy Hash: 5cc6bccee49a7b6bf0fcf975e51644b80cd3a14626fcaf62830a758d8db18515
Instruction Fuzzy Hash: CF31C436708B4286E7389F56E51027AB7A1FB88BD0F484239DE4D87B64CF3DE5119B06

Function 00007FF6E0F3B4F0 Relevance: 10.6, APIs: 7, Instructions: 77COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B506
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B520
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B552
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B57D
std::_Facet_Register.LIBCPMT ref: 00007FF6E0F3B596
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B5B5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3B5CB

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: 45d1420ffff35b9f5bc15fa38ad057af4f4f54293b4d159208b4e13ce5690f61
Instruction ID: 9e186187dc09cbe143cc7c8a962589e432fac6a3da0a813f0744abb72a497bbc
Opcode Fuzzy Hash: 45d1420ffff35b9f5bc15fa38ad057af4f4f54293b4d159208b4e13ce5690f61
Instruction Fuzzy Hash: 8B219123A0DA05A5EB548F15E4942A96720FB5DBA4F4C4131DF1D873A8DF3ED895C30A

Function 00007FF6E0F3A5F0 Relevance: 10.6, APIs: 7, Instructions: 77COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF6E0F3A606
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF6E0F3A620
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF6E0F3A652
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF6E0F3A67D
std::_Facet_Register.LIBCPMT ref: 00007FF6E0F3A696
??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF6E0F3A6B5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3A6CB

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskD@std@@Facet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 3790006010-0
Opcode ID: 3dd96a442718bfebf3a8faa2ab01d599450246068c1ac090c1866f4b6848a362
Instruction ID: 3159eea9f7f911f770950755b530b1f9e806309d3b6070658b2be4aa2f61fde0
Opcode Fuzzy Hash: 3dd96a442718bfebf3a8faa2ab01d599450246068c1ac090c1866f4b6848a362
Instruction Fuzzy Hash: 7021A123A0CA01A5EB159F16E8442A96720FF5DBA4F1C4135DF1D873A4DF3EE895C70A

Function 00007FF6E0F386A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6E0F386D0
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF6E0F386EF
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6E0F38721
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF6E0F3873C

Part of subcall function 00007FF6E0F3A0C0: ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A0F1
Part of subcall function 00007FF6E0F3A0C0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A10E
Part of subcall function 00007FF6E0F3A0C0: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A137
Part of subcall function 00007FF6E0F3A0C0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A182
Part of subcall function 00007FF6E0F3A0C0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A197

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6E0F3878B

Strings

C:\Windows\key.txt, xrefs: 00007FF6E0F38766

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@U_iobuf@@V?$basic_streambuf@Vlocale@2@_get_stream_buffer_pointers
String ID: C:\Windows\key.txt
API String ID: 2682282330-556312689
Opcode ID: afe34247b4c8ea58d77fa3424850605e248331e2c959b92e6fe93a8036ccd167
Instruction ID: 7709486e22ce270d68be27228dcf2d106275b90496bc9d852c43a636bbb68111
Opcode Fuzzy Hash: afe34247b4c8ea58d77fa3424850605e248331e2c959b92e6fe93a8036ccd167
Instruction Fuzzy Hash: 82217A33609B828AEB10CF25E99436A77A0FB49B98F149435CA4D87724DF3ED158CB46

Function 00007FF6E0F58860 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00007FF6E0F58882
ImmSetCompositionWindow.IMM32 ref: 00007FF6E0F588BB
ImmSetCandidateWindow.IMM32 ref: 00007FF6E0F588F4
ImmReleaseContext.IMM32 ref: 00007FF6E0F58900

Strings

, xrefs: 00007FF6E0F58895
@, xrefs: 00007FF6E0F588D3

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: ContextWindow$CandidateCompositionRelease
String ID: $@
API String ID: 3969737024-1077428164
Opcode ID: 9999db36d6e67b6fcffdb8e9ee4d45b7416ff3e433121c3d394097755cf5c0dd
Instruction ID: d28fc8d9eea3cec8ea2b9a5208a384b998b7a8afbb6dc2e80329ef25361085b3
Opcode Fuzzy Hash: 9999db36d6e67b6fcffdb8e9ee4d45b7416ff3e433121c3d394097755cf5c0dd
Instruction Fuzzy Hash: 5D113A739087818BD726CF21F14426AB7B1FB89B84F144225EB8957B18DF3DD881CE08

Function 00007FF6E0F68EA0 Relevance: 10.2, APIs: 8, Instructions: 173COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F68EEB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F68FA6
memmove.VCRUNTIME140 ref: 00007FF6E0F68FC9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F68FEC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F690C2
memmove.VCRUNTIME140 ref: 00007FF6E0F690D9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6911C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6913D

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc$memmove
String ID:
API String ID: 3069178222-0
Opcode ID: 8fb667db71b8971d2d10385bd8912fc17730b4fa5d40e3b9809cb97d766494d9
Instruction ID: 1f30ac39113cd12dcf26ef0bf8f6aa05e5d54a86a32f60f20d207b9edc35839c
Opcode Fuzzy Hash: 8fb667db71b8971d2d10385bd8912fc17730b4fa5d40e3b9809cb97d766494d9
Instruction Fuzzy Hash: 9F915A23A18B8186EB24CF28E5403B837A4FB98B44F599239CF8D83361DF39E495C345

Function 00007FF6E0F43E60 Relevance: 10.1, APIs: 8, Instructions: 96COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F431B8), ref: 00007FF6E0F43E8D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F431B8), ref: 00007FF6E0F43EE9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F431B8), ref: 00007FF6E0F43F25
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F431B8), ref: 00007FF6E0F43F4A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F431B8), ref: 00007FF6E0F43F6F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F431B8), ref: 00007FF6E0F43F94
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F431B8), ref: 00007FF6E0F43FB9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F431B8), ref: 00007FF6E0F43FDE

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e098817a3693515d855fa59d99a8ff19f13eb435ad65e57d9088093367451104
Instruction ID: acbde297ab65b71eaff216550877fa1334cd766c4f6d32c181d878b4f061002b
Opcode Fuzzy Hash: e098817a3693515d855fa59d99a8ff19f13eb435ad65e57d9088093367451104
Instruction Fuzzy Hash: 85413732A0A642A5FF998F10D6453B927A0FF84F54F488535CE0D87764DF3EA855E30A

Function 00007FF6E0F75AD0 Relevance: 9.4, APIs: 1, Strings: 5, Instructions: 405COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF6E0F7610E

Strings

( ), xrefs: 00007FF6E0F76012
(x), xrefs: 00007FF6E0F76008
0, xrefs: 00007FF6E0F75EB8
Alpha Bar, xrefs: 00007FF6E0F75ADD
%*s%.*s, xrefs: 00007FF6E0F76150

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memchr
String ID: %*s%.*s$( )$(x)$0$Alpha Bar
API String ID: 3297308162-869251483
Opcode ID: fdb9215adccff2669bdd96d037ffc39262892ded4f47387e47f436e8e1383b96
Instruction ID: b2b88cc9a1783ff0a26abc6e48cef2e8442613780507fdb769152b35c57a849e
Opcode Fuzzy Hash: fdb9215adccff2669bdd96d037ffc39262892ded4f47387e47f436e8e1383b96
Instruction Fuzzy Hash: AC121533A1CBC595E7128B3690013FAB750FF59798F088331EE58A36E2DF2AE5918705

Function 00007FF6E0F4D760 Relevance: 9.3, APIs: 3, Strings: 3, Instructions: 280COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F4D9C3
memmove.VCRUNTIME140 ref: 00007FF6E0F4D9F0
memmove.VCRUNTIME140 ref: 00007FF6E0F4DBE9

Strings

<NULL>, xrefs: 00007FF6E0F4D8FB, 00007FF6E0F4DA05
[focus] SetNavWindow("%s"), xrefs: 00007FF6E0F4DA0C
[focus] FocusWindow("%s", UnlessBelowModal): prevented by "%s"., xrefs: 00007FF6E0F4D906

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove
String ID: <NULL>$[focus] FocusWindow("%s", UnlessBelowModal): prevented by "%s".$[focus] SetNavWindow("%s")
API String ID: 2162964266-1643275426
Opcode ID: 3f01e9bf5e92c72b62c76e74e57ea285e856d27155aebf60d55670f15450bbad
Instruction ID: 19bc3e818f683f17df5768e97fbef1bcb2b76bb67589d0e7ecbd8b7519d163cf
Opcode Fuzzy Hash: 3f01e9bf5e92c72b62c76e74e57ea285e856d27155aebf60d55670f15450bbad
Instruction Fuzzy Hash: 8BD18E73A0DA81A5EB25CB14D2447F877A5FB40B88F054235CE8D87794DF3AE662C30A

Function 00007FF6E0F68500 Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,00007FF6E0F624FA), ref: 00007FF6E0F6862F
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,00007FF6E0F624FA), ref: 00007FF6E0F68667
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,00007FF6E0F624FA), ref: 00007FF6E0F687CC
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,00007FF6E0F624FA), ref: 00007FF6E0F687EC
memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,00007FF6E0F624FA), ref: 00007FF6E0F6888D

Strings

, xrefs: 00007FF6E0F6870A

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$memcmp
String ID:
API String ID: 845337883-3916222277
Opcode ID: a96e04677c4108d1fae9a491e0a512bce99e64dc5f0f718417c4fba591273aa1
Instruction ID: a036b73347c9aa6907db47829fa9ecceeee09d0ff7b195b7bf2b4653dfa9560d
Opcode Fuzzy Hash: a96e04677c4108d1fae9a491e0a512bce99e64dc5f0f718417c4fba591273aa1
Instruction Fuzzy Hash: C0B1EE73A1868187DB60CF18E4807A977A4FB84B84F468239DE4D97784DF39E852CB84

Function 00007FF6E0F42C70 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F42E74
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F42F5A
memmove.VCRUNTIME140 ref: 00007FF6E0F42F7D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F42FA0

Strings

Window, xrefs: 00007FF6E0F42C99
Table, xrefs: 00007FF6E0F42D3F

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: malloc$freememmove
String ID: Table$Window
API String ID: 3044343941-616867329
Opcode ID: 33e0afea7db2d6c21d3e714c924f230e69d64aa0feaaa365e38e8d12621de7db
Instruction ID: 05c6f56ab231677c1ddb4344c4de969f5c68f5187ff31018f565b4a3c1afa4fe
Opcode Fuzzy Hash: 33e0afea7db2d6c21d3e714c924f230e69d64aa0feaaa365e38e8d12621de7db
Instruction Fuzzy Hash: 5FB16C37A09B82A9EB50CF24E9407EC33A4FB58754F848236DE4C937A4DF39A466C345

Function 00007FF6E0F43960 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,IMGUI,00007FF6E0F48BF7,?,?,00000000,00000000,?,00007FF6E0F4B03D), ref: 00007FF6E0F43B5F
memset.VCRUNTIME140(?,00000000,IMGUI,00007FF6E0F48BF7,?,?,00000000,00000000,?,00007FF6E0F4B03D), ref: 00007FF6E0F43B9D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,IMGUI,00007FF6E0F48BF7,?,?,00000000,00000000,?,00007FF6E0F4B03D), ref: 00007FF6E0F43BD0
memmove.VCRUNTIME140(?,00000000,IMGUI,00007FF6E0F48BF7,?,?,00000000,00000000,?,00007FF6E0F4B03D), ref: 00007FF6E0F43BE0

Strings

IMGUI, xrefs: 00007FF6E0F43974
#MOVE, xrefs: 00007FF6E0F43CAA, 00007FF6E0F43CC3

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memset$mallocmemmove
String ID: #MOVE$IMGUI
API String ID: 1346079573-2253754107
Opcode ID: 6563d73963d4775274d4b28ef7f3312e9b558a959aa37a8ddb99b76d576e4d33
Instruction ID: a364b7e773cbe32b6e1e9baf09a83a2cd82ac4c09b269fff4722f14cb9eb5477
Opcode Fuzzy Hash: 6563d73963d4775274d4b28ef7f3312e9b558a959aa37a8ddb99b76d576e4d33
Instruction Fuzzy Hash: 16C10A32606B819AD354CF29E98879877A8F745F54FA94239C7A8473A0DF36E073C708

Function 00007FF6E0F92490 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 219COMMON

Download Yara Rule

Strings

[W, xrefs: 00007FF6E0F9251E
^R\H, xrefs: 00007FF6E0F9254D
W]GP, xrefs: 00007FF6E0F9255D
]F__, xrefs: 00007FF6E0F92517
K]YU, xrefs: 00007FF6E0F924EE

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken_invalid_parameter_noinfo_noreturn$CurrentErrorInformationLastOpenfree
String ID: K]YU$W]GP$[W$]F__$^R\H
API String ID: 3737595156-3239892679
Opcode ID: bd5031a836ad867ac11b1cf6d61d9ce31d2de4f6c15b56c2994843fbfa7a05f2
Instruction ID: 126228af23f2a8848047cce82f302354f70d5c3ad98085b107be725a6844a7dc
Opcode Fuzzy Hash: bd5031a836ad867ac11b1cf6d61d9ce31d2de4f6c15b56c2994843fbfa7a05f2
Instruction Fuzzy Hash: AAC19973908BC199EB24CF64E8443ED3B61F751788F809125DE885BB9ADFB9D298C344

Function 00007FF6E0F3C170 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,7FFFFFFFFFFFFFFF,00007FF6E0F3A6FD), ref: 00007FF6E0F3C20C
memmove.VCRUNTIME140(?,?,7FFFFFFFFFFFFFFF,00007FF6E0F3A6FD), ref: 00007FF6E0F3C268
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF6E0F3A6FD), ref: 00007FF6E0F3C2EB
memmove.VCRUNTIME140(?,?,7FFFFFFFFFFFFFFF,00007FF6E0F3A6FD), ref: 00007FF6E0F3C31D
memmove.VCRUNTIME140(?,?,7FFFFFFFFFFFFFFF,00007FF6E0F3A6FD), ref: 00007FF6E0F3C338
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3C363

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 5e9dfcf961e561541b6b2abf1d8a6e405b4f4903b0d22376f76ba7a9dc51d964
Instruction ID: 54f8c45f6cdcbc7f8c23858640baa4edfa58fe20c447b2205510d9607b9c3dae
Opcode Fuzzy Hash: 5e9dfcf961e561541b6b2abf1d8a6e405b4f4903b0d22376f76ba7a9dc51d964
Instruction Fuzzy Hash: DF51E333A08B81A2EA00EF25E5443AE2360FB59B94F144631CF6C57792CF3DE5A5D386

Function 00007FF6E0F3BEF0 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,0000000100000000,00007FF6E0F392E2), ref: 00007FF6E0F3BFDE
memmove.VCRUNTIME140(?,?,0000000100000000,00007FF6E0F392E2), ref: 00007FF6E0F3BFEC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,0000000100000000,00007FF6E0F392E2), ref: 00007FF6E0F3C025
memmove.VCRUNTIME140 ref: 00007FF6E0F3C02F
memmove.VCRUNTIME140 ref: 00007FF6E0F3C03D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3C06F

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 6928a6cf1e0265a3c61ee693cce608c00685c6cbbcada6e4fb2b7e4394de3906
Instruction ID: e8121ccafd6b4b0590a5c47156ca8d802e4b54504f432bf9d61e5754c5dfaa8a
Opcode Fuzzy Hash: 6928a6cf1e0265a3c61ee693cce608c00685c6cbbcada6e4fb2b7e4394de3906
Instruction Fuzzy Hash: E4410463B0878591EE149B26A8483A9A351EB48FF4F084531DF6D8B7C5CE3ED451D34A

Function 00007FF6E0F24E80 Relevance: 9.1, APIs: 6, Instructions: 143COMMON

Download Yara Rule

APIs

sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F24F16
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F24F22
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F24F33
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F24F47
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F24F54
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F24F69

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: cosfsinf
String ID:
API String ID: 3160392742-0
Opcode ID: 94492105d157e76651f932812522dfa15127902a899fdaf173298ab033314000
Instruction ID: 38e22e7b02413a053d42ba179535271d62f3891908335da99ff9768f30333a62
Opcode Fuzzy Hash: 94492105d157e76651f932812522dfa15127902a899fdaf173298ab033314000
Instruction Fuzzy Hash: 57615412D28ACD46E313973B65422F9B350AF7E295F2DDB23F94471672EF2631C2A904

Function 00007FF6E0F3B790 Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F3B8BE
memmove.VCRUNTIME140 ref: 00007FF6E0F3B8CE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F3B90C
memmove.VCRUNTIME140 ref: 00007FF6E0F3B916
memmove.VCRUNTIME140 ref: 00007FF6E0F3B926

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3B95C

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: d14615ca812d612ff3c8e6460d8840b25604f29bf4bb7be11e1b8f063f75d5b8
Instruction ID: f0dde6fe26e26389cd76a9cb17206b89ab16d5b67baa5b2ed1baccaccacc7cc1
Opcode Fuzzy Hash: d14615ca812d612ff3c8e6460d8840b25604f29bf4bb7be11e1b8f063f75d5b8
Instruction Fuzzy Hash: 8141DD62B09B41A1EA109B16A4183ADA365EB48BF0F540732DF7D87BD5DE3DE052C30A

Function 00007FF6E0F88750 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F88843
memmove.VCRUNTIME140 ref: 00007FF6E0F88851
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8888A
memmove.VCRUNTIME140 ref: 00007FF6E0F88894
memmove.VCRUNTIME140 ref: 00007FF6E0F888A2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F888D1

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: c0b25b98a232eed08dea2723924e0b6f5fc6c2f440964d4b038f21e1b6a55a04
Instruction ID: 1456bb35ec1a39f1c7363f49f8d986a7a8ecfa86c658a6e99a8f7cace8279f73
Opcode Fuzzy Hash: c0b25b98a232eed08dea2723924e0b6f5fc6c2f440964d4b038f21e1b6a55a04
Instruction Fuzzy Hash: 2B41D123B0868595EE24EB16A5043E96351FB08BE4F840630DF6D8BBC5CF3DE052C31A

Function 00007FF6E0F2A7C0 Relevance: 9.1, APIs: 6, Instructions: 102COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF6E0F2A80A
memset.VCRUNTIME140 ref: 00007FF6E0F2A840
MultiByteToWideChar.KERNEL32 ref: 00007FF6E0F2A864
WideCharToMultiByte.KERNEL32 ref: 00007FF6E0F2A88B
memset.VCRUNTIME140 ref: 00007FF6E0F2A8AC
WideCharToMultiByte.KERNEL32 ref: 00007FF6E0F2A8D1

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$memset
String ID:
API String ID: 1216362210-0
Opcode ID: 26338298d1d3d96dd0868b141b4b97bb1442d97edbfbd09c8b4072101da87641
Instruction ID: 90e893e2700fc13f604912a7cd38409c6c348437b0a597fe2177f70f2db1501a
Opcode Fuzzy Hash: 26338298d1d3d96dd0868b141b4b97bb1442d97edbfbd09c8b4072101da87641
Instruction Fuzzy Hash: 6841E333A08B8086D724EF22B84496A77A1F788BD0F048638EE9E87755CF3CD151C344

Function 00007FF6E0FB02E0 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FF6E0FB03C5
VerSetConditionMask.KERNEL32 ref: 00007FF6E0FB03D4
VerSetConditionMask.KERNEL32 ref: 00007FF6E0FB03E6
VerSetConditionMask.KERNEL32 ref: 00007FF6E0FB03F8
VerSetConditionMask.KERNEL32 ref: 00007FF6E0FB040E
VerifyVersionInfoA.KERNEL32 ref: 00007FF6E0FB0421

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 275aa862014b364a1637bd7307711390a81a009400867d893bcfbf8043f2b66e
Instruction ID: b526192d03e6e8653fe04fb20b0efb555f1ca50c050fbf4e91e901ebc5f1d86c
Opcode Fuzzy Hash: 275aa862014b364a1637bd7307711390a81a009400867d893bcfbf8043f2b66e
Instruction Fuzzy Hash: F641A123E1C68297F7308B11A4147BE63A0EBE5344F056235E9CD47B54DE3EE4919F05

Function 00007FF6E0F3A0C0 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A0F1
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A10E
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A137
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A182

Part of subcall function 00007FF6E0F3B4F0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B506
Part of subcall function 00007FF6E0F3B4F0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B520
Part of subcall function 00007FF6E0F3B4F0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B552
Part of subcall function 00007FF6E0F3B4F0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B57D
Part of subcall function 00007FF6E0F3B4F0: std::_Facet_Register.LIBCPMT ref: 00007FF6E0F3B596
Part of subcall function 00007FF6E0F3B4F0: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B5B5

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A197
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A1AE

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: 1bf8c51e907cd0c30f35acaccb77f120286727e0def8c07ebcdc7f11e772d724
Instruction ID: 1be6b5386140d3820f6b7f71155662716895c1cae3b9a5004c3ac5347fc6f1a5
Opcode Fuzzy Hash: 1bf8c51e907cd0c30f35acaccb77f120286727e0def8c07ebcdc7f11e772d724
Instruction Fuzzy Hash: 50314532A09B8185EB609F26F844369B3A4FB88FA8F040135DE8E87B58DF3DD555CB45

Function 00007FF6E0F9B9A0 Relevance: 8.9, APIs: 7, Instructions: 139COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F9BA69
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F9BAA8
memmove.VCRUNTIME140 ref: 00007FF6E0F9BADA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F9BB0C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F9BB17
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F9BB92
memmove.VCRUNTIME140 ref: 00007FF6E0F9BBB5

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$freemalloc
String ID:
API String ID: 1763039611-0
Opcode ID: f104e7856a3d381d02960f38491be94047dd43afd979531dddab738ee57df8e5
Instruction ID: fac060dbf2f1a485c52b1e281ad66dbdbd73a838961089d18f26395df63ab929
Opcode Fuzzy Hash: f104e7856a3d381d02960f38491be94047dd43afd979531dddab738ee57df8e5
Instruction Fuzzy Hash: 25615213E18BC196E7118F38D9112FD6320F7A9788F41A321EF8D52A5BEF69E6D48700

Function 00007FF6E0F885F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F886CE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8870B
memmove.VCRUNTIME140 ref: 00007FF6E0F88715
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F88742

Strings

&& timeout /t 5", xrefs: 00007FF6E0F885F4

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: && timeout /t 5"
API String ID: 2016347663-934313417
Opcode ID: 621fae1bf7b881e6080d1427c10a22160717e32d67e6d2f8f5b7a222e3aa172a
Instruction ID: 9b59818d10a76953089fe6c301e5d1ff70d35db97fb4d14b86347c0ddaa678b4
Opcode Fuzzy Hash: 621fae1bf7b881e6080d1427c10a22160717e32d67e6d2f8f5b7a222e3aa172a
Instruction Fuzzy Hash: 3F31112370D781A4EE24DB16A5443EC6251BB08BE0F580734DF6D8BBC5DE3EE0A28319

Function 00007FF6E0F68990 Relevance: 8.8, APIs: 7, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E0F68B00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F689B0,?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68B59
Part of subcall function 00007FF6E0F68B00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F689B0,?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68BFF
Part of subcall function 00007FF6E0F68B00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F689B0,?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68C2B

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F689CB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F689EC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68A3A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68A6A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68A96
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68AB8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43081), ref: 00007FF6E0F68ADA

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f08ebb23e718f1f4bba077ec4d8772a049d6669c51cf378be8bf91aa0ddb58b5
Instruction ID: 1fd7d0f106234fe7888cdeb4808bcecf6563d902551751b2522437cd5f4bd655
Opcode Fuzzy Hash: f08ebb23e718f1f4bba077ec4d8772a049d6669c51cf378be8bf91aa0ddb58b5
Instruction Fuzzy Hash: 3D410932A2DA42A5EB158F51E5403793BA0FF44F45F48423ACE4D87765CF3EE851E28A

Function 00007FF6E0F3EC40 Relevance: 8.8, APIs: 7, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E0F62690: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F626BD
Part of subcall function 00007FF6E0F62690: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F626E6
Part of subcall function 00007FF6E0F62690: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6270F
Part of subcall function 00007FF6E0F62690: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F62744
Part of subcall function 00007FF6E0F62690: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6276D
Part of subcall function 00007FF6E0F62690: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F62799

Part of subcall function 00007FF6E0F683F0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6845D
Part of subcall function 00007FF6E0F683F0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6848D
Part of subcall function 00007FF6E0F683F0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F684DE

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43481), ref: 00007FF6E0F3EC7E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43481), ref: 00007FF6E0F3ECA3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43481), ref: 00007FF6E0F3ECC5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43481), ref: 00007FF6E0F3ECE7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43481), ref: 00007FF6E0F3ED09
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43481), ref: 00007FF6E0F3ED2B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43481), ref: 00007FF6E0F3ED4D

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4f9168953bf85da8ae3439e12f64e23650e7b6337f420bfbb834f12d8a8192d1
Instruction ID: 6f72d34201741aeebdf7099eb6254ce34812ce40c784c7512dac9855c97ba399
Opcode Fuzzy Hash: 4f9168953bf85da8ae3439e12f64e23650e7b6337f420bfbb834f12d8a8192d1
Instruction Fuzzy Hash: B8314C22B1A602A5FE698B11D5693B93760FF58B51F485435CE0D837A4CF3EF860E20E

Function 00007FF6E0F83300 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 206COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F83532

Strings

context, xrefs: 00007FF6E0F83344
##selectable, xrefs: 00007FF6E0F834BD
Alpha Bar, xrefs: 00007FF6E0F83609
##previewing_picker, xrefs: 00007FF6E0F83542

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove
String ID: ##previewing_picker$##selectable$Alpha Bar$context
API String ID: 2162964266-280553805
Opcode ID: 76aa48ee8ca1c845969c925ebce9493a886d020bc5a08467757bd4dbe96c2bbb
Instruction ID: 55f56fa1b412214d55d4277b6d2968848f8b389e3f6ab57d3e1c53c43b0a2bb3
Opcode Fuzzy Hash: 76aa48ee8ca1c845969c925ebce9493a886d020bc5a08467757bd4dbe96c2bbb
Instruction Fuzzy Hash: 31A1DF33A0C6C2A6EB11CF2AD4813E977A0FB49B48F484235DE4C877A6CF7AE4558715

Function 00007FF6E0F3B0C0 Relevance: 7.6, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF6E0F3B113
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF6E0F3B134
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF6E0F3B1AC
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF6E0F3B22A
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6E0F3B276

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@Vlocale@2@
String ID:
API String ID: 481934583-0
Opcode ID: 7e3bb195d5053d476bfbf33652d865119d1e6cf75baec443c306f0e902ba9a56
Instruction ID: 0abfc42e27d2e424e08979c2b9d5f1555cc3e4d18fa3ae7ef54887891d960072
Opcode Fuzzy Hash: 7e3bb195d5053d476bfbf33652d865119d1e6cf75baec443c306f0e902ba9a56
Instruction Fuzzy Hash: 64519023709A4591DB21DF2AD5A437D6BA0EB89FA5F048232CE1E877A0CF3ED451C306

Function 00007FF6E0F3CD90 Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF6E0F3CDEC
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF6E0F3CE1E
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF6E0F3CE59
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF6E0F3CEBC
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6E0F3CEF8

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sbumpc@?$basic_streambuf@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 1457788575-0
Opcode ID: b3d2dcee56855b305582250f8701199ab9e844e10249452fb2d9a278db73892c
Instruction ID: 46e5495774d0d60136d838a8fe577bd3ca205c9cdf15a9d808ffc55270ba3d03
Opcode Fuzzy Hash: b3d2dcee56855b305582250f8701199ab9e844e10249452fb2d9a278db73892c
Instruction Fuzzy Hash: BE415F3360CA8195DB20CF1AE5846797BA0FB88F95F148135DE9E87B60CF3ED4A19346

Function 00007FF6E0F62690 Relevance: 7.6, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F626BD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F626E6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6270F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F62744
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6276D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F62799

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8180f580163738f20043099f956c5d9ec424b912fdab7c7c60d1dc6a8a39dc0e
Instruction ID: 18bb22254f2ebce2f99a7134be2673620698ddff9f1f31d6813b0a5eba57f723
Opcode Fuzzy Hash: 8180f580163738f20043099f956c5d9ec424b912fdab7c7c60d1dc6a8a39dc0e
Instruction Fuzzy Hash: 46312737A1AB0291EB598F24E54077933A4FF54F88B184175CE4C87B64CF3AA860E389

Function 00007FF6E0F379A0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6E0F379D9
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF6E0F379F8
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6E0F37A2B
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF6E0F37A46

Part of subcall function 00007FF6E0F3A0C0: ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A0F1
Part of subcall function 00007FF6E0F3A0C0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A10E
Part of subcall function 00007FF6E0F3A0C0: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A137
Part of subcall function 00007FF6E0F3A0C0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A182
Part of subcall function 00007FF6E0F3A0C0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F35FB9), ref: 00007FF6E0F3A197

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6E0F37A91

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@U_iobuf@@V?$basic_streambuf@Vlocale@2@_get_stream_buffer_pointers
String ID:
API String ID: 219286276-0
Opcode ID: 173463763a523f072a35e3f3573077b3c12e798aefd31bacd6d57fdc44c2a914
Instruction ID: 48147bef58f40da1c15c8b2460f3241eaa2423ab4cf8c7cf18cdd08a1a65e941
Opcode Fuzzy Hash: 173463763a523f072a35e3f3573077b3c12e798aefd31bacd6d57fdc44c2a914
Instruction Fuzzy Hash: 7D218B33608B828AEB10CF25E8587697BA0FB89B99F059535CA4D87724DF3DD01AC705

Function 00007FF6E0FBC6B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 206COMMON

Download Yara Rule

APIs

fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00007FF6E0FBCA02

Strings

%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00007FF6E0FBC74B
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 00007FF6E0FBC995
** Resuming transfer from byte position %I64d, xrefs: 00007FF6E0FBC738

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: fflush
String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
API String ID: 497872470-664487449
Opcode ID: 231feac19fa9a20d1dbfa59960c6aa15983c2efe3b75db0dd0a5ae4d08de409d
Instruction ID: a58f5cdb0ae434f7e652e983fd5223c0646c0a1835deb66ec8e6c73ae924056e
Opcode Fuzzy Hash: 231feac19fa9a20d1dbfa59960c6aa15983c2efe3b75db0dd0a5ae4d08de409d
Instruction Fuzzy Hash: B691BF22B0AB8695DA60CB06E5547EB7368FB84BC0F861032DE4D87B99EF3DD011DB44

Function 00007FF6E0F2AB40 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

D3D11CreateDeviceAndSwapChain.D3D11 ref: 00007FF6E0F2AC19
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F2AC9A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F2AD0D

Strings

imgui_impl_dx11, xrefs: 00007FF6E0F2AD53

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: malloc$ChainCreateDeviceSwap
String ID: imgui_impl_dx11
API String ID: 2169213826-2671864370
Opcode ID: 43d1e121367aa0e2a2a5eed634a1fa02d365546027568dd06051648096c859b2
Instruction ID: 3a9af921634ec84a9b8c73d851683da3d9b7f880cb7c51d1e7b4e79f2049c3fb
Opcode Fuzzy Hash: 43d1e121367aa0e2a2a5eed634a1fa02d365546027568dd06051648096c859b2
Instruction Fuzzy Hash: D0915B77A09B4296EB00CF25E8403A837A4FB88B48F958136DE5C87764DF7EE154D309

Function 00007FF6E0F226D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF6E0F22841
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F2287A

Strings

.5, xrefs: 00007FF6E0F22731
7, xrefs: 00007FF6E0F227A5

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: CreateThread_invalid_parameter_noinfo_noreturn
String ID: .5$7
API String ID: 2430190256-173827267
Opcode ID: 59673424dbd7d37f33c1861f3bf079b68573cce438c3fcea2b3baf28c77c3cef
Instruction ID: 110c6d8aa1d7426709de984c9c1ffd016a56860e49927f70f60336cbe041d582
Opcode Fuzzy Hash: 59673424dbd7d37f33c1861f3bf079b68573cce438c3fcea2b3baf28c77c3cef
Instruction Fuzzy Hash: F451EF63E08682A9FB00CB24E4403EC3BA0FB697A8F545235DE6957AD9DF39C145C34A

Function 00007FF6E0FAD5E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77fileCOMMON

Download Yara Rule

APIs

fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0FAD705
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0FAD720

Strings

..., xrefs: 00007FF6E0FAD688
..., xrefs: 00007FF6E0FAD672

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: fwrite
String ID: ...$...
API String ID: 3559309478-2253869979
Opcode ID: 5e762050c77f55cbeff0a0fd7c417f4c7e3481b4574e79b718220cc48a91bd0c
Instruction ID: 4f043ac521c9cdfd4d2009ffe8f51dd3b745ffd9ecf2c2689cb0f70955cbaa94
Opcode Fuzzy Hash: 5e762050c77f55cbeff0a0fd7c417f4c7e3481b4574e79b718220cc48a91bd0c
Instruction Fuzzy Hash: 8131F623A1CA8591EB64CF11E4447F963A1FB84B94F904232CE9E83790CF3EE165C785

Function 00007FF6E0FD9260 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E0FB0140: GetModuleHandleA.KERNEL32(?,?,00000000,00007FF6E0FD929A,?,?,?,?,00007FF6E0FB04CB), ref: 00007FF6E0FB0154

GetProcAddress.KERNEL32(?,?,?,?,00007FF6E0FB04CB), ref: 00007FF6E0FD92B0

Strings

security.dll, xrefs: 00007FF6E0FD928A
InitSecurityInterfaceA, xrefs: 00007FF6E0FD92A6
secur32.dll, xrefs: 00007FF6E0FD9283

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 1646373207-3788156360
Opcode ID: db93cb98f6fea8d46ddcc8c093cf0ba3b1f1f90215fd4462b1154fd5d962bcd4
Instruction ID: 66e7bb8c28176feb5667dfc7ed21e1cec9a6079a30d431e688860d3006a2ee71
Opcode Fuzzy Hash: db93cb98f6fea8d46ddcc8c093cf0ba3b1f1f90215fd4462b1154fd5d962bcd4
Instruction Fuzzy Hash: DDF03C66E0DB0361EF289B55A8813F42290AF58785F844438C80CC3395EE2EE1699B0A

Function 00007FF6E0F6C6C0 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 403COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6C72B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F6C766

Strings

, xrefs: 00007FF6E0F6C912
., xrefs: 00007FF6E0F6C98A

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: $.
API String ID: 1294909896-3929174939
Opcode ID: b169aaf0309f6f42e9bbdf8faa4f8f6faa2ea81fd89e3eb92304d6872364a473
Instruction ID: 59fb4f67ae4db9fabd236701f99b19c4508d399ab53e556b5b4406569bdb6bb8
Opcode Fuzzy Hash: b169aaf0309f6f42e9bbdf8faa4f8f6faa2ea81fd89e3eb92304d6872364a473
Instruction Fuzzy Hash: 7702E273A18A4692DB10CF29D0905BC77A1FB94F88B414232CF8E97398EF3AD595C785

Function 00007FF6E0F3E180 Relevance: 6.1, APIs: 4, Instructions: 149COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,00000001,00007FF6E0F3C856,?,?,?,?,?,?,00000000,?,?,00007FF6E0F3C649), ref: 00007FF6E0F3E25E
memmove.VCRUNTIME140(?,?,00000001,00007FF6E0F3C856,?,?,?,?,?,?,00000000,?,?,00007FF6E0F3C649), ref: 00007FF6E0F3E28C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000001,00007FF6E0F3C856,?,?,?,?,?,?,00000000,?,?,00007FF6E0F3C649), ref: 00007FF6E0F3E2F5

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3E302

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemmovememset
String ID:
API String ID: 2090792099-0
Opcode ID: a8ee1eb3fa836421ea86eee9d091a1f287d11dbe86f28c3705f25b030d25c57b
Instruction ID: eccaea732c3ef47aec7d58bffb4e26b99d1a66c6973dcdf91f7308107010d035
Opcode Fuzzy Hash: a8ee1eb3fa836421ea86eee9d091a1f287d11dbe86f28c3705f25b030d25c57b
Instruction Fuzzy Hash: 2A51B033B09A8196EA148B25D0583BD6364FF59BB0F588631DE6D877C9CF2EE4618306

Function 00007FF6E0F34330 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_Mtx_lock.MSVCP140 ref: 00007FF6E0F3435C
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F3436B

Part of subcall function 00007FF6E0F3CF40: memmove.VCRUNTIME140(?,?,FFFFFFFF,?,00007FF6E0F344E7), ref: 00007FF6E0F3D054

?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F3438C
_Mtx_unlock.MSVCP140 ref: 00007FF6E0F344EB

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Cpp_error@std@@Throw_$Mtx_lockMtx_unlockmemmove
String ID:
API String ID: 3408330162-0
Opcode ID: a8b42432f296ec50bad8876030c32d0f2cc32a2a85104ec60740f74b25ee108c
Instruction ID: 4000dc34c46d8de825adbd8ff170f77219fbd864fdb5cc04cee82ba6b1a3144d
Opcode Fuzzy Hash: a8b42432f296ec50bad8876030c32d0f2cc32a2a85104ec60740f74b25ee108c
Instruction Fuzzy Hash: 61517C73A08B4582EB10CF15E84436973A0FB89B65F598135DA9D833A1CF3EF4A1D70A

Function 00007FF6E0F87F50 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6E0F88057
memmove.VCRUNTIME140 ref: 00007FF6E0F8806A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F880D5

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F880E2

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 621bd197fadc60c7a5533c1f0352bf2ba6ecce1092ec92715e1d25b7106f6b14
Instruction ID: 973a72bc560ef7311384e75c3f6912d84491925821310f0ddf107ba06b8c546f
Opcode Fuzzy Hash: 621bd197fadc60c7a5533c1f0352bf2ba6ecce1092ec92715e1d25b7106f6b14
Instruction Fuzzy Hash: BE41CE63609B85A5EA24CF26E4443FA67A0BB48BD0F544635DFAD83B85CF3ED151C306

Function 00007FF6E0F3BBD0 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,00000007,?,00007FF6E0F399EC), ref: 00007FF6E0F3BCE2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000007,?,00007FF6E0F399EC), ref: 00007FF6E0F3BD28
memmove.VCRUNTIME140(?,00000007,?,00007FF6E0F399EC), ref: 00007FF6E0F3BD32

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3BD6E

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 18b75d0e97c1d606c953b10f002786c3906dd40535e4d097011a3a4780c16e07
Instruction ID: 39c93b2c35f4d549d5cffc801e330a7f9156e381be1a21481e7e7cdfacf94612
Opcode Fuzzy Hash: 18b75d0e97c1d606c953b10f002786c3906dd40535e4d097011a3a4780c16e07
Instruction Fuzzy Hash: CA41CF22B08A45A1EA209B15E1583BC7365AB08BF0F940735CF7D87BD5DE7EE061C30A

Function 00007FF6E0F3B5E0 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B6F8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B73B
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F2EC8F), ref: 00007FF6E0F3B745

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3B780

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: d2a3fb81521cf64dd403010ea7f6d2c02ff7eee1526c36fcedc6afbbd49c2b66
Instruction ID: ea5fd32eecd92f762b0ba3ea363ae5e229a9d3d205bdc321aca9e8775c706d4b
Opcode Fuzzy Hash: d2a3fb81521cf64dd403010ea7f6d2c02ff7eee1526c36fcedc6afbbd49c2b66
Instruction Fuzzy Hash: 8641CF22B08A45A1EA10DB12A1583BDA365EB48BF4F540734DF7D87BD5DF7DE062830A

Function 00007FF6E0F3CF40 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,FFFFFFFF,?,00007FF6E0F344E7), ref: 00007FF6E0F3D054

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

memmove.VCRUNTIME140(?,?,FFFFFFFF,?,00007FF6E0F344E7), ref: 00007FF6E0F3D041
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,FFFFFFFF,?,00007FF6E0F344E7), ref: 00007FF6E0F3D0C7
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3D0D4

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: c4843d127d64cf2e0c9decbdd67acd0f543d712e49dfacc79db2d1e3671483cc
Instruction ID: e1d7d845692c48c9f401d826fafaf7dae2c174b0af65e3ca9ccb115779d02b89
Opcode Fuzzy Hash: c4843d127d64cf2e0c9decbdd67acd0f543d712e49dfacc79db2d1e3671483cc
Instruction Fuzzy Hash: 2541C463708A85A1EA18DB25E4482A96354FB48FE4F544635DFAD477C9CF3DE062C306

Function 00007FF6E0F3A420 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,00000000,?,00007FF6E0F22793), ref: 00007FF6E0F3A457
memmove.VCRUNTIME140(?,00000000,?,00007FF6E0F22793), ref: 00007FF6E0F3A513
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,00007FF6E0F22793), ref: 00007FF6E0F3A56E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3A57B

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 1b363299aaa352b53699088439ce117c0f5a2a56abc248acba5e971984f49645
Instruction ID: d58117f0fcdc23cfe71593bc69efbbb94f4604622e4e8589cbcd1b5c823c293c
Opcode Fuzzy Hash: 1b363299aaa352b53699088439ce117c0f5a2a56abc248acba5e971984f49645
Instruction Fuzzy Hash: E631F523B0DA82A4EA54DB16E1483BD2251AF08FE0F580631DE2D477D5DE7EE4A1830A

Function 00007FF6E0F38430 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0326687004ba4274e219e13ef6573654f3c0306d1fb81ae999189bfbd040a
Instruction ID: 83709e8c0247c5e705db78d6466232a0291de5960e429aba70cb57c594e785cd
Opcode Fuzzy Hash: 05e0326687004ba4274e219e13ef6573654f3c0306d1fb81ae999189bfbd040a
Instruction Fuzzy Hash: B0414D33608B8595DB608F29E0803AD73A1F789BA8F584236DB5D87798DF3DC855C705

Function 00007FF6E0F9AF90 Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,00007FF6E0F9ADAF,?,?,?,00007FF6E0F9B885), ref: 00007FF6E0F9B085
memset.VCRUNTIME140(?,?,?,?,?,?,?,00007FF6E0F9ADAF,?,?,?,00007FF6E0F9B885), ref: 00007FF6E0F9B08E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF6E0F9ADAF,?,?,?,00007FF6E0F9B885), ref: 00007FF6E0F9B093
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF6E0F9ADAF,?,?,?,00007FF6E0F9B885), ref: 00007FF6E0F9B09F

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemmovememset
String ID:
API String ID: 524079128-0
Opcode ID: e4b241b74f07b52132a545517aeb3eb2e00d1c9165d189944b00675f5df5a39c
Instruction ID: 7d936ccee01615ac3e56e012af444b59e6bde8a2665cece99545c9c661ff6dac
Opcode Fuzzy Hash: e4b241b74f07b52132a545517aeb3eb2e00d1c9165d189944b00675f5df5a39c
Instruction Fuzzy Hash: 0B41AB77A08B4582EB108F6AE54426D73A0FB88F94F558022DF2C437A5CF3ED8A1C745

Function 00007FF6E0F3C370 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF6E0F3A6FD), ref: 00007FF6E0F3C428

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

memmove.VCRUNTIME140(?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF6E0F3A6FD), ref: 00007FF6E0F3C455
memmove.VCRUNTIME140(?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF6E0F3A6FD), ref: 00007FF6E0F3C466
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3C491

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 3aca070d69d599499550ffecd67ab734acccbe14453cead860dafd2376e0c5ca
Instruction ID: 8104616d246c564d6f5289c57ca5f0db9a8da958e4e2cff6bb374e261d4b4e58
Opcode Fuzzy Hash: 3aca070d69d599499550ffecd67ab734acccbe14453cead860dafd2376e0c5ca
Instruction Fuzzy Hash: CA31D323A08B4591EA10DB16E4443B963A1EB48BE0F580631DEAC47BD5DF3EE0A2C346

Function 00007FF6E0F3C9C0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00007FF6E0F221FA), ref: 00007FF6E0F3CA34

Part of subcall function 00007FF6E0F22140: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF6E0F3BA78,?,?,?,00007FF6E0F2157C), ref: 00007FF6E0F2214B

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3CAF4

Part of subcall function 00007FF6E0F22000: __std_exception_copy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E0F3CAF9,?,?,?), ref: 00007FF6E0F22044

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_taskXlength_error@std@@__std_exception_copymemmove
String ID:
API String ID: 889149773-0
Opcode ID: dc2e6b7f13046bf8821be080a67745e6e9ba1c4aa51723125b93972b204ad8a3
Instruction ID: 2d8cb3e8387ae2ced0a835637bc9ea39848294b03789cb4b409e905884e9751c
Opcode Fuzzy Hash: dc2e6b7f13046bf8821be080a67745e6e9ba1c4aa51723125b93972b204ad8a3
Instruction Fuzzy Hash: FD312C33A0C78695EE14DB15A1543BD3254EB18BE4F240235DE6C47BD5CF3EE0A29386

Function 00007FF6E0F393E0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FF6E0F2224B), ref: 00007FF6E0F39434
memset.VCRUNTIME140(?,?,?,00007FF6E0F2224B), ref: 00007FF6E0F394C5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F394EC

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memset$Concurrency::cancel_current_task
String ID:
API String ID: 3006004123-0
Opcode ID: 764da1a887b7741357235fb3c947440710b0c19226b0c8128b2c1e97390adbf3
Instruction ID: 23cc7f407a5049a06e700c925061c5c4dfab68dafd568b02d4e2882c195579ed
Opcode Fuzzy Hash: 764da1a887b7741357235fb3c947440710b0c19226b0c8128b2c1e97390adbf3
Instruction Fuzzy Hash: EF210B23A0CB8195FB14DB11E1443AD2250EF54BE4F248635EFAD47BD6DE3DE4628346

Function 00007FF6E0F8E680 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF6E0F87ECB), ref: 00007FF6E0F8E6CE
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F8E6EA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F8E737

Part of subcall function 00007FF6E104E9B8: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E0F3CAAF,?,?,?,00007FF6E0F221FA), ref: 00007FF6E104E9D2

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskmalloc
String ID:
API String ID: 4234954712-0
Opcode ID: e9d45f828527803f5e177269633b04136cac0574cf07a17ffdd9e196b2e30e1f
Instruction ID: 1bfb18efb3620983bea0c435d14ab38549db2e1633362a724163aa5f604865a5
Opcode Fuzzy Hash: e9d45f828527803f5e177269633b04136cac0574cf07a17ffdd9e196b2e30e1f
Instruction Fuzzy Hash: 31315A67F0E782A5EE64D32294A13FC5290AF647B0F900734DA7D437C8EE2ED1A18716

Function 00007FF6E0F3FF30 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,00000000,00007FF6E0F3EE39), ref: 00007FF6E0F3FF94
memset.VCRUNTIME140(?,?,00000000,00007FF6E0F3EE39), ref: 00007FF6E0F3FFEC

Strings

imgui_log.txt, xrefs: 00007FF6E0F3FFAE
imgui.ini, xrefs: 00007FF6E0F3FF99

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memset
String ID: imgui.ini$imgui_log.txt
API String ID: 2221118986-3179804127
Opcode ID: fbc67b020a20d219994de257b1e47ed90ac56ad0647577e47b09a81cd69a298c
Instruction ID: 134a9a281e3ee9f965970cf9b33bbc9044d4db3152a35dc8ef4b52803ef93a9c
Opcode Fuzzy Hash: fbc67b020a20d219994de257b1e47ed90ac56ad0647577e47b09a81cd69a298c
Instruction Fuzzy Hash: F45108B31097809AC711DF39D9643897BACF725B48F688139CB580F768CB728159CB94

Function 00007FF6E0F3B970 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00007FF6E0F2157C), ref: 00007FF6E0F3B9B3
memmove.VCRUNTIME140(?,?,?,00007FF6E0F2157C), ref: 00007FF6E0F3BA4F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E0F3BA79

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: 21cbf52802fa8ea405856aa9b72a4b80f6fbb3f01738c7a460912fc8a21e6f41
Instruction ID: 0719ea128cf43d307c94efee1fbaa4e3378952fd5008110cf316e7dad3c3f85b
Opcode Fuzzy Hash: 21cbf52802fa8ea405856aa9b72a4b80f6fbb3f01738c7a460912fc8a21e6f41
Instruction Fuzzy Hash: 9921B623A0DB9195EA24DB41A0543B96294EB08BF0F540634DFAD47BC6CF7EE561834A

Function 00007FF6E0FA2A40 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF6E0FA2B93
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF6E0FA2BA7
CloseHandle.KERNEL32 ref: 00007FF6E0FA2BB4
closesocket.WS2_32 ref: 00007FF6E0FA2BF4

Part of subcall function 00007FF6E0FBFCC0: WaitForSingleObjectEx.KERNEL32(?,?,?,00007FF6E0FA2BC9,?,?,?,00000000), ref: 00007FF6E0FBFCD8
Part of subcall function 00007FF6E0FBFCC0: CloseHandle.KERNEL32(?,?,?,00007FF6E0FA2BC9,?,?,?,00000000), ref: 00007FF6E0FBFCE8

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: CloseCriticalHandleSection$EnterLeaveObjectSingleWaitclosesocket
String ID:
API String ID: 817826440-0
Opcode ID: caa65dbde1d5fe6421530dd861c81e6c12c5354666952ee64247b86e73d3fb12
Instruction ID: 65ffa43acb55a4005d3e0e1b552b05f2e7c30a2057312a1004f85a5d4d997c7b
Opcode Fuzzy Hash: caa65dbde1d5fe6421530dd861c81e6c12c5354666952ee64247b86e73d3fb12
Instruction Fuzzy Hash: 6B216927B08A41A6E7609F16E5903B92370FB98B90F140031DF4D87B41CF3AE4A58719

Function 00007FF6E0F34530 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

_Mtx_lock.MSVCP140 ref: 00007FF6E0F34540
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F3454F
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6E0F34571
_Mtx_unlock.MSVCP140 ref: 00007FF6E0F34620

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: Cpp_error@std@@Throw_$Mtx_lockMtx_unlock
String ID:
API String ID: 3599876872-0
Opcode ID: 4427ec9be5c4569eb79f5c379de7b5cee8f15dd3dff06f74e77a0cfb63fb197b
Instruction ID: 5b103aab799221d7938275c1f4b8af2bd215e447f6dc7262c65ebfe7a0160982
Opcode Fuzzy Hash: 4427ec9be5c4569eb79f5c379de7b5cee8f15dd3dff06f74e77a0cfb63fb197b
Instruction Fuzzy Hash: 80218C63B1DA4292EF008F25E4553B42360FB88759F641136C95E873A0CE3EF024D70E

Function 00007FF6E0FA26F0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF6E0FA2B93
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00007FF6E0FA2BA7
CloseHandle.KERNEL32 ref: 00007FF6E0FA2BB4
closesocket.WS2_32 ref: 00007FF6E0FA2BF4

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$CloseEnterHandleLeaveclosesocket
String ID:
API String ID: 1837779049-0
Opcode ID: 8a424a1ccdc7d506cfb46c6195d0dce437cc3ddd0ad6af436ff03b8ea59f1838
Instruction ID: b1cde36876bb279dc418d3fc6020d6bdbc1e2d1d21c5669dd8fabecb2f019829
Opcode Fuzzy Hash: 8a424a1ccdc7d506cfb46c6195d0dce437cc3ddd0ad6af436ff03b8ea59f1838
Instruction Fuzzy Hash: E211583BB08A4197E7609F16E1803A97370FB88BA0F144131DF8E87B44CF3AE4A18719

Function 00007FF6E0F59790 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,##Foreground,00007FF6E0F62560,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F597C4
memmove.VCRUNTIME140(?,?,##Foreground,00007FF6E0F62560,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F597E4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,##Foreground,00007FF6E0F62560,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F59804

Strings

##Foreground, xrefs: 00007FF6E0F59795

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemmove
String ID: ##Foreground
API String ID: 2537350866-985450567
Opcode ID: e117e3516de497c23135975b6cf2ee7193f1d65a2e425d22d0c29ca455f6e1d5
Instruction ID: 8beed48394e9ca31a0429eb49de6a40e39671f6d8d07d05ee59708a2b3c42523
Opcode Fuzzy Hash: e117e3516de497c23135975b6cf2ee7193f1d65a2e425d22d0c29ca455f6e1d5
Instruction Fuzzy Hash: BC018B76A1AA8281EF188F15E190279A760FF88F89B48C036CE0D87358DF39E851D715

Function 00007FF6E0F599F0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,##Foreground,00007FF6E0F6253D,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F59A22
memmove.VCRUNTIME140(?,?,##Foreground,00007FF6E0F6253D,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F59A3D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,##Foreground,00007FF6E0F6253D,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F59A5D

Strings

##Foreground, xrefs: 00007FF6E0F599F5

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemmove
String ID: ##Foreground
API String ID: 2537350866-985450567
Opcode ID: 004002f2019c523edb63102c5cfd102018d9b7418cf1d086c0e86a35ba291b8e
Instruction ID: 7547d3431a84b2a15e49d9589371a2e27034f6a631b9da4e059debc22b80e074
Opcode Fuzzy Hash: 004002f2019c523edb63102c5cfd102018d9b7418cf1d086c0e86a35ba291b8e
Instruction Fuzzy Hash: 5601693BB1A78281EF188B05E15027963A0FF48F84B088031DE1D4B718DF3DE8529255

Function 00007FF6E0F59540 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,##Foreground,00007FF6E0F625EF,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F59573
memmove.VCRUNTIME140(?,?,##Foreground,00007FF6E0F625EF,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F5958F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,##Foreground,00007FF6E0F625EF,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F595AF

Strings

##Foreground, xrefs: 00007FF6E0F59545

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemmove
String ID: ##Foreground
API String ID: 2537350866-985450567
Opcode ID: 47d300c3e48124a4edf72402c27e8a46ff53b8030ac14f68bc2a5e97b8c9c704
Instruction ID: 12bd6b2d5846a06abab1f725989c3f34ff7f44466a4470c1dd36036d0b7ebbde
Opcode Fuzzy Hash: 47d300c3e48124a4edf72402c27e8a46ff53b8030ac14f68bc2a5e97b8c9c704
Instruction Fuzzy Hash: 16018077A1968285EF198B15E14027867A0FF48F84F088031DE1D47718EF3DE851D659

Function 00007FF6E0F59DF0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,##Foreground,00007FF6E0F625A9,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F59E23
memmove.VCRUNTIME140(?,?,##Foreground,00007FF6E0F625A9,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F59E3F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,##Foreground,00007FF6E0F625A9,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F59E5F

Strings

##Foreground, xrefs: 00007FF6E0F59DF5

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemmove
String ID: ##Foreground
API String ID: 2537350866-985450567
Opcode ID: 7477ec51e02851c26f69a0bc0a0c6df26df13d36ca3013102acb1aacbb275225
Instruction ID: a51ac2c0f368a3216189aa09b91aa83a97d7bb3dcdcf725479409feb13b8c401
Opcode Fuzzy Hash: 7477ec51e02851c26f69a0bc0a0c6df26df13d36ca3013102acb1aacbb275225
Instruction Fuzzy Hash: 5D016D7AA1968282EB18CB15E15127863A0FF48F84B088031DE1D47714DE2DE851D255

Function 00007FF6E0F59BA0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,##Foreground,00007FF6E0F6263F,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F59BD0
memmove.VCRUNTIME140(?,?,##Foreground,00007FF6E0F6263F,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F59BEC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,##Foreground,00007FF6E0F6263F,?,?,?,?,?,?,?,?,?,?,##Foreground,00007FF6E0F44813), ref: 00007FF6E0F59C0C

Strings

##Foreground, xrefs: 00007FF6E0F59BA5

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: freemallocmemmove
String ID: ##Foreground
API String ID: 2537350866-985450567
Opcode ID: da9e859d7ad19d5799a8a82d7ec30d3050a6206e4f25237b9af1617168395d54
Instruction ID: 74e8890f3e0ae2b06fcc2ddb36c7d6f0ab7421f84fd7325daf3cf0a35587c5bc
Opcode Fuzzy Hash: da9e859d7ad19d5799a8a82d7ec30d3050a6206e4f25237b9af1617168395d54
Instruction Fuzzy Hash: 57015B36A1968281EF188B05E14427877A0FF88B84F488031DE4D8B758DF29E8519249

Function 00007FF6E0F4A370 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F4A634
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6E0F4A645

Part of subcall function 00007FF6E0F63DB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,42F00000,00000000,?,?), ref: 00007FF6E0F63EB7
Part of subcall function 00007FF6E0F63DB0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,42F00000,00000000,?,?), ref: 00007FF6E0F63ED6

Strings

0, xrefs: 00007FF6E0F4A7FC

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: cosffreemallocsinf
String ID: 0
API String ID: 2497593509-4108050209
Opcode ID: 41e95e8f179c135b557111ae8b8c83356a903e215f19d1b9416ae5ef7237c141
Instruction ID: 0d4293e55761b84b675faf7bffb005f8fe4fd7a6c17f5235ed3126a00155929b
Opcode Fuzzy Hash: 41e95e8f179c135b557111ae8b8c83356a903e215f19d1b9416ae5ef7237c141
Instruction Fuzzy Hash: F722C633A186859AE322CB3691413E9B360FF5D348F189721EE48776A5EF39F095DB04

Function 00007FF6E0F2E0E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 278COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F2E537
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F2E588

Strings

##Foreground, xrefs: 00007FF6E0F2E1B4, 00007FF6E0F2E273, 00007FF6E0F2E32F, 00007FF6E0F2E3EF, 00007FF6E0F2E4A1

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ##Foreground
API String ID: 3668304517-985450567
Opcode ID: 343be313b107443f0f44d4b54802b20e0c60f6637d0772acf63fd6d9949373ef
Instruction ID: d8e9c158ab028691bb2944552e55c15e0e8e0e5f8ed1e3ae3346009c9bc4ae42
Opcode Fuzzy Hash: 343be313b107443f0f44d4b54802b20e0c60f6637d0772acf63fd6d9949373ef
Instruction Fuzzy Hash: C4D1BD73A18BC499E700CB26E4403ADB761FB99798F109326EE8D53BA9DF39D180C704

Function 00007FF6E0F75820 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F75A52
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F75AA5

Part of subcall function 00007FF6E0F22140: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF6E0F3BA78,?,?,?,00007FF6E0F2157C), ref: 00007FF6E0F2214B

Strings

picker, xrefs: 00007FF6E0F75855

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xlength_error@std@@
String ID: picker
API String ID: 2854100973-3847375488
Opcode ID: d37045fd45fd4543ab49629cde31d04de114ed40a54fd2788552c6cdd838a059
Instruction ID: ee4996d166aaa2c9cded78fd8f255d4f536ae2d2cf7d89c23ef1121dbc9540d8
Opcode Fuzzy Hash: d37045fd45fd4543ab49629cde31d04de114ed40a54fd2788552c6cdd838a059
Instruction Fuzzy Hash: 9961C07391878986D711CB66D0403A97B60FB99B90F18C731DEAC57BE1CF7AE0849B05

Function 00007FF6E0F2A930 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F2AABF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6E0F2AB1E

Strings

##Background, xrefs: 00007FF6E0F2A9A9

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ##Background
API String ID: 3668304517-465303879
Opcode ID: a6bf80a1d8beeee7f1884d4e0d13c3667efd123aabf0f6681393c89d1e69ddb9
Instruction ID: 73d0d5d1d4fd7f0c803adba3b50e68bf10d8f3b5f734fc5386056cb79d5df2c4
Opcode Fuzzy Hash: a6bf80a1d8beeee7f1884d4e0d13c3667efd123aabf0f6681393c89d1e69ddb9
Instruction Fuzzy Hash: 8051BF63E1CBC592E610CB25E4403A963A1FF997A0F109332EAAC93796DF7DD491C705

Function 00007FF6E0F40FA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

__stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F40FE1
__stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6E0F41089

Part of subcall function 00007FF6E0F59960: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F5998F
Part of subcall function 00007FF6E0F59960: memmove.VCRUNTIME140 ref: 00007FF6E0F599A7
Part of subcall function 00007FF6E0F59960: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F599C7

Strings

[focus] SetNavWindow("%s"), xrefs: 00007FF6E0F40FAA

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: __stdio_common_vsprintf$freemallocmemmove
String ID: [focus] SetNavWindow("%s")
API String ID: 4069205237-2701392973
Opcode ID: a5deea19f207f9997a22d48a692295c6522e98ad8d0cdbffa3898ef1ea7c4b9f
Instruction ID: 40ce8b21cdd9531bb2a99186ac4fc1e2bff0913f0583be3441386075528badd4
Opcode Fuzzy Hash: a5deea19f207f9997a22d48a692295c6522e98ad8d0cdbffa3898ef1ea7c4b9f
Instruction Fuzzy Hash: D531B633B0CA9196E7148E55E9803697791FB88BD0F144239EE9DC3B85DF3DE8628705

Function 00007FF6E0F79670 Relevance: 5.3, APIs: 4, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6E0F79754
memmove.VCRUNTIME140 ref: 00007FF6E0F79874
memmove.VCRUNTIME140 ref: 00007FF6E0F79997

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$strncpy
String ID:
API String ID: 2493730309-0
Opcode ID: 5e5cde14ad9ce78fa06dc007d5256c4c078a79f85c9007bb82c2ebe1205bbf17
Instruction ID: a0bc2573973c3aa5f636e27c6efe0c59db3f4bd29b254a1a2a247fdd3b6b3113
Opcode Fuzzy Hash: 5e5cde14ad9ce78fa06dc007d5256c4c078a79f85c9007bb82c2ebe1205bbf17
Instruction Fuzzy Hash: 13B1F223A2C68665FB60CA11E4403F96BA5AB42780F484131DE9D937C5DF2EE966C70B

Function 00007FF6E0F606B0 Relevance: 5.2, APIs: 4, Instructions: 233COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F60752
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F607B7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F60A54
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6E0F60A75

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: c8caf140900bd7d62c84113d060cd358166033d1ad81b8b3fd7d15520fe715fb
Instruction ID: b4e6493b072a544cd54638e6e118128cd57add46604821be1ccb79c168eb60b4
Opcode Fuzzy Hash: c8caf140900bd7d62c84113d060cd358166033d1ad81b8b3fd7d15520fe715fb
Instruction Fuzzy Hash: E0A1E423A28B85D5E7218B3590443BAB7A4FF59B84F149332EE8962754DF39E492D700

Function 00007FF6E0F57B50 Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,00000000,00000000,00000000,00007FF6E0F451B8), ref: 00007FF6E0F57BEA
memchr.VCRUNTIME140(00000000,00000000,00000000,00000000,00007FF6E0F451B8), ref: 00007FF6E0F57CB9
memchr.VCRUNTIME140(00000000,00000000,00000000,00000000,00007FF6E0F451B8), ref: 00007FF6E0F57CD5
memmove.VCRUNTIME140 ref: 00007FF6E0F57D5C

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memchrmemmove
String ID:
API String ID: 1132781299-0
Opcode ID: 2171b7cdc3f25e87d5507f82199c8997f33f3ac46699d107a0a8d807d1b9e264
Instruction ID: 0e0105286c6ae9ff4bf1921ccea7e8d6396633b371194c8aa281aec3940d4597
Opcode Fuzzy Hash: 2171b7cdc3f25e87d5507f82199c8997f33f3ac46699d107a0a8d807d1b9e264
Instruction Fuzzy Hash: BC61062BF0CB82A5EA148A25A8447FA6791BF45B80F44C135DE5D83381DF3EE862C346

Function 00007FF6E0F6B0E0 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6E0F6B199
memset.VCRUNTIME140 ref: 00007FF6E0F6B1AB
memset.VCRUNTIME140 ref: 00007FF6E0F6B1C1
memset.VCRUNTIME140 ref: 00007FF6E0F6B2CC

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: ff74e9f33073e74dd683c51837f89bae72d983d8d24e5a546a8702681c5c2d5f
Instruction ID: c55517d1e55362177d78024cb3e3fbd55b9bf39fe5f9d69cf86998bedb568ba3
Opcode Fuzzy Hash: ff74e9f33073e74dd683c51837f89bae72d983d8d24e5a546a8702681c5c2d5f
Instruction Fuzzy Hash: D3510333A18B9842D755CF2AA5513BA73A5FF5AB80F188326EE5863751DF39E094C380

Function 00007FF6E0F59830 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,00007FF6E0F48C8F,?,?,00000000,00000000,?,00007FF6E0F4B03D), ref: 00007FF6E0F598AF
memmove.VCRUNTIME140(?,00000000,?,00007FF6E0F48C8F,?,?,00000000,00000000,?,00007FF6E0F4B03D), ref: 00007FF6E0F598CB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,00007FF6E0F48C8F,?,?,00000000,00000000,?,00007FF6E0F4B03D), ref: 00007FF6E0F598EB
memmove.VCRUNTIME140(?,00000000,?,00007FF6E0F48C8F,?,?,00000000,00000000,?,00007FF6E0F4B03D), ref: 00007FF6E0F59919

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$freemalloc
String ID:
API String ID: 1763039611-0
Opcode ID: 7122ed094784a9004ec5f362adfea97a476eb96b67d91c2a17be55049b41cd45
Instruction ID: 32f20b8537d82e7cabba00f6e9bddec6cf2c7e84959b22880684f0ffbd5d5f6a
Opcode Fuzzy Hash: 7122ed094784a9004ec5f362adfea97a476eb96b67d91c2a17be55049b41cd45
Instruction Fuzzy Hash: E831AD77B09A8296EF18CF1AE5402A8A360FB48B85B49C436DF5D87751DF3DE8A1C344

Function 00007FF6E0F58F30 Relevance: 5.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43522), ref: 00007FF6E0F58F9A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43522), ref: 00007FF6E0F58FBC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43522), ref: 00007FF6E0F58FFC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF6E0F43522), ref: 00007FF6E0F59026

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ae99c3905f8de055621d65a0696f68ce96dc9de02c9a502f623ba776ddb3cd3e
Instruction ID: eb5226ce9c658aaeca679afb4de8b28be04061a8733c1bba50cdf31db7b9c430
Opcode Fuzzy Hash: ae99c3905f8de055621d65a0696f68ce96dc9de02c9a502f623ba776ddb3cd3e
Instruction Fuzzy Hash: 1E317837A09B4296EB188F11E44037927A1FB48F84F488535CF1D97B64CF3AE9A2D349

Function 00007FF6E0F59AF0 Relevance: 5.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00004B58,00007FF6E0F59101,?,?,?,00007FF6E0F43616), ref: 00007FF6E0F59B14
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00004B58,00007FF6E0F59101,?,?,?,00007FF6E0F43616), ref: 00007FF6E0F59B39
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00004B58,00007FF6E0F59101,?,?,?,00007FF6E0F43616), ref: 00007FF6E0F59B5E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00004B58,00007FF6E0F59101,?,?,?,00007FF6E0F43616), ref: 00007FF6E0F59B83

Memory Dump Source

Source File: 00000000.00000002.2550161033.00007FF6E0F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E0F20000, based on PE: true

Associated: 00000000.00000002.2550140073.00007FF6E0F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550305894.00007FF6E1053000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550385738.00007FF6E109F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550406576.00007FF6E10A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550493277.00007FF6E10F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2550509237.00007FF6E10F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e0f20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: fba1132c7f6acfdda1a1f26291c2334435c42afb2b287deb19e8071c4891c86e
Instruction ID: 70ebb3da31198ac3fbe4967f6fec61db6c2f84d7549245c284cfefe1ba6bfd09
Opcode Fuzzy Hash: fba1132c7f6acfdda1a1f26291c2334435c42afb2b287deb19e8071c4891c86e
Instruction Fuzzy Hash: C2110526B1E642A5FF6D8F11E4553B527A0FF89F45F488035CE0D87360DF2EA950E21A

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.FileRepMalware.16016.24947.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_eb2620f6d3d187daf5b73e6fffe3728eece36b_6212d8dd_29dd5dd9-70d6-47d5-a508-1794b1875975\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER417C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4314.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4353.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.16016.24947.exe

Function 00007FF6E0F36360 Relevance: 149.5, APIs: 70, Strings: 15, Instructions: 786
sleepprocessfileCOMMON

Function 00007FF6E0F34FE0 Relevance: 77.5, APIs: 3, Strings: 41, Instructions: 502
processCOMMON

Function 00007FF6E0F34940 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 257
encryptionCOMMON

Function 00007FF6E104E9B8 Relevance: 4.6, APIs: 3, Instructions: 127
COMMONLIBRARYCODE

Function 00007FF6E0F34DD0 Relevance: 87.6, APIs: 7, Strings: 43, Instructions: 125
COMMON

Function 00007FF6E0F3AD10 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Function 00007FF6E0F3AEF0 Relevance: 10.6, APIs: 7, Instructions: 118
COMMON

Function 00007FF6E0F37650 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00007FF6E0F346D0 Relevance: 6.2, APIs: 4, Instructions: 170
COMMON

Function 00007FF6E0F3BD80 Relevance: 6.1, APIs: 4, Instructions: 105
COMMON

Function 00007FF6E0F39540 Relevance: 6.1, APIs: 4, Instructions: 100
COMMON

Function 00007FF6E0F387B0 Relevance: 3.1, APIs: 2, Instructions: 89
COMMON

Function 00007FF6E0F3CCC0 Relevance: 3.1, APIs: 2, Instructions: 51
COMMON

Function 00007FF6E0F21CA0 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Function 00007FF6E0F3DBE0 Relevance: 1.7, APIs: 1, Instructions: 184
COMMON