Edit tour

Windows Analysis Report
KrMhCpCNtm.exe

Overview

General Information

Sample name:	KrMhCpCNtm.exe
Analysis ID:	1545844
MD5:	18fb86e828354d879698e7fefdde11a0
SHA1:	3242e65c4c9a45a57aea38bd6bfdbe990a5c543f
SHA256:	0e053da640e325971896b97f0993fbb17dd010bdc9625ca6fa4ee64c4a5f018a
Tags:	exeuser-lontze7
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

KrMhCpCNtm.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\KrMhCpCNtm.exe" MD5: 18FB86E828354D879698E7FEFDDE11A0)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: KrMhCpCNtm.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: KrMhCpCNtm.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 87.8% probability

Machine Learning detection for sample

Source: KrMhCpCNtm.exe

Joe Sandbox ML: detected

Source: KrMhCpCNtm.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\userX\Desktop\kdmapper-master\x64\Release\kdmapper_Release.pdb source: KrMhCpCNtm.exe
Source:	Binary string: C:\Users\userX\Desktop\kdmapper-master\x64\Release\kdmapper_Release.pdb11 source: KrMhCpCNtm.exe
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: KrMhCpCNtm.exe

Source: KrMhCpCNtm.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: KrMhCpCNtm.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: KrMhCpCNtm.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: KrMhCpCNtm.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: KrMhCpCNtm.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Code function: 0_2_00007FF6673632E0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree,		0_2_00007FF6673632E0
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Code function: 0_2_00007FF66736F220 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn,		0_2_00007FF66736F220

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe

Code function: 0_2_00007FF667362880: DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,DeviceIoControl,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,

0_2_00007FF667362880

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Code function: 0_2_00007FF667361CE0	0_2_00007FF667361CE0
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Code function: 0_2_00007FF667361760	0_2_00007FF667361760
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Code function: 0_2_00007FF66736B770	0_2_00007FF66736B770
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Code function: 0_2_00007FF6673632E0	0_2_00007FF6673632E0

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe

Code function: String function: 00007FF667366260 appears 105 times

Source: KrMhCpCNtm.exe, 00000000.00000000.1671593345.00007FF667372000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs KrMhCpCNtm.exe
Source: KrMhCpCNtm.exe, 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs KrMhCpCNtm.exe
Source: KrMhCpCNtm.exe	Binary or memory string: OriginalFilenameiQVW64.SYSH vs KrMhCpCNtm.exe

Source: KrMhCpCNtm.exe	Binary string: Unknown exceptionbad array new lengthstring too longbad cast\\\.\Nal[-] \Device\Nal is already in use.[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver iqvw64e.sysntoskrnl.exe[-] Failed to get ntoskrnl.exe[-] Can't exploit intel driver, is there any antivirus or anticheat running?[-] Failed to ClearPiDDBCacheTable[-] Failed to ClearKernelHashBucketList[!] Failed to ClearMmUnloadedDrivers[!] Failed to ClearWdFilterDriverListWdFilter.sys[+] WdFilter.sys not loaded, clear skippedxxx????xxH
Source: KrMhCpCNtm.exe	Binary string: \Device\Nal

Source: classification engine

Classification label: mal64.winEXE@2/1@0/0

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe

Code function: 0_2_00007FF66736A700 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle,

0_2_00007FF66736A700

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03

Source: KrMhCpCNtm.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KrMhCpCNtm.exe

ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\KrMhCpCNtm.exe "C:\Users\user\Desktop\KrMhCpCNtm.exe"
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: KrMhCpCNtm.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: KrMhCpCNtm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KrMhCpCNtm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KrMhCpCNtm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KrMhCpCNtm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KrMhCpCNtm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KrMhCpCNtm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: KrMhCpCNtm.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: KrMhCpCNtm.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\userX\Desktop\kdmapper-master\x64\Release\kdmapper_Release.pdb source: KrMhCpCNtm.exe
Source:	Binary string: C:\Users\userX\Desktop\kdmapper-master\x64\Release\kdmapper_Release.pdb11 source: KrMhCpCNtm.exe
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: KrMhCpCNtm.exe

Source: KrMhCpCNtm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KrMhCpCNtm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KrMhCpCNtm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KrMhCpCNtm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KrMhCpCNtm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe

Code function: 0_2_00007FF66736A700 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle,

0_2_00007FF66736A700

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe

API coverage: 2.0 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe

Code function: 0_2_00007FF667370910 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF667370910

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe

Code function: 0_2_00007FF66736A700 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle,

0_2_00007FF66736A700

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Code function: 0_2_00007FF66736A870 SetUnhandledExceptionFilter,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,memcpy,memcmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,memcpy,memcpy,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF66736A870
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Code function: 0_2_00007FF667370910 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF667370910
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Code function: 0_2_00007FF667370120 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF667370120
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe	Code function: 0_2_00007FF667370ABC SetUnhandledExceptionFilter,	0_2_00007FF667370ABC

Source: C:\Users\user\Desktop\KrMhCpCNtm.exe

Code function: 0_2_00007FF667370B68 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF667370B68

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
KrMhCpCNtm.exe	61%	ReversingLabs	Win64.Trojan.DriverLoader
KrMhCpCNtm.exe	100%	Avira	TR/Redcap.fmbdb
KrMhCpCNtm.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.thawte.com/ThawteTimestampingCA.crl0	KrMhCpCNtm.exe	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	KrMhCpCNtm.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545844
Start date and time:	2024-10-31 06:49:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KrMhCpCNtm.exe
Detection:	MAL
Classification:	mal64.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 74
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: KrMhCpCNtm.exe

Process:	C:\Users\user\Desktop\KrMhCpCNtm.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.68946445647071
Encrypted:	false
SSDEEP:	3:ytoICArEE0IEVq4MILAAzI1MCJEdMgxGzin:wRCA5CVq4FAAzI1M5VGzin
MD5:	293C14E3E6CE8BCF759BCB6365C0D4FB
SHA1:	0D7B836D72608CD666F00FFFAC677B8BFB660161
SHA-256:	3C5C212D5DC08B830238A0B4B2B46B07EEA0847F1C05CC658F27F4DC44BE384C
SHA-512:	0612C0976E7FBFF0CB8D311370EB1C031E61EE5B5AEB14C5A965F2B87B1E8BE4E401F7213A83B299E0E2C787CEFF7FFC7AC3B91D20AC6DE1A537D5EC952A0A5E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......[!] Incorrect Usage!..[+] Usage: kdmapper.exe [--free][--mdl][--PassAllocationPtr] driver..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.142037302452791
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KrMhCpCNtm.exe
File size:	146'944 bytes
MD5:	18fb86e828354d879698e7fefdde11a0
SHA1:	3242e65c4c9a45a57aea38bd6bfdbe990a5c543f
SHA256:	0e053da640e325971896b97f0993fbb17dd010bdc9625ca6fa4ee64c4a5f018a
SHA512:	76340b7c0f88317c742fb92f853b129fff8731cb912ffa9ee95b1bf050c9d666879ce665c63dd6a10f0d9171b375587e7726fd8f0549b1f54a27a1e2ddbe0ffb
SSDEEP:	3072:XIhPqvQBdqEbx39as9wOmJTQSaMm5/6N7uq0YmN:XIhPqoBdpBYwWWlOKq0
TLSH:	98E33B5763A910A8E2B7D6B8DAB14612E7B17C051774D3CF1360813A0F637E1AE3EB61
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(W,.l6BVl6BVl6BVeN.V~6BV.LFWf6BV.LAWh6BV.LGWM6BV.LCWj6BV.FCWe6BVl6CV.6BV.LKWj6BV.L.Vm6BV.L@Wm6BVRichl6BV................PE..d..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14001061c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x669D2E23 [Sun Jul 21 15:49:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	83068d21cd75a0464fd1ef096e108bca

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5268D12AA8h
dec eax
add esp, 28h
jmp 00007F5268D123D7h
int3
int3
dec eax
sub esp, 28h
call 00007F5268D12DD0h
test eax, eax
je 00007F5268D12583h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F5268D12567h
dec eax
cmp ecx, eax
je 00007F5268D12576h
xor eax, eax
dec eax
cmpxchg dword ptr [0001447Ch], ecx
jne 00007F5268D12550h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F5268D12559h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00014467h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00014457h], al
call 00007F5268D12BCFh
call 00007F5268D12B06h
test al, al
jne 00007F5268D12566h
xor al, al
jmp 00007F5268D12576h
call 00007F5268D12AF9h
test al, al
jne 00007F5268D1256Bh
xor ecx, ecx
call 00007F5268D12AEEh
jmp 00007F5268D1254Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0001441Ch], 00000000h
mov ebx, ecx
jne 00007F5268D125C9h
cmp ecx, 01h
jnbe 00007F5268D125CCh
call 00007F5268D12D36h
test eax, eax
je 00007F5268D1258Ah
test ebx, ebx
jne 00007F5268D12586h
dec eax
lea ecx, dword ptr [00014406h]
call 00007F5268D125E2h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21494	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x25000	0xdf8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x27000	0x108	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1e620	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1e700	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1e4e0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x12000	0x5e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10b8b	0x10c00	33a84da265abd7f11f347e08f316b3c7	False	0.49338269589552236	data	6.230571778777325	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x12000	0x1141e	0x11600	d4c8f50b09c1344c64c8b641003b78bf	False	0.4238421762589928	data	5.740973915220694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x24000	0xd80	0x600	044aa8e4f1755c27ba3b6b6d4f90fee5	False	0.20638020833333334	data	3.4464573681485184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x25000	0xdf8	0xe00	2601d8db3ec9b33fdb013992b6095436	False	0.49107142857142855	PEX Binary Archive	5.0225086026520485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x26000	0x1e8	0x200	2d22e421adfc8228f1491d43140ec4d8	False	0.5390625	data	4.768131151703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x27000	0x108	0x200	aee3ad14e40e8549046bb30bd1302939	False	0.435546875	data	3.2203490542556215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x26060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	CloseHandle, GetProcAddress, GetCurrentProcessId, CreateToolhelp32Snapshot, Process32NextW, GetModuleHandleA, SetUnhandledExceptionFilter, GetTempPathW, FormatMessageA, GetCurrentThreadId, CreateFileW, VirtualAlloc, DeviceIoControl, Process32FirstW, VirtualFree, GetFileAttributesExW, AreFileApisANSI, GetLastError, GetFileInformationByHandleEx, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, LocalFree
USER32.dll	GetWindowThreadProcessId, GetShellWindow
ADVAPI32.dll	RegCloseKey, RegDeleteTreeW, RegCreateKeyW, RegOpenKeyW, RegSetKeyValueW
MSVCP140.dll	?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?widen@?$ctype@_W@std@@QEBA_WD@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Winerror_map@std@@YAHH@Z, ?_Syserror_map@std@@YAPEBDH@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z, ?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ??Bid@locale@std@@QEAA_KXZ, ?uncaught_exception@std@@YA_NXZ, ?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A, ?id@?$ctype@_W@std@@2V0locale@2@A, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z, ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
ntdll.dll	NtQuerySystemInformation, RtlInitUnicodeString
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__current_exception, __C_specific_handler, __std_terminate, memset, __std_exception_destroy, memcmp, memcpy, __current_exception_context, _CxxThrowException, wcsstr, __std_exception_copy, memmove
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode, _fseeki64, fread, fsetpos, ungetc, _get_stream_buffer_pointers, fflush, setvbuf, fgetpos, fwrite, __p__commode, fputc, fgetc, fclose
api-ms-win-crt-utility-l1-1-0.dll	rand, srand
api-ms-win-crt-filesystem-l1-1-0.dll	_unlock_file, _lock_file, _wremove
api-ms-win-crt-string-l1-1-0.dll	_stricmp, _wcsicmp
api-ms-win-crt-time-l1-1-0.dll	_time64
api-ms-win-crt-runtime-l1-1-0.dll	_register_thread_local_exe_atexit_callback, _register_onexit_function, _cexit, _crt_atexit, __p___argc, _invalid_parameter_noinfo_noreturn, _exit, exit, _initterm_e, _initterm, _get_initial_wide_environment, _initialize_wide_environment, _configure_wide_argv, __p___wargv, _set_app_type, _seh_filter_exe, _initialize_onexit_table, terminate, _c_exit
api-ms-win-crt-heap-l1-1-0.dll	malloc, _callnewh, free, _set_new_mode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale, ___lc_codepage_func
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	01:50:00
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\KrMhCpCNtm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\KrMhCpCNtm.exe"
Imagebase:	0x7ff667360000
File size:	146'944 bytes
MD5 hash:	18FB86E828354D879698E7FEFDDE11A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:50:00
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.9%
Total number of Nodes:	1691
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF66736A870 Relevance: 81.2, APIs: 28, Strings: 18, Instructions: 701COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF66736A8B4
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF66736A8FB
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF66736A93B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00007FF66736A9CB
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00007FF66736AA0B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00007FF66736AA8B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00007FF66736AACB
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?), ref: 00007FF66736AB21
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?), ref: 00007FF66736AB49
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?), ref: 00007FF66736AB71
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?), ref: 00007FF66736AB98
memcpy.VCRUNTIME140(?,?), ref: 00007FF66736AC0E

Part of subcall function 00007FF667368980: memcpy.VCRUNTIME140 ref: 00007FF667368A7B

Part of subcall function 00007FF66736BAB0: __std_fs_code_page.MSVCPRT ref: 00007FF66736BAD1

memcmp.VCRUNTIME140(?,?), ref: 00007FF66736AC9A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?), ref: 00007FF66736ADCD
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736ADF0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00007FF66736AE28
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00007FF66736AE2F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00007FF66736AE36
memcpy.VCRUNTIME140(?,?), ref: 00007FF66736AE93
memcpy.VCRUNTIME140(?,?), ref: 00007FF66736AEEB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00007FF66736AFF1

Part of subcall function 00007FF667368980: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667368ADC
Part of subcall function 00007FF667368980: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF667368AE9

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?), ref: 00007FF66736B053
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?), ref: 00007FF66736B175
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?), ref: 00007FF66736B23D
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?), ref: 00007FF66736B265
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736B299
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736B2E0

Part of subcall function 00007FF66736C310: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736C965

Part of subcall function 00007FF667366260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E0
Part of subcall function 00007FF667366260: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E7
Part of subcall function 00007FF667366260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663F4

Part of subcall function 00007FF667369030: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6673691AD
Part of subcall function 00007FF667369030: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF6673691B4
Part of subcall function 00007FF667369030: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF6673691C1

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736B361

Strings

[!] Incorrect Usage!, xrefs: 00007FF66736ADB0
[+] success, xrefs: 00007FF66736B248
[-] Too many allocation modes, xrefs: 00007FF66736B0DC
.sys, xrefs: 00007FF66736AC93
[+] Allocate Independent Pages mode enabled, xrefs: 00007FF66736AB54
[+] Free pool memory after usage enabled, xrefs: 00007FF66736AB04
indPages, xrefs: 00007FF66736A9C4, 00007FF66736AA04
[-] Failed to read image to memory, xrefs: 00007FF66736B0B6
[-] Failed to map , xrefs: 00007FF66736B13E
[+] Pass Allocation Ptr as first param enabled, xrefs: 00007FF66736AB7B
mdl, xrefs: 00007FF66736A970
[-] File , xrefs: 00007FF66736B00D
[-] Warning failed to fully unload vulnerable driver , xrefs: 00007FF66736B220
doesn't exist, xrefs: 00007FF66736B03A
[+] Usage: kdmapper.exe [--free][--mdl][--PassAllocationPtr] driver, xrefs: 00007FF66736ADD3
PassAllocationPtr, xrefs: 00007FF66736AA84, 00007FF66736AAC4
free, xrefs: 00007FF66736A8F4, 00007FF66736A934
[+] Mdl memory usage enabled, xrefs: 00007FF66736AB2C

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_V01@@$_invalid_parameter_noinfo_noreturn$_wcsicmp$memcpy$?setstate@?$basic_ios@_?uncaught_exception@std@@D@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@$Concurrency::cancel_current_taskExceptionFilterUnhandled__std_fs_code_pagememcmp
String ID: [!] Incorrect Usage!$ doesn't exist$.sys$PassAllocationPtr$[+] Allocate Independent Pages mode enabled$[+] Free pool memory after usage enabled$[+] Mdl memory usage enabled$[+] Pass Allocation Ptr as first param enabled$[+] Usage: kdmapper.exe [--free][--mdl][--PassAllocationPtr] driver$[+] success$[-] Failed to map $[-] Failed to read image to memory$[-] File $[-] Too many allocation modes$[-] Warning failed to fully unload vulnerable driver $free$indPages$mdl
API String ID: 3819007230-912387167
Opcode ID: 4b22240b4a028cde26dbc79ad241a238124bf3edf135c065056b3fdd9352ead6
Instruction ID: 1dd701f9a4ba8bead2f476570c98fde58d04d7ee55732d20bf9c14540e32ea60
Opcode Fuzzy Hash: 4b22240b4a028cde26dbc79ad241a238124bf3edf135c065056b3fdd9352ead6
Instruction Fuzzy Hash: 4C629162E18656C5EB00DB66E8642BC23B1FF447A4F504235DA6DAF6E5EF7CE580C300

Function 00007FF6673704A0 Relevance: 13.6, APIs: 9, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF6673704B4
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6673704C9
__scrt_release_startup_lock.LIBCMT ref: 00007FF667370537
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667370585
_get_initial_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66737058A
__p___wargv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667370592
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66737059A
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6673705BC
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667370616

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1184979102-0
Opcode ID: 8334bf1337a27570fc31efeb7616df46911b556520961b86d9452f094374e34a
Instruction ID: 50825a8759b59c94b866ff32795257ef1e49047722f9bc32859885ac59d6e66d
Opcode Fuzzy Hash: 8334bf1337a27570fc31efeb7616df46911b556520961b86d9452f094374e34a
Instruction Fuzzy Hash: 5D316861A2D207C1FA40AB20E5723BD13B0AF85784F844035EA4EEF6D7CE6EF805C648

Function 00007FF667366260 Relevance: 10.6, APIs: 7, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673662F4
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF66736634E
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF667366378
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF667366399
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E0
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E7
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663F4

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 2558415004-0
Opcode ID: e2c367ad136847038fff30af22d074e8d0cf769924741a1b4bfb1a54706169fd
Instruction ID: 90b68d49bb3dd83bbfcb8be62fdafdf7bdb5bd29f9827afef0e87813b4ccbeba
Opcode Fuzzy Hash: e2c367ad136847038fff30af22d074e8d0cf769924741a1b4bfb1a54706169fd
Instruction Fuzzy Hash: 18512E32608A41C2EB60CB1AE5A0239A7B0FB84FD5F258535CE4E9B7B4DF3AD5468300

Function 00007FF667366430 Relevance: 4.5, APIs: 3, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF667366445
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z.MSVCP140 ref: 00007FF667366451
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF66736645A

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@?put@?$basic_ostream@_?widen@?$basic_ios@_D@std@@@std@@U?$char_traits@V12@V12@_
String ID:
API String ID: 1552636710-0
Opcode ID: 6b9bb272492244e5790e4fd1cbe884ca5642f07c574ec06d6b73e01d33ea6295
Instruction ID: 0738c8274e851824ff59b320d65f5434f3eb269c72dcf31295825e7fef64b020
Opcode Fuzzy Hash: 6b9bb272492244e5790e4fd1cbe884ca5642f07c574ec06d6b73e01d33ea6295
Instruction Fuzzy Hash: DED06755A84B46C6EA199F67B9A41381331EF9DF56F0CA431DD4F9B310CE3EE09A8218

Non-executed Functions

Function 00007FF667361760 Relevance: 66.8, APIs: 22, Strings: 16, Instructions: 320
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF667361796
GetCurrentThreadId.KERNEL32 ref: 00007FF66736179F
srand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF6673617AA
CreateFileW.KERNEL32 ref: 00007FF6673617D7
CloseHandle.KERNEL32 ref: 00007FF6673617EA

Part of subcall function 00007FF667366260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E0
Part of subcall function 00007FF667366260: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E7
Part of subcall function 00007FF667366260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663F4

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736180D
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF667361851
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF667361895
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736190A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736194A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667361986

Strings

ntoskrnl.exe, xrefs: 00007FF667361B11
[!] Failed to ClearMmUnloadedDrivers, xrefs: 00007FF667361BF9
[!] Failed to ClearWdFilterDriverList, xrefs: 00007FF667361C0E
[-] Can't find TEMP folder, xrefs: 00007FF667361969
[-] \Device\Nal is already in use., xrefs: 00007FF6673617F0
[-] Failed to register and start service for the vulnerable driver, xrefs: 00007FF667361A77
[-] Can't exploit intel driver, is there any antivirus or anticheat running?, xrefs: 00007FF667361C23
[-] Failed to load driver iqvw64e.sys, xrefs: 00007FF667361C2C
\\.\Nal, xrefs: 00007FF6673617D0, 00007FF667361AD6
[<] Loading vulnerable driver, Name: , xrefs: 00007FF6673618C6
gfff, xrefs: 00007FF66736185A
[-] Failed to get temp path, xrefs: 00007FF667361539
[-] Failed to ClearKernelHashBucketList, xrefs: 00007FF667361BE4
[-] Failed to create vulnerable driver file, xrefs: 00007FF667361A2D
[-] Failed to ClearPiDDBCacheTable, xrefs: 00007FF667361BCF
[-] Failed to get ntoskrnl.exe, xrefs: 00007FF667361B80

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_V01@@$rand$?setstate@?$basic_ios@_?uncaught_exception@std@@CloseCreateCurrentD@std@@@std@@FileHandleOsfx@?$basic_ostream@ThreadU?$char_traits@_invalid_parameter_noinfo_noreturn_time64srand
String ID: [!] Failed to ClearMmUnloadedDrivers$[!] Failed to ClearWdFilterDriverList$[-] Can't exploit intel driver, is there any antivirus or anticheat running?$[-] Can't find TEMP folder$[-] Failed to ClearKernelHashBucketList$[-] Failed to ClearPiDDBCacheTable$[-] Failed to create vulnerable driver file$[-] Failed to get ntoskrnl.exe$[-] Failed to get temp path$[-] Failed to load driver iqvw64e.sys$[-] Failed to register and start service for the vulnerable driver$[-] \Device\Nal is already in use.$[<] Loading vulnerable driver, Name: $\\.\Nal$gfff$ntoskrnl.exe
API String ID: 3610494094-2874678725
Opcode ID: 215f6cb8711acf866a15f77a1b43d1d7574e59f13d4660aa0747dac13177975f
Instruction ID: 4193bc72ac9add26cceb160350a558cdd11df49ffc2886ba4d166f1cb6328391
Opcode Fuzzy Hash: 215f6cb8711acf866a15f77a1b43d1d7574e59f13d4660aa0747dac13177975f
Instruction Fuzzy Hash: 90E19C31E18A46C1FA00DB26E9742B92371FF85794F405235DA5EEBAA5EF7CE644C700

Function 00007FF667361CE0 Relevance: 49.4, APIs: 14, Strings: 14, Instructions: 425
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6673660D0: memcpy.VCRUNTIME140 ref: 00007FF667366101

Part of subcall function 00007FF66736F220: NtQuerySystemInformation.NTDLL ref: 00007FF66736F250
Part of subcall function 00007FF66736F220: VirtualFree.KERNEL32 ref: 00007FF66736F270
Part of subcall function 00007FF66736F220: VirtualAlloc.KERNEL32 ref: 00007FF66736F286
Part of subcall function 00007FF66736F220: NtQuerySystemInformation.NTDLL ref: 00007FF66736F2A1
Part of subcall function 00007FF66736F220: VirtualFree.KERNEL32 ref: 00007FF66736F2C2

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667361D80
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667361DAE
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667361E02
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667361EF3
memset.VCRUNTIME140 ref: 00007FF66736202A
wcsstr.VCRUNTIME140 ref: 00007FF667362064
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6673620EA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362152
DeviceIoControl.KERNEL32 ref: 00007FF6673621C4
DeviceIoControl.KERNEL32 ref: 00007FF66736226B
DeviceIoControl.KERNEL32 ref: 00007FF6673622C6
DeviceIoControl.KERNEL32 ref: 00007FF667362338
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362380
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6673623C3

Part of subcall function 00007FF6673666D0: GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF667366708
Part of subcall function 00007FF6673666D0: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF667366730

Strings

[+] WdFilter.sys not loaded, clear skipped, xrefs: 00007FF667361D91
PAGE, xrefs: 00007FF667361DCE, 00007FF667361E4D, 00007FF667361E86, 00007FF667361EB3
[!] Failed to find WdFilter RuntimeDriversCount, xrefs: 00007FF667361E64
[+] Found WdFilter MpFreeDriverInfoEx with second pattern, xrefs: 00007FF667361EDD
[!] DriverInfo Magic is invalid, new wdfilter version?, driver info will not be released to prevent bsod, xrefs: 00007FF667362363
[!] Failed to remove from RuntimeDriversArray, xrefs: 00007FF667362135
WdFilter.sys, xrefs: 00007FF667361D31
[+] WdFilterDriverList Cleaned: , xrefs: 00007FF667362398
xx????xxx, xrefs: 00007FF667361E37
xxx????xx, xrefs: 00007FF667361DB8
xxx?x?xx???????????x, xrefs: 00007FF667361E70
[!] Failed to find WdFilter MpFreeDriverInfoEx, xrefs: 00007FF667361ED1
xxx?xx?x???????????x, xrefs: 00007FF667361E9D
[!] Failed to find WdFilter RuntimeDriversList, xrefs: 00007FF667361DE5

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@W@std@@@std@@$ControlDevice$Virtual$FreeInformationQuerySystem_invalid_parameter_noinfo_noreturn$AllocHandleModulememcpymemsetwcsstr
String ID: PAGE$WdFilter.sys$[!] DriverInfo Magic is invalid, new wdfilter version?, driver info will not be released to prevent bsod$[!] Failed to find WdFilter MpFreeDriverInfoEx$[!] Failed to find WdFilter RuntimeDriversCount$[!] Failed to find WdFilter RuntimeDriversList$[!] Failed to remove from RuntimeDriversArray$[+] Found WdFilter MpFreeDriverInfoEx with second pattern$[+] WdFilter.sys not loaded, clear skipped$[+] WdFilterDriverList Cleaned: $xx????xxx$xxx????xx$xxx?x?xx???????????x$xxx?xx?x???????????x
API String ID: 1039085603-2424582720
Opcode ID: 3af2ef3975ef6651820a215681cdd876bbf7a2ba93fdc62476ba25fb80ec0d09
Instruction ID: a216b80ff7f8023199b95253357b68d5b2a53fbce8e1387db8f6a2d5b43f3cb5
Opcode Fuzzy Hash: 3af2ef3975ef6651820a215681cdd876bbf7a2ba93fdc62476ba25fb80ec0d09
Instruction Fuzzy Hash: 58123876B09B41D5EB10DB62E5602BC2371BB49798F804135DE4DABB99DF3CE20AC344

Function 00007FF66736B770 Relevance: 40.7, APIs: 19, Strings: 4, Instructions: 430
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF66736B85E
memset.VCRUNTIME140 ref: 00007FF66736B86B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736B8A4
memcpy.VCRUNTIME140 ref: 00007FF66736B8AE
memset.VCRUNTIME140 ref: 00007FF66736B8BB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF66736B8E9
memcpy.VCRUNTIME140(?,?,00000000,00000000,?,?,00007FF66736B4C5), ref: 00007FF66736B9F3
memcpy.VCRUNTIME140(?,?,00000000,00000000,?,?,00007FF66736B4C5), ref: 00007FF66736BA01
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736BA3A
memcpy.VCRUNTIME140 ref: 00007FF66736BA44
memcpy.VCRUNTIME140 ref: 00007FF66736BA52
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF66736BA81

Part of subcall function 00007FF667361110: __std_exception_copy.VCRUNTIME140 ref: 00007FF667361154

Part of subcall function 00007FF6673611B0: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF6673611BB

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF66736F808,?,?,?,00007FF66736F672), ref: 00007FF66736BA9B
__std_fs_code_page.MSVCPRT ref: 00007FF66736BAD1

Part of subcall function 00007FF66736F8D0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF66736BAD6), ref: 00007FF66736F8D4
Part of subcall function 00007FF66736F8D0: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF66736BAD6), ref: 00007FF66736F8E3

__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF66736BB2C

Part of subcall function 00007FF66736F8F8: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF66736F953

memset.VCRUNTIME140 ref: 00007FF66736BB94
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF66736BBC9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736BCF5
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736BD35
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736BD58

Strings

MmAllocatePagesForMdl, xrefs: 00007FF66736BC98
[-] Can't allocate pages for mdl, xrefs: 00007FF66736BD3B
vector too long, xrefs: 00007FF66736BA94
[!] Failed to find MmAlocatePagesForMdl, xrefs: 00007FF66736BD18

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: memcpy$V01@$_invalid_parameter_noinfo_noreturnmemset$??6?$basic_ostream@_Concurrency::cancel_current_taskU?$char_traits@_V01@@W@std@@@std@@Xlength_error@std@@__std_fs_convert_wide_to_narrow$ApisByteCharFileMultiWide___lc_codepage_func__std_exception_copy__std_fs_code_page
String ID: MmAllocatePagesForMdl$[!] Failed to find MmAlocatePagesForMdl$[-] Can't allocate pages for mdl$vector too long
API String ID: 525806170-1127084285
Opcode ID: 40c3f28e2fd63654cb26dbddd77a1e857423d7b86104dd573d2a7600dc734811
Instruction ID: 83ba49626e6310d9420b179b6f2796b2de3749a9e57c5ecbd31236f19c08324c
Opcode Fuzzy Hash: 40c3f28e2fd63654cb26dbddd77a1e857423d7b86104dd573d2a7600dc734811
Instruction Fuzzy Hash: BEE1C132B08A82C5EA20DF27E4242696375FB44BD4F544635EEADAFBD5DE3CE2418700

Function 00007FF6673632E0 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 226
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF667363327
VirtualFree.KERNEL32 ref: 00007FF66736333F
VirtualAlloc.KERNEL32 ref: 00007FF667363354
NtQuerySystemInformation.NTDLL ref: 00007FF66736336D
GetCurrentProcessId.KERNEL32 ref: 00007FF6673633C5
VirtualFree.KERNEL32 ref: 00007FF667363404
memset.VCRUNTIME140 ref: 00007FF667363503
DeviceIoControl.KERNEL32 ref: 00007FF667363591
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6673635C6
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6673635ED
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736361F
VirtualFree.KERNEL32 ref: 00007FF667363652

Part of subcall function 00007FF667366260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E0
Part of subcall function 00007FF667366260: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E7
Part of subcall function 00007FF667366260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663F4

Part of subcall function 00007FF667366260: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673662F4
Part of subcall function 00007FF667366260: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF66736634E

Strings

[!] Failed to find device_object, xrefs: 00007FF667363639
[!] Failed to find driver_section, xrefs: 00007FF667363627
[!] Failed to find driver_object, xrefs: 00007FF667363630
[+] MmUnloadedDrivers Cleaned: , xrefs: 00007FF66736359B
[!] Failed to write driver name length, xrefs: 00007FF6673635D0
[!] Failed to read driver name, xrefs: 00007FF667363524
[!] Failed to find driver name, xrefs: 00007FF667363602

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$Virtual$??6?$basic_ostream@_FreeV01@@$D@std@@@std@@InformationQuerySystemU?$char_traits@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputc@?$basic_streambuf@_?uncaught_exception@std@@AllocControlCurrentDeviceOsfx@?$basic_ostream@ProcessV12@memset
String ID: [!] Failed to find device_object$[!] Failed to find driver name$[!] Failed to find driver_object$[!] Failed to find driver_section$[!] Failed to read driver name$[!] Failed to write driver name length$[+] MmUnloadedDrivers Cleaned:
API String ID: 1665244892-3011715350
Opcode ID: 3048a13f96c088af2f3ecdc01685d36d1f6f71eb46c19ee1ce8045e942d742ce
Instruction ID: 2dbdac93806ae27d029d64225063aa4f92c5dee44b8dc518fc7d9722cfee8a4f
Opcode Fuzzy Hash: 3048a13f96c088af2f3ecdc01685d36d1f6f71eb46c19ee1ce8045e942d742ce
Instruction Fuzzy Hash: 39A17C61B18A82C5FB50CB72A9602BC23B1AB49B88F415535DE4DBBB95EF3CE6458304

Function 00007FF667362880 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FF667362903
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936
DeviceIoControl.KERNEL32 ref: 00007FF6673629A6
DeviceIoControl.KERNEL32 ref: 00007FF667362A27
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362A4A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362A5A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362AA6
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362AB6

Part of subcall function 00007FF667366260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E0
Part of subcall function 00007FF667366260: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E7
Part of subcall function 00007FF667366260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663F4

Strings

[-] Failed to translate virtual address 0x, xrefs: 00007FF667362914
[-] Failed to map IO space of 0x, xrefs: 00007FF667362A94
[!] Failed to unmap IO space of physical address 0x, xrefs: 00007FF667362A38

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_$ControlDeviceV01@@$?setstate@?$basic_ios@_?uncaught_exception@std@@D@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@
String ID: [!] Failed to unmap IO space of physical address 0x$[-] Failed to map IO space of 0x$[-] Failed to translate virtual address 0x
API String ID: 20913588-3202290428
Opcode ID: 83d2ddee1cbd4f1f821ab8dc32ab4a6b52691e33f519396b2e160e7a928be1da
Instruction ID: 00b5873d557885f3b76f76f2aace9792ee79af4b6cea6f99e20c172b434c2aea
Opcode Fuzzy Hash: 83d2ddee1cbd4f1f821ab8dc32ab4a6b52691e33f519396b2e160e7a928be1da
Instruction Fuzzy Hash: EF515A72A18B41D5EB10CF62E9603A933F5FB88B88F414135DA8DABA58DF3CE255C354

Function 00007FF66736F220 Relevance: 13.6, APIs: 9, Instructions: 142nativememoryCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF66736F250
VirtualFree.KERNEL32 ref: 00007FF66736F270
VirtualAlloc.KERNEL32 ref: 00007FF66736F286
NtQuerySystemInformation.NTDLL ref: 00007FF66736F2A1
VirtualFree.KERNEL32 ref: 00007FF66736F2C2
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF66736F367
VirtualFree.KERNEL32 ref: 00007FF66736F3C3
VirtualFree.KERNEL32 ref: 00007FF66736F3FD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736F437

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: Virtual$Free$InformationQuerySystem$Alloc_invalid_parameter_noinfo_noreturn_stricmp
String ID:
API String ID: 562193759-0
Opcode ID: de73c7e78ad315794530ca9c89639a921326d6ff70a50400cf3f909c5ccb5263
Instruction ID: 92d5700ed8535a3d900985333254144da324c0234005a84a4dfcb7a073f92012
Opcode Fuzzy Hash: de73c7e78ad315794530ca9c89639a921326d6ff70a50400cf3f909c5ccb5263
Instruction Fuzzy Hash: B251D862B08A46C2EB20CB26E46433A6372FF857A4F544235DA5DDB6D8DF3DE5858B00

Function 00007FF667370910 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF66737092C
memset.VCRUNTIME140 ref: 00007FF667370950
RtlCaptureContext.KERNEL32 ref: 00007FF667370959
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF667370973
RtlVirtualUnwind.KERNEL32 ref: 00007FF6673709B4
memset.VCRUNTIME140 ref: 00007FF6673709E7
IsDebuggerPresent.KERNEL32 ref: 00007FF667370A08
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF667370A29
UnhandledExceptionFilter.KERNEL32 ref: 00007FF667370A34

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 3a3f7b6156f9f1253ce8f7f467242a578426a768b2d0c5aee2506a33b1ef9736
Instruction ID: 7fe154aa258af37dfc2636047604c8c2ebf2dc6b42fb2631566bd70869d280ec
Opcode Fuzzy Hash: 3a3f7b6156f9f1253ce8f7f467242a578426a768b2d0c5aee2506a33b1ef9736
Instruction Fuzzy Hash: 3B314D72619A81C9EB608F60E8503ED73B0FB84744F444039DB8D9BB99DF39E548C714

Function 00007FF66736A700 Relevance: 9.0, APIs: 6, Instructions: 48processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF66736A726
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF66736A733
memset.VCRUNTIME140 ref: 00007FF66736A754
Process32FirstW.KERNEL32 ref: 00007FF66736A769
Process32NextW.KERNEL32 ref: 00007FF66736A781
CloseHandle.KERNEL32 ref: 00007FF66736A796

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32memset
String ID:
API String ID: 2672634495-0
Opcode ID: ff6efbfb5b425ced449d133739804b3107b5d5d0ed23d36771b0c2a69f465a45
Instruction ID: f3dfa4dafdda7a76ddd793d13fdbe2edc7a79522a119787fb6f81b987810fb09
Opcode Fuzzy Hash: ff6efbfb5b425ced449d133739804b3107b5d5d0ed23d36771b0c2a69f465a45
Instruction Fuzzy Hash: 83118432618A41C2E650CB22E46426A73B1FB84BB0F445331E97E9B7D4DF3CE506CB00

Function 00007FF667370B68 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF667370B94
GetCurrentThreadId.KERNEL32 ref: 00007FF667370BA2
GetCurrentProcessId.KERNEL32 ref: 00007FF667370BAE
QueryPerformanceCounter.KERNEL32 ref: 00007FF667370BBE

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 195a780caf0b4952fb62f880ecd92757cba55315611c2ac06db9a5d9cc98433a
Instruction ID: 20d879d2deda494ea2bc39de158ed8504598037d32e6d2cfc01c2ccec775a0ad
Opcode Fuzzy Hash: 195a780caf0b4952fb62f880ecd92757cba55315611c2ac06db9a5d9cc98433a
Instruction Fuzzy Hash: A3112E22604F41CAEB10CF61E8642A933B4FB19758F041A35EA6D8AB94DF3CE1948340

Function 00007FF667370ABC Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9418ca02b4fd9ec178474b58b1caaeded2a12ab26dff9239f5f7e46ab255eefd
Instruction ID: c47c21fbfc943f4cb69ca1b3679dca6a3a5317c2cdc7fb6ecb24395916684c45
Opcode Fuzzy Hash: 9418ca02b4fd9ec178474b58b1caaeded2a12ab26dff9239f5f7e46ab255eefd
Instruction Fuzzy Hash: 7AA0022295DC07D0E644CB04E9706312771FB50301F455031C00DE9460DF3DF400C32E

Function 00007FF66736E770 Relevance: 77.3, APIs: 24, Strings: 20, Instructions: 305
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6673612B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667361405

Part of subcall function 00007FF667368EF0: memcpy.VCRUNTIME140 ref: 00007FF667368FF0
Part of subcall function 00007FF667368EF0: memcpy.VCRUNTIME140 ref: 00007FF667369000

RegCreateKeyW.ADVAPI32 ref: 00007FF66736E853
RegSetKeyValueW.ADVAPI32 ref: 00007FF66736E895
RegCloseKey.ADVAPI32 ref: 00007FF66736E8A3
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736E8C6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736E911
RegSetKeyValueW.ADVAPI32 ref: 00007FF66736E93B
RegCloseKey.ADVAPI32 ref: 00007FF66736E949
RegCloseKey.ADVAPI32 ref: 00007FF66736E95B
GetModuleHandleA.KERNEL32 ref: 00007FF66736E968
GetProcAddress.KERNEL32 ref: 00007FF66736E984
GetProcAddress.KERNEL32 ref: 00007FF66736E997
RtlInitUnicodeString.NTDLL ref: 00007FF66736EA14
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF66736EA3F
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF66736EA4A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736EA5A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736EA89
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736EAAC
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736EACF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736EB19
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF66736EB4D
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF66736EB58
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736EB77
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736EBF8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736EC4C

Strings

4, xrefs: 00007FF66736E9E8
Type, xrefs: 00007FF66736E932
[-] Set 'VulnerableDriverBlocklistEnable' as dword to 0, xrefs: 00007FF66736EAB2
[-] Can't create 'Type' registry value, xrefs: 00007FF66736E94F
[+] NtLoadDriver Status 0x, xrefs: 00007FF66736EA22
\Registry\Machine\System\CurrentControlSet\Services\, xrefs: 00007FF66736E9F1
[-] Can't create service key, xrefs: 00007FF66736E85D
[-] Can't create 'ImagePath' registry value, xrefs: 00007FF66736E8A9
ntdll.dll, xrefs: 00007FF66736E961
), Probably some anticheat or antivirus running blocking the load of vulnerable driver, xrefs: 00007FF66736EB61
\??\, xrefs: 00007FF66736E829
Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator., xrefs: 00007FF66736E9B3
[-] Access Denied or Insufficient Resources (0x, xrefs: 00007FF66736EB30
[-] Registry path to disable vulnerable driver list: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config, xrefs: 00007FF66736EA8F
", xrefs: 00007FF66736EB20
NtLoadDriver, xrefs: 00007FF66736E98D
RtlAdjustPrivilege, xrefs: 00007FF66736E97A
[-] Your vulnerable driver list is enabled and have blocked the driver loading, you must disable vulnerable driver list to use kdmapper with intel driver, xrefs: 00007FF66736EA6C
SYSTEM\CurrentControlSet\Services\, xrefs: 00007FF66736E7E7
ImagePath, xrefs: 00007FF66736E888

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$_invalid_parameter_noinfo_noreturn$Close$AddressProcV21@@ValueVios_base@1@memcpy$CreateHandleInitModuleStringUnicode
String ID: "$), Probably some anticheat or antivirus running blocking the load of vulnerable driver$4$Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator.$ImagePath$NtLoadDriver$RtlAdjustPrivilege$SYSTEM\CurrentControlSet\Services\$Type$[+] NtLoadDriver Status 0x$[-] Access Denied or Insufficient Resources (0x$[-] Can't create 'ImagePath' registry value$[-] Can't create 'Type' registry value$[-] Can't create service key$[-] Registry path to disable vulnerable driver list: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config$[-] Set 'VulnerableDriverBlocklistEnable' as dword to 0$[-] Your vulnerable driver list is enabled and have blocked the driver loading, you must disable vulnerable driver list to use kdmapper with intel driver$\??\$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
API String ID: 115755377-1790068772
Opcode ID: 3dd81763b4872d8400494d668b676379e2fd1e07951aeee8f1a5be909c7a21e7
Instruction ID: 92d8ce3a0d295c4295f35b751381c45d8649847058789299e3861d1c5ecd3882
Opcode Fuzzy Hash: 3dd81763b4872d8400494d668b676379e2fd1e07951aeee8f1a5be909c7a21e7
Instruction Fuzzy Hash: D1E17371B58B42D5FB00DB66E8A42AC2371FF44798F404635DA5DAB6A8EF3CE248C344

Function 00007FF66736C310 Relevance: 73.9, APIs: 24, Strings: 18, Instructions: 399
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF66736C3A5
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF66736C599
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736C5A9
memcpy.VCRUNTIME140 ref: 00007FF66736C5B9
memcpy.VCRUNTIME140 ref: 00007FF66736C5F8
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF66736C640
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF66736C64D
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736C66C
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736C965

Strings

[!] Failed to find ExAllocatePool, xrefs: 00007FF66736C4F6
ExAllocatePoolWithTag, xrefs: 00007FF66736C471
[-] Invalid format of PE image, xrefs: 00007FF66736C948
[-] Failed to resolve imports, xrefs: 00007FF66736C6C7
[-] WARNING: Failed to free memory!, xrefs: 00007FF66736C824, 00007FF66736C8FC
[-] Failed to fix cookie, xrefs: 00007FF66736C6A0
[+] Memory has been released, xrefs: 00007FF66736C817, 00007FF66736C8F3
[+] Image base has been allocated at 0x, xrefs: 00007FF66736C580
[+] Freeing memory, xrefs: 00007FF66736C7BC, 00007FF66736C89A
bytes of PE Header, xrefs: 00007FF66736C656
[+] DriverEntry returned 0x, xrefs: 00007FF66736C852
[<] Calling DriverEntry 0x, xrefs: 00007FF66736C706
[-] Failed to write local image to remote image, xrefs: 00007FF66736C6F4
[+] Skipped 0x, xrefs: 00007FF66736C623
[-] Failed to allocate remote image in kernel, xrefs: 00007FF66736C519
[-] Failed to call driver entry, xrefs: 00007FF66736C788
[-] Image is not 64 bit, xrefs: 00007FF66736C386
[-] Callback returns false, failed!, xrefs: 00007FF66736C74A

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$memcpy$AllocV21@@Vios_base@1@Virtual
String ID: bytes of PE Header$ExAllocatePoolWithTag$[!] Failed to find ExAllocatePool$[+] DriverEntry returned 0x$[+] Freeing memory$[+] Image base has been allocated at 0x$[+] Memory has been released$[+] Skipped 0x$[-] Callback returns false, failed!$[-] Failed to allocate remote image in kernel$[-] Failed to call driver entry$[-] Failed to fix cookie$[-] Failed to resolve imports$[-] Failed to write local image to remote image$[-] Image is not 64 bit$[-] Invalid format of PE image$[-] WARNING: Failed to free memory!$[<] Calling DriverEntry 0x
API String ID: 3943948942-2368498643
Opcode ID: e85050eabc87d11fccc521391b061a4e56f73e79f52928a46ddf4199e58d5a21
Instruction ID: 19fa000d80a7f11120d5d2f36957301d1fc3de87f353f9e66bc61a920cf119a4
Opcode Fuzzy Hash: e85050eabc87d11fccc521391b061a4e56f73e79f52928a46ddf4199e58d5a21
Instruction Fuzzy Hash: 0B024961A18A42C6EE50DB66E9A02B923B2BF44B84F404135DE4EFF795EE3CF645C344

Function 00007FF667363B10 Relevance: 72.1, APIs: 20, Strings: 21, Instructions: 368
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF667364320: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(00000000,?,?,00000000,00007FF667363B67), ref: 00007FF66736439C

Part of subcall function 00007FF667364320: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(00000000,?,?,00000000,00007FF667363B67), ref: 00007FF667364469

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667363C00
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667363C23
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF667363C73
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF667363C83
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667363C93
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF667363CB6
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF667363CC6
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667363CD6

Part of subcall function 00007FF667366260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E0
Part of subcall function 00007FF667366260: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E7
Part of subcall function 00007FF667366260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663F4

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667363D7F

Part of subcall function 00007FF6673612B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667361405

Part of subcall function 00007FF667363930: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667363A6C
Part of subcall function 00007FF667363930: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667363ABE

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736412B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667364175

Strings

PAGE, xrefs: 00007FF667363B5B, 00007FF667363B88, 00007FF667363BC8
xxxxxx, xrefs: 00007FF667363B6E
RtlDeleteElementGenericTableAvl, xrefs: 00007FF667363F75
[-] Can't lock PiDDBCacheTable, xrefs: 00007FF667363D5D
[-] Warning PiDDBLock not found, xrefs: 00007FF667363BEA
xxx????xxxxx????xxx????x????x, xrefs: 00007FF667363BAE
[+] PiDDBLock Ptr 0x, xrefs: 00007FF667363C5D
[+] PiDDBCacheTable Cleaned, xrefs: 00007FF6673640DE
[+] Found Table Entry = 0x, xrefs: 00007FF667363E0E
[+] PiDDBCacheTable Ptr 0x, xrefs: 00007FF667363C99
[+] PiDDBLock Locked, xrefs: 00007FF667363D69
[-] Can't get prev entry, xrefs: 00007FF667363DD6
[-] Warning PiDDBCacheTable not found, xrefs: 00007FF667363C54
[-] Not found in cache, xrefs: 00007FF667363DB0
[!] Failed to find RtlDeleteElementGenericTableAvl, xrefs: 00007FF667364004
[-] Can't delete from PiDDBCacheTable, xrefs: 00007FF667364027
[+] PiDDBLock found with second pattern, xrefs: 00007FF667363C0D
xxxxxx????xxxxx????xxx????xxxxx????x????xx?x, xrefs: 00007FF667363B41
[-] Can't get next entry, xrefs: 00007FF667363E02
[-] Can't set prev entry, xrefs: 00007FF667364105
[-] Can't set next entry, xrefs: 00007FF66736410E

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_$V01@@$_invalid_parameter_noinfo_noreturn$V01@_V21@@Vios_base@1@$?setstate@?$basic_ios@_?uncaught_exception@std@@D@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@
String ID: PAGE$RtlDeleteElementGenericTableAvl$[!] Failed to find RtlDeleteElementGenericTableAvl$[+] Found Table Entry = 0x$[+] PiDDBCacheTable Cleaned$[+] PiDDBCacheTable Ptr 0x$[+] PiDDBLock Locked$[+] PiDDBLock Ptr 0x$[+] PiDDBLock found with second pattern$[-] Can't delete from PiDDBCacheTable$[-] Can't get next entry$[-] Can't get prev entry$[-] Can't lock PiDDBCacheTable$[-] Can't set next entry$[-] Can't set prev entry$[-] Not found in cache$[-] Warning PiDDBCacheTable not found$[-] Warning PiDDBLock not found$xxx????xxxxx????xxx????x????x$xxxxxx$xxxxxx????xxxxx????xxx????xxxxx????x????xx?x
API String ID: 104082274-3657977524
Opcode ID: 477d5d5a1778ed4d96003cb5815249dbca58ca70d61b128b4ae4fc44ad3b2010
Instruction ID: 8779357431a60e9a5e9b8fcd3af794e389179736cc7f69bee33e4fe09956b247
Opcode Fuzzy Hash: 477d5d5a1778ed4d96003cb5815249dbca58ca70d61b128b4ae4fc44ad3b2010
Instruction Fuzzy Hash: A1122A71A09B42D5FB00DF66E8742B823B5BB44B88F405535D94DABB69EF3CE219C304

Function 00007FF66736BC10 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736BCF5
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736BD35
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736BE20
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736BEE0
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736BF20

Part of subcall function 00007FF6673660D0: memcpy.VCRUNTIME140 ref: 00007FF667366101

Part of subcall function 00007FF667362FB0: memset.VCRUNTIME140 ref: 00007FF66736300A
Part of subcall function 00007FF667362FB0: VirtualAlloc.KERNEL32 ref: 00007FF6673630A9
Part of subcall function 00007FF667362FB0: VirtualFree.KERNEL32 ref: 00007FF6673630E0

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736BD58

Part of subcall function 00007FF66736FFA0: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF66736708F), ref: 00007FF66736FFB0

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736BFF1
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736C031
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736C054
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736C0A3

Strings

[-] Can't set mdl pages cache, cleaning up., xrefs: 00007FF66736BF26
MmMapLockedPagesSpecifyCache, xrefs: 00007FF66736BE83
MmAllocatePagesForMdl, xrefs: 00007FF66736BC98
[-] Can't change protection for mdl pages, cleaning up, xrefs: 00007FF66736C037
[!] Failed to find MmProtectMdlSystemAddress, xrefs: 00007FF66736C014
[-] Couldn't allocate enough memory, cleaning up, xrefs: 00007FF66736BE03
[-] Can't allocate pages for mdl, xrefs: 00007FF66736BD3B
[!] Failed to find MmMapLockedPagesSpecifyCache, xrefs: 00007FF66736BF03
[-] Can't read the _MDL : byteCount, xrefs: 00007FF66736BDEF
[!] Failed to find MmAlocatePagesForMdl, xrefs: 00007FF66736BD18
[+] Allocated pages for mdl, xrefs: 00007FF66736C086
MmProtectMdlSystemAddress, xrefs: 00007FF66736BF94

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@W@std@@@std@@$_invalid_parameter_noinfo_noreturn$Virtual$AllocCriticalEnterFreeSectionmemcpymemset
String ID: MmAllocatePagesForMdl$MmMapLockedPagesSpecifyCache$MmProtectMdlSystemAddress$[!] Failed to find MmAlocatePagesForMdl$[!] Failed to find MmMapLockedPagesSpecifyCache$[!] Failed to find MmProtectMdlSystemAddress$[+] Allocated pages for mdl$[-] Can't allocate pages for mdl$[-] Can't change protection for mdl pages, cleaning up$[-] Can't read the _MDL : byteCount$[-] Can't set mdl pages cache, cleaning up.$[-] Couldn't allocate enough memory, cleaning up
API String ID: 1352232468-338763861
Opcode ID: faf9ab730050889ef882498f7ec94a8934ccc62aaabe8813ea574f7c8a9881b4
Instruction ID: 45e1e70c5e2008fe8396fe04b656d0a1c4198440e2dae05e1f40a47a054a7567
Opcode Fuzzy Hash: faf9ab730050889ef882498f7ec94a8934ccc62aaabe8813ea574f7c8a9881b4
Instruction Fuzzy Hash: FED15E61A08A02E5FB00DF66E9643B82375BF44794F404235EA5DEFAA9EF7CE245C704

Function 00007FF66736ECA0 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 162
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF66736ECD5
RtlInitUnicodeString.NTDLL ref: 00007FF66736ED48
RegOpenKeyW.ADVAPI32 ref: 00007FF66736EDA6
RegCloseKey.ADVAPI32 ref: 00007FF66736EDBF
GetProcAddress.KERNEL32 ref: 00007FF66736EDCF

Part of subcall function 00007FF667366470: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF667366689
Part of subcall function 00007FF667366470: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF667366690
Part of subcall function 00007FF667366470: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF66736669D

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF66736EDFA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF66736EE05
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736EE15
RegDeleteTreeW.ADVAPI32 ref: 00007FF66736EE76

Part of subcall function 00007FF667366470: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF667366503
Part of subcall function 00007FF667366470: ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF66736653A
Part of subcall function 00007FF667366470: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF6673665A8
Part of subcall function 00007FF667366470: ?widen@?$ctype@_W@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF6673665F8
Part of subcall function 00007FF667366470: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF667366606
Part of subcall function 00007FF667366470: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF667366639

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736EE3C
RegDeleteTreeW.ADVAPI32 ref: 00007FF66736EE57
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736EEBD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736EF11

Strings

[+] NtUnloadDriver Status 0x, xrefs: 00007FF66736EDDD
\Registry\Machine\System\CurrentControlSet\Services\, xrefs: 00007FF66736ED25
ntdll.dll, xrefs: 00007FF66736ECCE
", xrefs: 00007FF66736ED73
NtUnloadDriver, xrefs: 00007FF66736EDC5
[-] Driver Unload Failed!!, xrefs: 00007FF66736EE1F
SYSTEM\CurrentControlSet\Services\, xrefs: 00007FF66736ED7C

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_$?sputc@?$basic_streambuf@_$D@std@@@std@@DeleteTreeU?$char_traits@V01@@_invalid_parameter_noinfo_noreturn$?flush@?$basic_ostream@?getloc@ios_base@std@@?setstate@?$basic_ios@_?uncaught_exception@std@@?widen@?$ctype@_AddressCloseHandleInitModuleOpenOsfx@?$basic_ostream@ProcStringUnicodeV12@V21@@Vios_base@1@Vlocale@2@W@std@@
String ID: "$NtUnloadDriver$SYSTEM\CurrentControlSet\Services\$[+] NtUnloadDriver Status 0x$[-] Driver Unload Failed!!$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
API String ID: 3029441947-3977549460
Opcode ID: 8aa02ac224f8c6c68e2a193379f6398c8910db6acd76c3abf61c4becc9892492
Instruction ID: 865bf7505440a6744830236ba2816c8f188185f4c3f6f30152bc00aeb9e9f936
Opcode Fuzzy Hash: 8aa02ac224f8c6c68e2a193379f6398c8910db6acd76c3abf61c4becc9892492
Instruction Fuzzy Hash: 78717262B19B46D5EB10CF66E8B42AC2371FB44B98F404635DA5DAB698DF3CE249C304

Function 00007FF6673623E0 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF667366260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E0
Part of subcall function 00007FF667366260: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E7
Part of subcall function 00007FF667366260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663F4

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362430
CloseHandle.KERNEL32 ref: 00007FF667362443

Part of subcall function 00007FF667361760: GetTempPathW.KERNEL32 ref: 00007FF667361494
Part of subcall function 00007FF667361760: memcpy.VCRUNTIME140 ref: 00007FF667361522
Part of subcall function 00007FF667361760: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6673615CC

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736249A
memset.VCRUNTIME140 ref: 00007FF6673624C9

Part of subcall function 00007FF667365AC0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF667365AF3
Part of subcall function 00007FF667365AC0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF667365B12
Part of subcall function 00007FF667365AC0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF667365B44
Part of subcall function 00007FF667365AC0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF667365B60
Part of subcall function 00007FF667365AC0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF667365BAA

rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF6673624EA
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF6673624F3

Part of subcall function 00007FF6673700B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF6673661AE), ref: 00007FF6673700CA

rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF667362540
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z.MSVCP140 ref: 00007FF66736257E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6673625B7
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6673625E4
_wremove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF667362603
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF667362685
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF667362690
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF66736269A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6673626DA

Strings

[<] Unloading vulnerable driver, xrefs: 00007FF667362413
[+] Vul driver data destroyed before unlink, xrefs: 00007FF6673625A1
[!] Error dumping shit inside the disk, xrefs: 00007FF667362598

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$U?$char_traits@_W@std@@@std@@$V01@$?setstate@?$basic_ios@__invalid_parameter_noinfo_noreturnrand$??6?$basic_ostream@_V01@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@??1?$basic_streambuf@?uncaught_exception@std@@?write@?$basic_ostream@CloseD@std@@@1@_HandleInit@?$basic_streambuf@Osfx@?$basic_ostream@PathTempV12@V?$basic_streambuf@_wremovemallocmemcpymemset
String ID: [!] Error dumping shit inside the disk$[+] Vul driver data destroyed before unlink$[<] Unloading vulnerable driver
API String ID: 3024648514-4078119036
Opcode ID: 0314a88b68f23f562cf9c8614c019e7b2f401058eb6cf3280caed7b87f3eb0f2
Instruction ID: 2d3c0ea95a0b6b9031e289e59f064dd6e193e6f917f20fdea3fca1c122a322db
Opcode Fuzzy Hash: 0314a88b68f23f562cf9c8614c019e7b2f401058eb6cf3280caed7b87f3eb0f2
Instruction Fuzzy Hash: 9A91B272B18A46C2EF00DB26E9642BD6371FB84B94F414132DA4DABBA9DF7CE545C700

Function 00007FF66736FAE8 Relevance: 28.7, APIs: 19, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF66736FB81
GetLastError.KERNEL32 ref: 00007FF66736FB8B
__std_fs_open_handle.LIBCPMT ref: 00007FF66736FBE7
CloseHandle.KERNEL32 ref: 00007FF66736FBFC
CloseHandle.KERNEL32 ref: 00007FF66736FD62
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736FD6C

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: CloseHandle$AttributesErrorFileLast__std_fs_open_handleterminate
String ID:
API String ID: 1657120197-0
Opcode ID: 70276f9bcb9585dddc24ae70747ab01c5c0698922327de83e8fc3262c8de8dc7
Instruction ID: 8d8ef67020f4665aa52127b4997af3bc9423b292276c35625c0536d9f7d0db86
Opcode Fuzzy Hash: 70276f9bcb9585dddc24ae70747ab01c5c0698922327de83e8fc3262c8de8dc7
Instruction Fuzzy Hash: 04814032B08A03C6F7648B26A83467922B1AF457B4F140735DE6EEB6D4DF2CE5468B10

Function 00007FF6673637F0 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6673638C0
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,-0000000A,00007FF66736413C), ref: 00007FF667363900
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF667367F6C
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF667367F94

Part of subcall function 00007FF66736FFA0: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF66736708F), ref: 00007FF66736FFB0

Part of subcall function 00007FF6673660D0: memcpy.VCRUNTIME140 ref: 00007FF667366101

Part of subcall function 00007FF667362FB0: memset.VCRUNTIME140 ref: 00007FF66736300A
Part of subcall function 00007FF667362FB0: VirtualAlloc.KERNEL32 ref: 00007FF6673630A9
Part of subcall function 00007FF667362FB0: VirtualFree.KERNEL32 ref: 00007FF6673630E0

Strings

[!] Failed to find ExReleaseResourceLite, xrefs: 00007FF6673638E3
ntdll.dll, xrefs: 00007FF667367F65
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF6673680C2
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF66736810C
[-] Failed to load ntdll.dll, xrefs: 00007FF667367F77
ExReleaseResourceLite, xrefs: 00007FF66736385F
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF667367FD5
NtAddAtom, xrefs: 00007FF667367FBD, 00007FF667368040

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@VirtualW@std@@@std@@$AllocCriticalEnterFreeHandleModuleSection_invalid_parameter_noinfo_noreturnmemcpymemset
String ID: ExReleaseResourceLite$NtAddAtom$[!] Failed to find ExReleaseResourceLite$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 2380966100-1591343369
Opcode ID: 9a55819e55609df80ef77bf808e43bff089201616bccec53d007c7fb8a1bbac8
Instruction ID: 79019874f9fc6d201522bd58b47a9169aeb139d2cb01911d3dedc045df172d3d
Opcode Fuzzy Hash: 9a55819e55609df80ef77bf808e43bff089201616bccec53d007c7fb8a1bbac8
Instruction Fuzzy Hash: D9915C61A19A42E5FA00DB66F8602B823B5BF45794F404131D95DFFBA5EF7CE644C700

Function 00007FF66736C0C0 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 128COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF667364320: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(00000000,?,?,00000000,00007FF667363B67), ref: 00007FF66736439C

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736C13B
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736C15E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736C22C
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736C24F

Strings

PAGE, xrefs: 00007FF66736C1E9
[!] Failed to find MmSetPageProtection, xrefs: 00007FF66736C216
[-] Error allocating independent pages, xrefs: 00007FF66736C148
[-] Failed to change page protections, xrefs: 00007FF66736C239
PAGELK, xrefs: 00007FF66736C0F4
[!] Failed to find MmAllocateIndependentPagesEx, xrefs: 00007FF66736C125
x????xxxxxxxx????xxxxxxxxx????xxxxxxxx, xrefs: 00007FF66736C0E3
xx????x???x?x????xxxxxxx????x, xrefs: 00007FF66736C1D6

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@W@std@@@std@@
String ID: PAGE$PAGELK$[!] Failed to find MmAllocateIndependentPagesEx$[!] Failed to find MmSetPageProtection$[-] Error allocating independent pages$[-] Failed to change page protections$x????xxxxxxxx????xxxxxxxxx????xxxxxxxx$xx????x???x?x????xxxxxxx????x
API String ID: 302930070-3125098887
Opcode ID: b56b588d9dd8c2ee139c9fe0190437d2656703fa9a6609ae01abd2105fc46c28
Instruction ID: ecd66b75f36ef2c613283ba6ba6771d20df87e95c8ce9ba755a01af352a0e90f
Opcode Fuzzy Hash: b56b588d9dd8c2ee139c9fe0190437d2656703fa9a6609ae01abd2105fc46c28
Instruction Fuzzy Hash: C9514561A0CA86D1EE20DB52F8601B563B5BF84B84F410136DA8DEFB65EF7CF2558704

Function 00007FF66736FE18 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF66736FE2E
GetModuleHandleW.KERNEL32 ref: 00007FF66736FE3B
GetModuleHandleW.KERNEL32 ref: 00007FF66736FE50
GetProcAddress.KERNEL32 ref: 00007FF66736FE68
GetProcAddress.KERNEL32 ref: 00007FF66736FE7B
CreateEventW.KERNEL32 ref: 00007FF66736FEA7
DeleteCriticalSection.KERNEL32 ref: 00007FF66736FEF3
CloseHandle.KERNEL32 ref: 00007FF66736FF05

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF66736FE34
SleepConditionVariableCS, xrefs: 00007FF66736FE5E
WakeAllConditionVariable, xrefs: 00007FF66736FE6E
kernel32.dll, xrefs: 00007FF66736FE49

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: e5e4f754f3f487965fad72919d86d6d4df3eb9a1f8798c2007f0e7c32e2b8c95
Instruction ID: 6f9e7b930ba94645fbb1861dee8d617ebb508783bf37593a364495448c79c66e
Opcode Fuzzy Hash: e5e4f754f3f487965fad72919d86d6d4df3eb9a1f8798c2007f0e7c32e2b8c95
Instruction Fuzzy Hash: 83213C64E1AA03D1FA64DB21FA7417823B1FF48B41F544435C90EEEAA2EE3CB645C714

Function 00007FF667367AC0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 136libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF667367B01

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667367B29
GetProcAddress.KERNEL32 ref: 00007FF667367B5C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667367C32

Strings

ntdll.dll, xrefs: 00007FF667367AFA
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF667367C57
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF667367CA1
[-] Failed to load ntdll.dll, xrefs: 00007FF667367B0C
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF667367B6A
NtAddAtom, xrefs: 00007FF667367B52, 00007FF667367BD5
EtwB, xrefs: 00007FF667367CC8

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: EtwB$NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-361367663
Opcode ID: 3d84c6219891c647c69fca7b64475852b5ddfbdd79266993850f1803d0d63c17
Instruction ID: 064a2f415cff7b18f8ca286c8882499ed1566f5875cbe6c4c8ea474fc14a8741
Opcode Fuzzy Hash: 3d84c6219891c647c69fca7b64475852b5ddfbdd79266993850f1803d0d63c17
Instruction Fuzzy Hash: B2517B61F19A52D8FB00DF66A8602B827B5AF05794F800131DD5DEFA99EF7CE6458300

Function 00007FF6673671E0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF667367225

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736724D
GetProcAddress.KERNEL32 ref: 00007FF667367282
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667367358

Strings

ntdll.dll, xrefs: 00007FF66736721E
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF66736737D
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF6673673C7
[-] Failed to load ntdll.dll, xrefs: 00007FF667367230
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF667367290
NtAddAtom, xrefs: 00007FF667367278, 00007FF6673672FB

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: d2bf155c53d14ee0042dbf99ce9987022f349bafadc77a487a6711574ac93195
Instruction ID: 06043bcce9e0f945e8c994755eb23df00bb2be5bd9d297c2cf9580fb61504b17
Opcode Fuzzy Hash: d2bf155c53d14ee0042dbf99ce9987022f349bafadc77a487a6711574ac93195
Instruction Fuzzy Hash: 1E519B62F08692D4FB10DFA6A8602B82372BF45798F844131DD5CEFA96DF7CA644C340

Function 00007FF667367660 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 140libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF667362D1D), ref: 00007FF6673676A5

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF667362D1D), ref: 00007FF6673676CD
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF667362D1D), ref: 00007FF6673676FA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6673677D0

Strings

ntdll.dll, xrefs: 00007FF66736769E
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF6673677F5
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF66736783F
[-] Failed to load ntdll.dll, xrefs: 00007FF6673676B0
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF667367708
NtAddAtom, xrefs: 00007FF6673676F0, 00007FF667367773

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: 5f69a67ae23bb2902702042ca96775c38ade745b8d232f53ffbc23ae1f596fee
Instruction ID: b10cbd56588094c97f164f959b3fba320ae401e8e0591458663b9fc1fa31c881
Opcode Fuzzy Hash: 5f69a67ae23bb2902702042ca96775c38ade745b8d232f53ffbc23ae1f596fee
Instruction Fuzzy Hash: 5C514C62F18A92D4FB00DB66A8602B82771BF15B94F840132DD1DFFA9ADF7CA645C310

Function 00007FF667368380 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 140libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6673683C5

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6673683ED
GetProcAddress.KERNEL32 ref: 00007FF66736841A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6673684F0

Strings

ntdll.dll, xrefs: 00007FF6673683BE
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF667368515
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF66736855F
[-] Failed to load ntdll.dll, xrefs: 00007FF6673683D0
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF667368428
NtAddAtom, xrefs: 00007FF667368410, 00007FF667368493

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: d5914a3aceeddefa298d63cf9fe1c31d30150c684a02f743b30f77e38ff69dc3
Instruction ID: 271ecebece78b917db684e09f4582d1e44c691460978c38ad490f1f80e631958
Opcode Fuzzy Hash: d5914a3aceeddefa298d63cf9fe1c31d30150c684a02f743b30f77e38ff69dc3
Instruction Fuzzy Hash: B8516E62F09A92D8FB00DB66A8602B82371AF4A794F404031DE5DEFA99DE7CA645C304

Function 00007FF667368150 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 140libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,00000000,?,?,-0000000A,00000000,?,?,00007FF667364047), ref: 00007FF667368195

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,00000000,?,?,-0000000A,00000000,?,?,00007FF667364047), ref: 00007FF6673681BD
GetProcAddress.KERNEL32(?,?,?,?,?,?,00000000,?,?,-0000000A,00000000,?,?,00007FF667364047), ref: 00007FF6673681EA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000), ref: 00007FF6673682C0

Strings

ntdll.dll, xrefs: 00007FF66736818E
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF6673682E5
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF66736832F
[-] Failed to load ntdll.dll, xrefs: 00007FF6673681A0
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF6673681F8
NtAddAtom, xrefs: 00007FF6673681E0, 00007FF667368263

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: cfd99600240ea865c8abca17f9a6b5a273b43b259d413c1336a8cc50b629559b
Instruction ID: 150a384ca18d4f5eff15b6f914ff9e4cd229cacf5c130557cbe3a3a4afc00e1d
Opcode Fuzzy Hash: cfd99600240ea865c8abca17f9a6b5a273b43b259d413c1336a8cc50b629559b
Instruction Fuzzy Hash: 7D517DA2F08A92D8FB00DB66A8606FC2775AF4A794F444031DD5DFFA95DE7CA645C300

Function 00007FF6673668F0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF667366932

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736695A
GetProcAddress.KERNEL32 ref: 00007FF66736698C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667366A62

Strings

ntdll.dll, xrefs: 00007FF66736692B
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF667366A87
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF667366AD1
[-] Failed to load ntdll.dll, xrefs: 00007FF66736693D
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF66736699A
NtAddAtom, xrefs: 00007FF667366982, 00007FF667366A05

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: d181614ac96272674aa025f0740ef16019df5227f5e9e5bb7aeea0a741bf88c2
Instruction ID: 201117e0ad912296d88798b2db91e921eca0777ac29ca3eb868a725198d82baa
Opcode Fuzzy Hash: d181614ac96272674aa025f0740ef16019df5227f5e9e5bb7aeea0a741bf88c2
Instruction Fuzzy Hash: AD518C62E18692D4FB00DBA6E8602B827B1AF05BD4F404136DD5CFFA96EE3CE645C700

Function 00007FF667366FA0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF667366FE2

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736700A
GetProcAddress.KERNEL32 ref: 00007FF66736703C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667367112

Strings

ntdll.dll, xrefs: 00007FF667366FDB
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF667367137
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF667367181
[-] Failed to load ntdll.dll, xrefs: 00007FF667366FED
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF66736704A
NtAddAtom, xrefs: 00007FF667367032, 00007FF6673670B5

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: fd4aca2d8a64865051f19ff153611ac29a365584bc3508e8b6c01445a04472ba
Instruction ID: 751c9d18f73b122e8bb67d24505c029ef97e89e9c8230560d9aa564f8980282e
Opcode Fuzzy Hash: fd4aca2d8a64865051f19ff153611ac29a365584bc3508e8b6c01445a04472ba
Instruction Fuzzy Hash: E8517D61F09A92E4FB00DFA6A8602B82775AF45B94F800536DD5CFFA95EF3CA645C310

Function 00007FF667366D60 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 138libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF667366DA2

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667366DCA
GetProcAddress.KERNEL32 ref: 00007FF667366DFC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667366ED2

Strings

ntdll.dll, xrefs: 00007FF667366D9B
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF667366EF7
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF667366F41
[-] Failed to load ntdll.dll, xrefs: 00007FF667366DAD
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF667366E0A
NtAddAtom, xrefs: 00007FF667366DF2, 00007FF667366E75

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: 7df866b1bfae26fce69b877358477c94e2d24cea98912b209813e1143ddbe160
Instruction ID: 5e4435f95911ebf976ad5c7c81cde7d1a8d1b1cdeba6cf042e07aaef573aa0f5
Opcode Fuzzy Hash: 7df866b1bfae26fce69b877358477c94e2d24cea98912b209813e1143ddbe160
Instruction Fuzzy Hash: 67516A62F09692D8FB00DB66E9602B82771AF45BD4F400135DE5DEFA9AEE3CA6458310

Function 00007FF667367D00 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,?,00007FF6673637C6), ref: 00007FF667367D42

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,?,00007FF6673637C6), ref: 00007FF667367D6A
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,?,00007FF6673637C6), ref: 00007FF667367D9C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667367E72

Strings

ntdll.dll, xrefs: 00007FF667367D3B
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF667367E97
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF667367EE1
[-] Failed to load ntdll.dll, xrefs: 00007FF667367D4D
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF667367DAA
NtAddAtom, xrefs: 00007FF667367D92, 00007FF667367E15

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: 25595bbf758e887c76229151383a3d9b7dfdecd2447f45c8952dfdeb4ff478cf
Instruction ID: e0b9912a56815814914f0ca541394b9eede701e1d2fd19dc69db4647f90c31a6
Opcode Fuzzy Hash: 25595bbf758e887c76229151383a3d9b7dfdecd2447f45c8952dfdeb4ff478cf
Instruction Fuzzy Hash: 17516D66F18A92D4FB00DB66A8602B82771AF457D4F800531DE5DFFA96DF7CA649C300

Function 00007FF667366B30 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF667366B72

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667366B9A
GetProcAddress.KERNEL32 ref: 00007FF667366BCC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667366CA2

Strings

ntdll.dll, xrefs: 00007FF667366B6B
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF667366CC7
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF667366D11
[-] Failed to load ntdll.dll, xrefs: 00007FF667366B7D
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF667366BDA
NtAddAtom, xrefs: 00007FF667366BC2, 00007FF667366C45

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: 7dff1be43380c2075c1653e5a398fea07c88866777cc68459b13cbe2b9be6b05
Instruction ID: ed172745beda163f7697f9d5e8db09a85bcd6fc07f6a6156c616d280931ebb3c
Opcode Fuzzy Hash: 7dff1be43380c2075c1653e5a398fea07c88866777cc68459b13cbe2b9be6b05
Instruction Fuzzy Hash: 2F516A62F08A92D4FB00DB66A8602B827B5AF457D4F410135DE5CEFA99EF7CA645C310

Function 00007FF667367430 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF667367472

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736749A
GetProcAddress.KERNEL32 ref: 00007FF6673674CC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6673675A2

Strings

ntdll.dll, xrefs: 00007FF66736746B
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF6673675C7
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF667367611
[-] Failed to load ntdll.dll, xrefs: 00007FF66736747D
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF6673674DA
NtAddAtom, xrefs: 00007FF6673674C2, 00007FF667367545

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: e69972e1455e28ddab483bdba82815947aa41dbc40940289e3b5e9cd92b0a036
Instruction ID: f24cd66c363af5253079cab4920583cde46e4b87e08a533c41c8391f36f98e8d
Opcode Fuzzy Hash: e69972e1455e28ddab483bdba82815947aa41dbc40940289e3b5e9cd92b0a036
Instruction Fuzzy Hash: CA519DA1F18692D8FB00DB66A8602B82775AF05794F800131DE5DFFA9AEF7CE644C300

Function 00007FF66736CFD0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF66736D00E

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736D036
GetProcAddress.KERNEL32 ref: 00007FF66736D068
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736D13E

Strings

ntdll.dll, xrefs: 00007FF66736D007
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF66736D163
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF66736D1AD
[-] Failed to load ntdll.dll, xrefs: 00007FF66736D019
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF66736D076
NtAddAtom, xrefs: 00007FF66736D05E, 00007FF66736D0E1

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: fc7ebf4f9e867cc079bb03149116c4735acc596d073804fac287f1617048577e
Instruction ID: 31463e766c94360ad075dab339628f6da6581512648a77c4fc04d4e6d19fc778
Opcode Fuzzy Hash: fc7ebf4f9e867cc079bb03149116c4735acc596d073804fac287f1617048577e
Instruction Fuzzy Hash: A1518DA2F19692D4FF40DB62A8602B82371AF45794F604132DD1CFFB96EF6CA645C340

Function 00007FF667367890 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 136libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF667362E5A), ref: 00007FF6673678D2

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF667362E5A), ref: 00007FF6673678FA
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF667362E5A), ref: 00007FF66736792C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667367A02

Strings

ntdll.dll, xrefs: 00007FF6673678CB
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF667367A27
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF667367A71
[-] Failed to load ntdll.dll, xrefs: 00007FF6673678DD
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF66736793A
NtAddAtom, xrefs: 00007FF667367922, 00007FF6673679A5

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$V01@@$AddressControlDeviceHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 154489249-2622504768
Opcode ID: 00ea5fb1913a1544e8fb066c0cd4c828ab647674224ae55823c4c8056406986d
Instruction ID: f8d8eb8e86c580523c74bc6c2bd580e4d19e5825ec5b4662bcf8b0d533b93d80
Opcode Fuzzy Hash: 00ea5fb1913a1544e8fb066c0cd4c828ab647674224ae55823c4c8056406986d
Instruction Fuzzy Hash: C4516A61E18692D4FB00DB66E8602B827B1AF45B94F804536DD5CFFBA5EF2CE645C300

Function 00007FF6673666D0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF667366708
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF667366730
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF667366763
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667366839

Part of subcall function 00007FF6673627E0: DeviceIoControl.KERNEL32 ref: 00007FF667362848

Part of subcall function 00007FF667362880: DeviceIoControl.KERNEL32 ref: 00007FF667362903
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF667362926
Part of subcall function 00007FF667362880: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362936

Strings

ntdll.dll, xrefs: 00007FF667366701
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF66736685E
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF6673668A8
[-] Failed to load ntdll.dll, xrefs: 00007FF667366713
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF667366771
NtAddAtom, xrefs: 00007FF667366759, 00007FF6673667DC

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$ControlDeviceV01@@$AddressHandleModuleProc_invalid_parameter_noinfo_noreturn
String ID: NtAddAtom$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 368370636-2622504768
Opcode ID: 3fec9d493ada84cb4297804ef8d2f4951bff63eda7d5f7ec7d82c214cec2d980
Instruction ID: a0be62ef8a1fd86e149e46839c5a8575e17bd8d82f87985422898db38ed64dc3
Opcode Fuzzy Hash: 3fec9d493ada84cb4297804ef8d2f4951bff63eda7d5f7ec7d82c214cec2d980
Instruction Fuzzy Hash: F5515A61E08A92D4FB00DB66E8602B82775AB45BD4F404135DD5DFFA9AEF3CE645C310

Function 00007FF66736CAA0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736CAED
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736CB26

Part of subcall function 00007FF667366260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E0
Part of subcall function 00007FF667366260: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E7
Part of subcall function 00007FF667366260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663F4

Strings

[+] StackCookie not defined, fix cookie skipped, xrefs: 00007FF66736CB10
[-] StackCookie already fixed!? this probably wrong, xrefs: 00007FF66736CB59
[+] Fixing stack cookie, xrefs: 00007FF66736CB86
[+] Load config directory wasn't found, probably StackCookie not defined, fix cookie skipped, xrefs: 00007FF66736CAD7

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_V01@@$?setstate@?$basic_ios@_?uncaught_exception@std@@D@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@
String ID: [+] Fixing stack cookie$[+] Load config directory wasn't found, probably StackCookie not defined, fix cookie skipped$[+] StackCookie not defined, fix cookie skipped$[-] StackCookie already fixed!? this probably wrong
API String ID: 3392577530-4185774449
Opcode ID: 119d1a7f2ce1b52c047562b3e4f240a8331c9d7a6ca3e0cc265bb6ff5394e7aa
Instruction ID: 3e52b1329ae2c7d25f8914843e133b0349393bada56d324da9769dae08058965
Opcode Fuzzy Hash: 119d1a7f2ce1b52c047562b3e4f240a8331c9d7a6ca3e0cc265bb6ff5394e7aa
Instruction Fuzzy Hash: 15312D25B19B42C2EB44DB16E9A40642371BF88B84F846135DA4DABB24EF7CF655C700

Function 00007FF66736A4C0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF667369D90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667369E99

_CxxThrowException.VCRUNTIME140 ref: 00007FF66736A513
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF66736A570
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF66736A57E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF66736A551

Part of subcall function 00007FF667366260: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673662F4
Part of subcall function 00007FF667366260: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF66736634E

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736A5A3

Part of subcall function 00007FF667366260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E0
Part of subcall function 00007FF667366260: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E7
Part of subcall function 00007FF667366260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663F4

Strings

by 0x, xrefs: 00007FF66736A55A
exists, xrefs: 00007FF66736A4D4
[!!] Crash at addr 0x, xrefs: 00007FF66736A53B
[!!] Crash, xrefs: 00007FF66736A58D

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_$D@std@@@std@@U?$char_traits@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputc@?$basic_streambuf@_?uncaught_exception@std@@ExceptionOsfx@?$basic_ostream@ThrowV01@@V12@V21@@Vios_base@1@_invalid_parameter_noinfo_noreturn
String ID: by 0x$[!!] Crash$[!!] Crash at addr 0x$exists
API String ID: 2277563936-3783130642
Opcode ID: 535a1234e0204e77f2ef34367f67c725e831e19f87e0402f4d4628cd6423aad2
Instruction ID: 653c8a9dc6509b6bef9f80e8bfaf15ba5903a8600d6087eee1c4e806073cf9f4
Opcode Fuzzy Hash: 535a1234e0204e77f2ef34367f67c725e831e19f87e0402f4d4628cd6423aad2
Instruction Fuzzy Hash: 0D218061A19A4AD1EE55DB26E8702B52331FF84B84F409131EA4DEF665EF6CF284C700

Function 00007FF66736B900 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 222COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,00000000,?,?,00007FF66736B4C5), ref: 00007FF66736B9F3
memcpy.VCRUNTIME140(?,?,00000000,00000000,?,?,00007FF66736B4C5), ref: 00007FF66736BA01
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736BA3A
memcpy.VCRUNTIME140 ref: 00007FF66736BA44
memcpy.VCRUNTIME140 ref: 00007FF66736BA52
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF66736BA81
?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF66736F808,?,?,?,00007FF66736F672), ref: 00007FF66736BA9B
__std_fs_code_page.MSVCPRT ref: 00007FF66736BAD1
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF66736BB2C
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF66736BBC9

Strings

vector too long, xrefs: 00007FF66736BA94

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: memcpy$__std_fs_convert_wide_to_narrow$Concurrency::cancel_current_taskXlength_error@std@@__std_fs_code_page_invalid_parameter_noinfo_noreturn
String ID: vector too long
API String ID: 3691590088-2873823879
Opcode ID: 64dd0da5c6c718c10fab4fc3bf8a8a2f09032a453412b0b66b556e69621a75d1
Instruction ID: 772d9c35436fd35b3b109e7fbd7f78dd83d9a32680ef46ab037f59b464cb164e
Opcode Fuzzy Hash: 64dd0da5c6c718c10fab4fc3bf8a8a2f09032a453412b0b66b556e69621a75d1
Instruction Fuzzy Hash: 9C71E222B08A85C5EA249F27E510269A7B1FB44BD0F544231EFADAFBD5DF7CE1818704

Function 00007FF667366470 Relevance: 13.7, APIs: 9, Instructions: 172COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF667366503
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF66736653A
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF6673665A8
?widen@?$ctype@_W@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF6673665F8
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF667366606
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF667366639
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF667366689
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF667366690
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF66736669D

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$D@std@@@std@@U?$char_traits@$?flush@?$basic_ostream@?getloc@ios_base@std@@?setstate@?$basic_ios@_?uncaught_exception@std@@?widen@?$ctype@_Osfx@?$basic_ostream@V12@Vlocale@2@W@std@@
String ID:
API String ID: 2222884580-0
Opcode ID: e77928c5753ed680b28fef293076735a46cca9beb7c00ed2b32deb3eff45dfaf
Instruction ID: bf56d6830126e0ea8ef97510e773dc179d294704e8e621f2deadd911804ad37b
Opcode Fuzzy Hash: e77928c5753ed680b28fef293076735a46cca9beb7c00ed2b32deb3eff45dfaf
Instruction Fuzzy Hash: 81615B62A09A81C2EB218F1AE5A4239A7B0FB85FD5F148531CE4E9B7A4DF3ED545C300

Function 00007FF667369EC0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF667369F1C

Part of subcall function 00007FF66736F8D0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF66736BAD6), ref: 00007FF66736F8D4
Part of subcall function 00007FF66736F8D0: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF66736BAD6), ref: 00007FF66736F8E3

memcpy.VCRUNTIME140 ref: 00007FF667369FEC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736A0D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736A11C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736A16A

Strings

: ", xrefs: 00007FF66736A052
", ", xrefs: 00007FF66736A085

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ApisFile___lc_codepage_func__std_fs_code_pagememcpy
String ID: ", "$: "
API String ID: 2077005984-747220369
Opcode ID: 0a6a4b3a9adcd80266947c47bd89dbf9618c69305a6b470e113da48a37139e51
Instruction ID: 3767a28a570d22a9a15a29dcbbd27d641247ac7c9cd45661d6c576f6349f71c7
Opcode Fuzzy Hash: 0a6a4b3a9adcd80266947c47bd89dbf9618c69305a6b470e113da48a37139e51
Instruction Fuzzy Hash: 9A81BD72B04B51C5EB04DF66E4643AC2372EB48B88F005531DE5EABB99DF38D291C344

Function 00007FF66736A7D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 00007FF66736A7EB
GetWindowThreadProcessId.USER32 ref: 00007FF66736A7F9

Part of subcall function 00007FF66736A700: GetCurrentProcessId.KERNEL32 ref: 00007FF66736A726
Part of subcall function 00007FF66736A700: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF66736A733
Part of subcall function 00007FF66736A700: memset.VCRUNTIME140 ref: 00007FF66736A754
Part of subcall function 00007FF66736A700: Process32FirstW.KERNEL32 ref: 00007FF66736A769
Part of subcall function 00007FF66736A700: Process32NextW.KERNEL32 ref: 00007FF66736A781
Part of subcall function 00007FF66736A700: CloseHandle.KERNEL32 ref: 00007FF66736A796

Part of subcall function 00007FF667366260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E0
Part of subcall function 00007FF667366260: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E7
Part of subcall function 00007FF667366260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663F4

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736A827

Part of subcall function 00007FF667366260: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673662F4
Part of subcall function 00007FF667366260: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF66736634E

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736A84A
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736A857

Strings

[+] Press enter to close, xrefs: 00007FF66736A834
[+] Pausing to allow for debugging, xrefs: 00007FF66736A811

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: U?$char_traits@_V01@W@std@@@std@@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@_ProcessProcess32V01@@Window$?flush@?$basic_ostream@?get@?$basic_istream@?setstate@?$basic_ios@_?sputc@?$basic_streambuf@_?uncaught_exception@std@@CloseCreateCurrentFirstHandleNextOsfx@?$basic_ostream@ShellSnapshotThreadToolhelp32V12@memset
String ID: [+] Pausing to allow for debugging$[+] Press enter to close
API String ID: 2421931184-3552938800
Opcode ID: d799bcc2c641e56387cb5b05c0a9e70f9737d20a39f1af464e7d864c7a967c66
Instruction ID: f1720edeb02facb1450f55901e02dfd1da4230e81a00679ae4a0f67f1f75e5e4
Opcode Fuzzy Hash: d799bcc2c641e56387cb5b05c0a9e70f9737d20a39f1af464e7d864c7a967c66
Instruction Fuzzy Hash: D101E561A1CA06C2FA50EB12E9B50792370FF88B94F801135D94EEE335EE2CF2498B04

Function 00007FF667362FB0 Relevance: 12.2, APIs: 8, Instructions: 196memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF66736300A

Part of subcall function 00007FF6673627E0: DeviceIoControl.KERNEL32 ref: 00007FF667362848

VirtualAlloc.KERNEL32 ref: 00007FF6673630A9
VirtualFree.KERNEL32 ref: 00007FF6673630E0
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF667363186
VirtualFree.KERNEL32 ref: 00007FF6673631EC
VirtualFree.KERNEL32 ref: 00007FF66736326B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6673632A7
VirtualFree.KERNEL32 ref: 00007FF6673632B9

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: Virtual$Free$AllocControlDevice_invalid_parameter_noinfo_noreturn_stricmpmemset
String ID:
API String ID: 2498276250-0
Opcode ID: 66b3e47e2253705823354aa73bcccda996f8792d3160eedf610dc4bdda25e3ed
Instruction ID: 501cdc0090b48a74984672384f51de00ee605371ea63af70a073d8785f15543e
Opcode Fuzzy Hash: 66b3e47e2253705823354aa73bcccda996f8792d3160eedf610dc4bdda25e3ed
Instruction Fuzzy Hash: 2181D362B08A45C6EB60DB26E86036963B2FB857D4F004231DE5DABB99DF3CE181C700

Function 00007FF66736F490 Relevance: 12.2, APIs: 8, Instructions: 163COMMON

Download Yara Rule

APIs

?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736F4D8
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736F500
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736F546
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736F570
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736F590
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736F5DE
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736F632
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736F67A

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sgetc@?$basic_streambuf@$?sbumpc@?$basic_streambuf@
String ID:
API String ID: 2679766405-0
Opcode ID: 83025bd7b9ae019ff96d57ff895ab50cb2d4f39cd8efc2b9ac4daaf6003c9158
Instruction ID: 0c58da626ee0fbd4ab11fb2b4bde76bca0ba0d7529956be030f3eec84969944d
Opcode Fuzzy Hash: 83025bd7b9ae019ff96d57ff895ab50cb2d4f39cd8efc2b9ac4daaf6003c9158
Instruction Fuzzy Hash: 1961E42290D7C3C1EA258F26A5601396AB0AF11758F188535CFAD9F691DF3CEAA8C700

Function 00007FF66736CBF0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF66736F220: NtQuerySystemInformation.NTDLL ref: 00007FF66736F250
Part of subcall function 00007FF66736F220: VirtualFree.KERNEL32 ref: 00007FF66736F270
Part of subcall function 00007FF66736F220: VirtualAlloc.KERNEL32 ref: 00007FF66736F286
Part of subcall function 00007FF66736F220: NtQuerySystemInformation.NTDLL ref: 00007FF66736F2A1
Part of subcall function 00007FF66736F220: VirtualFree.KERNEL32 ref: 00007FF66736F2C2

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736CD09
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF66736CD64
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736CE79

Strings

wasn't found, xrefs: 00007FF66736CD4B
[-] Failed to resolve import , xrefs: 00007FF66736CC9C
[-] Dependency , xrefs: 00007FF66736CD1F

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$Virtual$??6?$basic_ostream@_FreeInformationQuerySystemU?$char_traits@_V01@@W@std@@@std@@$Alloc_invalid_parameter_noinfo_noreturn
String ID: wasn't found$[-] Dependency $[-] Failed to resolve import
API String ID: 4161254548-3042260135
Opcode ID: 0925f29cc72eec34a0ff72f6e2f61871d9bfd0b3e1c8f3396de838dbbfb4f2f0
Instruction ID: c420a2a825ba1a251c4cf452f4c0595611628cd9a1e0f24c80a747cb2734d00f
Opcode Fuzzy Hash: 0925f29cc72eec34a0ff72f6e2f61871d9bfd0b3e1c8f3396de838dbbfb4f2f0
Instruction Fuzzy Hash: 2B61DF62A1AB42C1EE08DB13E5641B86371AF49BC0F515536DE1DAF395EF3CF2818340

Function 00007FF667368CE0 Relevance: 10.6, APIs: 7, Instructions: 145COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF667368D74
memcpy.VCRUNTIME140 ref: 00007FF667368DBF
memcpy.VCRUNTIME140 ref: 00007FF667368DD7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667368E74
memcpy.VCRUNTIME140 ref: 00007FF667368EA9
memcpy.VCRUNTIME140 ref: 00007FF667368EC7
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF667368EEA

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: cb7b4f10e26dee5128991d942973fbc3bfcb92a9b5f8e060f3fb3f666126e786
Instruction ID: a7dd31ac08eea6c000c8609c8eef390568b7aa3e60709481b2d47c02f9f209cb
Opcode Fuzzy Hash: cb7b4f10e26dee5128991d942973fbc3bfcb92a9b5f8e060f3fb3f666126e786
Instruction Fuzzy Hash: 43519032A04B81D1EA10AB26D5682A82370FB59BA4F544A35DB6C9B3D1DF3CF2A5C345

Function 00007FF667369030 Relevance: 10.6, APIs: 7, Instructions: 134COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF6673690B5
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF667369116
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF667369144
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF667369166
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6673691AD
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF6673691B4
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF6673691C1

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 2558415004-0
Opcode ID: f5842ea8b05c013ede3a4686ef5de30cbbc8f17b4fe7c7b699e31dca6ef38b2d
Instruction ID: 010d575b9d78b6dec895eff3995b674b87435eea2dd43392bf62f19808646055
Opcode Fuzzy Hash: f5842ea8b05c013ede3a4686ef5de30cbbc8f17b4fe7c7b699e31dca6ef38b2d
Instruction Fuzzy Hash: 7C516572608A41C5EB20CF1AE5A4239A7B0FB85F85F258439CE4E9B764CF3DD546C340

Function 00007FF66736D200 Relevance: 10.6, APIs: 7, Instructions: 133COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF66736D293
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF66736D2E7
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF66736D30E
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF66736D336
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF66736D37C
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF66736D383
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF66736D390

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@U?$char_traits@_V12@W@std@@@std@@
String ID:
API String ID: 1696915518-0
Opcode ID: 5ec0a2693dc774f7ca45a3de31a3a17a0356bab5e3fa53e9ccc4ffb754c3d16b
Instruction ID: 0b7b86043cd4998b1e513833af8e0050d0d099d6565458b02e865429660b65a9
Opcode Fuzzy Hash: 5ec0a2693dc774f7ca45a3de31a3a17a0356bab5e3fa53e9ccc4ffb754c3d16b
Instruction Fuzzy Hash: 72515122618A45C1EF618F1AE5A0238A7B1FB85F95F35C635CE5E9B7A0CF3ED5468300

Function 00007FF66736D4F0 Relevance: 10.6, APIs: 7, Instructions: 131COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF66736D56F
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF66736D5C6
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF66736D5F3
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF66736D616
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF66736D65C
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF66736D663
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF66736D670

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@U?$char_traits@_V12@W@std@@@std@@
String ID:
API String ID: 1696915518-0
Opcode ID: f4ca5e86a5bc9f66354cfb4c9ce41e81ff872464d18b4223a737d3866f68204c
Instruction ID: f617cf3778960b3075f10c838e041632abd574877295ee80d107035060ea3e77
Opcode Fuzzy Hash: f4ca5e86a5bc9f66354cfb4c9ce41e81ff872464d18b4223a737d3866f68204c
Instruction Fuzzy Hash: 31515E22618A45C1EF608F1AE5A0238A7B0EB85F95F758535CF4E9BBA4CF3DD542C304

Function 00007FF66736EF50 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF66736EF91
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF66736EFB0
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF66736EFCF
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF66736F00D
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF66736F02D
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF66736F076

Part of subcall function 00007FF66736F490: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736F4D8
Part of subcall function 00007FF66736F490: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736F500
Part of subcall function 00007FF66736F490: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736F546
Part of subcall function 00007FF66736F490: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF66736F5DE

Part of subcall function 00007FF667365EE0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF667365F43
Part of subcall function 00007FF667365EE0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF667365F5F

?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?), ref: 00007FF66736F124

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$?sgetc@?$basic_streambuf@$?setstate@?$basic_ios@_Init@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@D@std@@@1@_V?$basic_streambuf@fclosememset
String ID:
API String ID: 3541683867-0
Opcode ID: b440af641cabfaf063f76f4877d2c8caeba461419372ae639d3a866274d0b941
Instruction ID: 07a1a23209ce9e3c7eb1deff85823f702c5805154c14eef157f24fededae1c2b
Opcode Fuzzy Hash: b440af641cabfaf063f76f4877d2c8caeba461419372ae639d3a866274d0b941
Instruction Fuzzy Hash: 38517032618B85C6EB10CF25E4902AEB7B0FB85758F444536EA8D97B68DF7CE505CB00

Function 00007FF6673641B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(00007FF6673644AE,00000000,?,?,00000000,00007FF667363B67), ref: 00007FF667364200

Part of subcall function 00007FF6673700B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF6673661AE), ref: 00007FF6673700CA

memset.VCRUNTIME140(00007FF6673644AE,00000000,?,?,00000000,00007FF667363B67), ref: 00007FF667364232

Part of subcall function 00007FF6673627E0: DeviceIoControl.KERNEL32 ref: 00007FF667362848

Part of subcall function 00007FF667366260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E0
Part of subcall function 00007FF667366260: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E7
Part of subcall function 00007FF667366260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663F4

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(00007FF6673644AE,00000000,?,?,00000000,00007FF667363B67), ref: 00007FF66736426E

Strings

[-] No module address to find pattern, xrefs: 00007FF6673641E3
[-] Can't find pattern, Too big section, xrefs: 00007FF667364216
[-] Read failed in FindPatternAtKernel, xrefs: 00007FF667364251

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_V01@@$?setstate@?$basic_ios@_?uncaught_exception@std@@ControlD@std@@@std@@DeviceOsfx@?$basic_ostream@U?$char_traits@mallocmemset
String ID: [-] Can't find pattern, Too big section$[-] No module address to find pattern$[-] Read failed in FindPatternAtKernel
API String ID: 3199127221-2370303861
Opcode ID: a5b15031b568e83adb44dbd77ee795a1e81541a5821a5e36bd780176e67dd98c
Instruction ID: f55f4c872213fc5200ade56d7a06dcb89452f85896e57c056f5942bea9f174d2
Opcode Fuzzy Hash: a5b15031b568e83adb44dbd77ee795a1e81541a5821a5e36bd780176e67dd98c
Instruction Fuzzy Hash: 9C41C051E1C69AC4FA50DB23A8302B967B2AF48BD0F954131DE4DAF796DE3CE7458304

Function 00007FF6673686C0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66736606A), ref: 00007FF6673686ED
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66736606A), ref: 00007FF667368707
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66736606A), ref: 00007FF667368739
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66736606A), ref: 00007FF667368764
std::_Facet_Register.LIBCPMT ref: 00007FF66736877D
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66736606A), ref: 00007FF66736879C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6673687C7

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$ctype@_Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@W@std@@std::_
String ID:
API String ID: 3972169111-0
Opcode ID: 1455c883d76591fc276e9e02a1d90c742c4438e208f5989aa16e13b846b562ef
Instruction ID: 6c953023ce55a1fd1db19c1ca856edad23d6d51c2e3aa219f93b278f21209449
Opcode Fuzzy Hash: 1455c883d76591fc276e9e02a1d90c742c4438e208f5989aa16e13b846b562ef
Instruction Fuzzy Hash: 08317026A08B46C1EB54CF12E8601A97770FB88BD4F480631DB9DAB7A5CF3CE581C700

Function 00007FF6673685B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF66736606A), ref: 00007FF6673685DD
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF66736606A), ref: 00007FF6673685F7
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF66736606A), ref: 00007FF667368629
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF66736606A), ref: 00007FF667368654
std::_Facet_Register.LIBCPMT ref: 00007FF66736866D
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF66736606A), ref: 00007FF66736868C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6673686B7

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: 55813dc35775508b1fa826b9b8463ae929d5cf02014b1989c443db391dc86a28
Instruction ID: 4b083f9c1e4c92fb751ec198ae7f55e4ef72319f4cc1f0cc9627d182b0409640
Opcode Fuzzy Hash: 55813dc35775508b1fa826b9b8463ae929d5cf02014b1989c443db391dc86a28
Instruction Fuzzy Hash: 4F318F62A08B46C1EB54DF12E4601A97370FB8CB94F480631DB9EABBA9DF3CE551C704

Function 00007FF667365460 Relevance: 9.2, APIs: 6, Instructions: 176COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF66736550D

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: 61ec44058c4cd3d8dd3c4fffd9a272c7328883b7f716a20a89009a361ef52dd4
Instruction ID: 96693d74de8aabc808ce3f00d144d4fc1b0375e12cfa6a5464fb199440427afb
Opcode Fuzzy Hash: 61ec44058c4cd3d8dd3c4fffd9a272c7328883b7f716a20a89009a361ef52dd4
Instruction Fuzzy Hash: 3D818B72B05A41D9EB00CF66D4A02AC37B1FB48768F945632DB1EA7B99DF38D695C300

Function 00007FF667365F90 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF667365FCA
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF667365FE7
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF667366010
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF66736605B

Part of subcall function 00007FF6673685B0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF66736606A), ref: 00007FF6673685DD
Part of subcall function 00007FF6673685B0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF66736606A), ref: 00007FF6673685F7
Part of subcall function 00007FF6673685B0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF66736606A), ref: 00007FF667368629
Part of subcall function 00007FF6673685B0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF66736606A), ref: 00007FF667368654
Part of subcall function 00007FF6673685B0: std::_Facet_Register.LIBCPMT ref: 00007FF66736866D
Part of subcall function 00007FF6673685B0: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF66736606A), ref: 00007FF66736868C

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF667366070
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF667366087

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: f45ff3f6b93f247a59edc750639a9470ae7e35f1fcf175b5cfe22a50c44a8090
Instruction ID: 0477aa2c47044d56e68fc7f1624a3acd4e155bbb4009d3fdf839b29beb8f0bf8
Opcode Fuzzy Hash: f45ff3f6b93f247a59edc750639a9470ae7e35f1fcf175b5cfe22a50c44a8090
Instruction Fuzzy Hash: 3C313632619B41C2EB50DF26A92426973B4FB48F88F041039DA8E9BB58EF3DD544C740

Function 00007FF66736E090 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF66736E1E1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736E28E
memcpy.VCRUNTIME140 ref: 00007FF66736E1F4

Part of subcall function 00007FF6673700B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF6673661AE), ref: 00007FF6673700CA

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF66736E29B

Strings

gfffffff, xrefs: 00007FF66736E671

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: gfffffff
API String ID: 1155477157-1523873471
Opcode ID: f6edf330ca5ca30059f15d38455b2e6e2e6911fa1b94adfe8bdb8e9572dd240a
Instruction ID: 244177b2e629fd54c4730a86165eab5557ac2569496feb4e0b7223f3a61d7ec3
Opcode Fuzzy Hash: f6edf330ca5ca30059f15d38455b2e6e2e6911fa1b94adfe8bdb8e9572dd240a
Instruction Fuzzy Hash: DE51CDB2B14B8AC2DE14DB26D9641A963F1FB88BC4F408536DE4D5B789DF3CE2958300

Function 00007FF66736BA90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 18COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF66736F808,?,?,?,00007FF66736F672), ref: 00007FF66736BA9B

Strings

MmAllocatePagesForMdl, xrefs: 00007FF66736BC98
[-] Can't allocate pages for mdl, xrefs: 00007FF66736BD3B
vector too long, xrefs: 00007FF66736BA94
[!] Failed to find MmAlocatePagesForMdl, xrefs: 00007FF66736BD18

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: Xlength_error@std@@
String ID: MmAllocatePagesForMdl$[!] Failed to find MmAlocatePagesForMdl$[-] Can't allocate pages for mdl$vector too long
API String ID: 1004598685-1127084285
Opcode ID: 2c5294f61749c6ed12f9d09fd890bea2904c1101e62972038d5a794ec4fecf14
Instruction ID: c07fbc8274eb3f1ce51c409bf4a36eed813acfc2c29114f60a4465136528a3b9
Opcode Fuzzy Hash: 2c5294f61749c6ed12f9d09fd890bea2904c1101e62972038d5a794ec4fecf14
Instruction Fuzzy Hash: E3B00270915849D1E544DB11EDE506413345B54711F904535C10DA5574DE1CB5D78705

Function 00007FF667368AF0 Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF667368BCF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667368C0C
memcpy.VCRUNTIME140 ref: 00007FF667368C16
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF667368C43
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667368CB0

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpy$Concurrency::cancel_current_task
String ID:
API String ID: 621473597-0
Opcode ID: b7f63f3848a9eda8fa38444eb648b3e468b5ad83cce1f8edb1aa24f103f144b2
Instruction ID: 0494d27d4d3733f3bc8f6bf2bfed6d1fd95d7a7475c8bf8524139043e96fa0e0
Opcode Fuzzy Hash: b7f63f3848a9eda8fa38444eb648b3e468b5ad83cce1f8edb1aa24f103f144b2
Instruction Fuzzy Hash: A8510462B0A781C4EE14DB27E5243A8A371EB09BE4F584631CBAD9B7C5DF7CE1918304

Function 00007FF667365860 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 00007FF6673658A8

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@
String ID:
API String ID: 3551493264-0
Opcode ID: 047d4b8e94dd60f6427977f98b60e465b347fcc8b00cdb505f53d951d95db41d
Instruction ID: 4b10f0cb22e72e9e82698032e9579ce492e6be01c046a0b44f3c6e001e6a12ce
Opcode Fuzzy Hash: 047d4b8e94dd60f6427977f98b60e465b347fcc8b00cdb505f53d951d95db41d
Instruction Fuzzy Hash: B3415032709B82C5EB108B29E46036E73B4FB85BA4F544136DA9D9B7A9EF38D585C700

Function 00007FF667365AC0 Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF667365AF3
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF667365B12
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF667365B44
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF667365B60

Part of subcall function 00007FF667365F90: ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF667365FCA
Part of subcall function 00007FF667365F90: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF667365FE7
Part of subcall function 00007FF667365F90: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF667366010
Part of subcall function 00007FF667365F90: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF66736605B
Part of subcall function 00007FF667365F90: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF667366070

?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF667365BAA

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@_D@std@@@1@_Fiopen@std@@U?$char_traits@_U_iobuf@@V?$basic_streambuf@Vlocale@2@W@std@@@std@@_get_stream_buffer_pointers
String ID:
API String ID: 3167182450-0
Opcode ID: ba74e8258644c3f4ba068952e4ce57b1c4bf1eb57d395062d2def3a3f7fdcbd8
Instruction ID: b29e616acac74aa0ec3c6fbd4a4d489e7833e388b982a42f91e0bdd9570ad8cf
Opcode Fuzzy Hash: ba74e8258644c3f4ba068952e4ce57b1c4bf1eb57d395062d2def3a3f7fdcbd8
Instruction Fuzzy Hash: FE212732605B41C6EB50CF29F56472977B4FB89B88F048131CA8D97724DF3DE1058B44

Function 00007FF667364320 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6673627E0: DeviceIoControl.KERNEL32 ref: 00007FF667362848

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(00000000,?,?,00000000,00007FF667363B67), ref: 00007FF66736439C
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(00000000,?,?,00000000,00007FF667363B67), ref: 00007FF667364469

Part of subcall function 00007FF667366260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E0
Part of subcall function 00007FF667366260: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663E7
Part of subcall function 00007FF667366260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF66736154C), ref: 00007FF6673663F4

Strings

[-] Can't read module headers, xrefs: 00007FF667364386
[-] Can't find section, xrefs: 00007FF667364453

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_V01@@$?setstate@?$basic_ios@_?uncaught_exception@std@@ControlD@std@@@std@@DeviceOsfx@?$basic_ostream@U?$char_traits@
String ID: [-] Can't find section$[-] Can't read module headers
API String ID: 376834646-471806993
Opcode ID: 46807fa1b466cf5d27ac0d7d1ab7a7363cf5286f44af8c965e4c0010cec98fd9
Instruction ID: b10b22a90334b098d329ef54e0b731213d4c646256496684b7a23b4eedf36342
Opcode Fuzzy Hash: 46807fa1b466cf5d27ac0d7d1ab7a7363cf5286f44af8c965e4c0010cec98fd9
Instruction Fuzzy Hash: D5419572A09AC2C1EA10CB16E4601BA63B4FF45BD4F444235EE9DAB798DF7CE255C700

Function 00007FF667363930 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667363A6C
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667363ABE

Part of subcall function 00007FF667368380: GetModuleHandleA.KERNEL32 ref: 00007FF6673683C5
Part of subcall function 00007FF667368380: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6673683ED

Strings

RtlLookupElementGenericTableAvl, xrefs: 00007FF667363A0B
[!] Failed to find RtlLookupElementGenericTableAvl, xrefs: 00007FF667363AA1

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@W@std@@@std@@$HandleModule_invalid_parameter_noinfo_noreturn
String ID: RtlLookupElementGenericTableAvl$[!] Failed to find RtlLookupElementGenericTableAvl
API String ID: 4059861771-1952825546
Opcode ID: 82cf0fd250cbaa2920a9bdd8c940fd86b4df535274d1999f57af125dd1d579a7
Instruction ID: a06ae3134c4f77da5b247fed8de9e28e3a485e15b41a94acfc7621fdae04120a
Opcode Fuzzy Hash: 82cf0fd250cbaa2920a9bdd8c940fd86b4df535274d1999f57af125dd1d579a7
Instruction Fuzzy Hash: 31418262A1CB86D2EA10DF26E460369A370FB85790F501235EA9DDBBD5DF7CE144CB00

Function 00007FF667363690 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,-0000000A,00007FF667363D52), ref: 00007FF6673637A0

Part of subcall function 00007FF66736FFA0: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF66736708F), ref: 00007FF66736FFB0

Part of subcall function 00007FF6673660D0: memcpy.VCRUNTIME140 ref: 00007FF667366101

Part of subcall function 00007FF667362FB0: memset.VCRUNTIME140 ref: 00007FF66736300A
Part of subcall function 00007FF667362FB0: VirtualAlloc.KERNEL32 ref: 00007FF6673630A9
Part of subcall function 00007FF667362FB0: VirtualFree.KERNEL32 ref: 00007FF6673630E0

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667363760

Strings

[!] Failed to find ExAcquireResourceExclusiveLite, xrefs: 00007FF667363783
ExAcquireResourceExclusiveLite, xrefs: 00007FF6673636FF

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@Virtual$??6?$basic_ostream@_AllocCriticalEnterFreeSectionU?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturnmemcpymemset
String ID: ExAcquireResourceExclusiveLite$[!] Failed to find ExAcquireResourceExclusiveLite
API String ID: 3663098849-2131800721
Opcode ID: 887cbdd1a3081a804e17c0299c65e203f8458d149b7f00593a1d163f9d0a08cd
Instruction ID: ea3165e8b9ae40ac8c0d721d7996b5424b3f53058b10c8fa8ee3dbdb018d91ba
Opcode Fuzzy Hash: 887cbdd1a3081a804e17c0299c65e203f8458d149b7f00593a1d163f9d0a08cd
Instruction Fuzzy Hash: 233181B1A1CA42D1EA50DB26F9603796371AF857E0F405131E65DEFBA6EE7CE284C700

Function 00007FF667362BF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF667362CF8

Part of subcall function 00007FF66736FFA0: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF66736708F), ref: 00007FF66736FFB0

Part of subcall function 00007FF6673660D0: memcpy.VCRUNTIME140 ref: 00007FF667366101

Part of subcall function 00007FF667362FB0: memset.VCRUNTIME140 ref: 00007FF66736300A
Part of subcall function 00007FF667362FB0: VirtualAlloc.KERNEL32 ref: 00007FF6673630A9
Part of subcall function 00007FF667362FB0: VirtualFree.KERNEL32 ref: 00007FF6673630E0

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF667362CB8

Strings

MmUnmapLockedPages, xrefs: 00007FF667362C57
[!] Failed to find MmUnmapLockedPages, xrefs: 00007FF667362CDB

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@Virtual$??6?$basic_ostream@_AllocCriticalEnterFreeSectionU?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturnmemcpymemset
String ID: MmUnmapLockedPages$[!] Failed to find MmUnmapLockedPages
API String ID: 3663098849-2848997145
Opcode ID: 2634cfcc20b9850ddd5d598bede792e8ed12be9122a38ff57198395de4790ca7
Instruction ID: 58fb4a250f51b3fb4403b96386400826c36883a4e559d38507fc8a9b1512ac28
Opcode Fuzzy Hash: 2634cfcc20b9850ddd5d598bede792e8ed12be9122a38ff57198395de4790ca7
Instruction Fuzzy Hash: D331A672A18A46D1EA10DB16F8603692371AF84BE0F401131EA5DEFB95EF3CE584C700

Function 00007FF667362E70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF66736BE3C), ref: 00007FF667362F82

Part of subcall function 00007FF66736FFA0: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF66736708F), ref: 00007FF66736FFB0

Part of subcall function 00007FF6673660D0: memcpy.VCRUNTIME140 ref: 00007FF667366101

Part of subcall function 00007FF667362FB0: memset.VCRUNTIME140 ref: 00007FF66736300A
Part of subcall function 00007FF667362FB0: VirtualAlloc.KERNEL32 ref: 00007FF6673630A9
Part of subcall function 00007FF667362FB0: VirtualFree.KERNEL32 ref: 00007FF6673630E0

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF66736BE3C), ref: 00007FF667362F40

Strings

[!] Failed to find ExAllocatePool, xrefs: 00007FF667362F65
ExFreePool, xrefs: 00007FF667362EDF

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@Virtual$??6?$basic_ostream@_AllocCriticalEnterFreeSectionU?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturnmemcpymemset
String ID: ExFreePool$[!] Failed to find ExAllocatePool
API String ID: 3663098849-3091510598
Opcode ID: cbd3235423878d68549747824a181f698f0a4e05e09ad4a0383578c5c1cd946d
Instruction ID: 6e2c0f51d797366b7ede0398e0e0fe166b9f0ff9a352ee76834209e1b7e7f35d
Opcode Fuzzy Hash: cbd3235423878d68549747824a181f698f0a4e05e09ad4a0383578c5c1cd946d
Instruction Fuzzy Hash: AA319E61A0DA46E1EE10DB16F9602796375BF847D0F404231EA9DEFBA6EF3CE6408700

Function 00007FF667362D30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF66736BE31), ref: 00007FF667362E37

Part of subcall function 00007FF66736FFA0: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF66736708F), ref: 00007FF66736FFB0

Part of subcall function 00007FF6673660D0: memcpy.VCRUNTIME140 ref: 00007FF667366101

Part of subcall function 00007FF667362FB0: memset.VCRUNTIME140 ref: 00007FF66736300A
Part of subcall function 00007FF667362FB0: VirtualAlloc.KERNEL32 ref: 00007FF6673630A9
Part of subcall function 00007FF667362FB0: VirtualFree.KERNEL32 ref: 00007FF6673630E0

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FF66736BE31), ref: 00007FF667362DF7

Strings

[!] Failed to find MmFreePagesFromMdl, xrefs: 00007FF667362E1A
MmFreePagesFromMdl, xrefs: 00007FF667362D96

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@Virtual$??6?$basic_ostream@_AllocCriticalEnterFreeSectionU?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturnmemcpymemset
String ID: MmFreePagesFromMdl$[!] Failed to find MmFreePagesFromMdl
API String ID: 3663098849-1029121595
Opcode ID: 793d0ce5824efa901dae09877a5f25384ef1e47cf3b41f159a3ede0084faa407
Instruction ID: f1c1f762ff7e7ba46546140f7c17e4daac1f950942cbc8798e49a3682eb7e555
Opcode Fuzzy Hash: 793d0ce5824efa901dae09877a5f25384ef1e47cf3b41f159a3ede0084faa407
Instruction Fuzzy Hash: 77317571A0CA42D1EA10DB16F96037963B1FF84794F415231E69DEB7A5DE3CE694C700

Function 00007FF667362AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF667364320: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(00000000,?,?,00000000,00007FF667363B67), ref: 00007FF66736439C

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF667362B51

Strings

PAGE, xrefs: 00007FF667362B1C
xxxxxxxxx????xxxxxxx, xrefs: 00007FF667362B09
[!] Failed to find MmFreeIndependentPages, xrefs: 00007FF667362B3B

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@W@std@@@std@@
String ID: PAGE$[!] Failed to find MmFreeIndependentPages$xxxxxxxxx????xxxxxxx
API String ID: 302930070-3730907401
Opcode ID: 2e524db7402ccccccec1bf18dfb0146a85c470eb90c20110a5108008e21500d1
Instruction ID: 4967d6d6f4591db9a74c6f7c293eab798d937d5bbf6ba5098219e5f2c134088e
Opcode Fuzzy Hash: 2e524db7402ccccccec1bf18dfb0146a85c470eb90c20110a5108008e21500d1
Instruction Fuzzy Hash: D8213961A18B42D1EA00CF12E9A07B563B4FF88784F811135EA8EAF765DF7CE245C740

Function 00007FF66736A1B0 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 00007FF66736A2C1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736A2ED
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736A41B
__std_exception_copy.VCRUNTIME140 ref: 00007FF66736A45D

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: 493b706f516ae84df4b5478a5c742185c21df3b43785bedc8f4f6859583b16f9
Instruction ID: 37531f34d3f647d5fcc76e11017900e95b4c10429f3e67151eab98dc512729d5
Opcode Fuzzy Hash: 493b706f516ae84df4b5478a5c742185c21df3b43785bedc8f4f6859583b16f9
Instruction Fuzzy Hash: 8381BF72604A85D1EB04CF2AE4A836C2376FB44F88F908036D74D5B66ADF79D9D4C340

Function 00007FF6673660D0 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF667366101
memcpy.VCRUNTIME140 ref: 00007FF6673661C6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736621A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF667366221

Part of subcall function 00007FF6673700B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF6673661AE), ref: 00007FF6673700CA

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 71607f1d556e088dd11d655bbba62e82d4fc23a91cc1b010c831f17a59419ccb
Instruction ID: 7c0fb28dc0fb6573960a0df19d3e5a4020ee3d7fea142e3f0073b8fbd1901c2c
Opcode Fuzzy Hash: 71607f1d556e088dd11d655bbba62e82d4fc23a91cc1b010c831f17a59419ccb
Instruction Fuzzy Hash: 64411272B09A89C5EE18DB67D5642386271AB04FE4F144630CE2DAB7D6EE3CE5828301

Function 00007FF6673687D0 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF6673688E8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736892B
memcpy.VCRUNTIME140 ref: 00007FF667368935

Part of subcall function 00007FF6673700B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF6673661AE), ref: 00007FF6673700CA

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF667368970

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 2105ef64bd8c2709b0877f5f345279e0cb74be18507c369e4501b6cae12024c2
Instruction ID: a25aa0e7f2c4da6e4bbe011828a7a268f026e6c93aab346a99d00da916fbda15
Opcode Fuzzy Hash: 2105ef64bd8c2709b0877f5f345279e0cb74be18507c369e4501b6cae12024c2
Instruction Fuzzy Hash: 4D41FD72B08B42C1EA109B23A5641A9A3B5EB0ABF4F540731DE7D9BBD5EE3CE151C304

Function 00007FF66736F6A0 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,00007FF66736F672), ref: 00007FF66736F783
memcpy.VCRUNTIME140(?,?,?,00007FF66736F672), ref: 00007FF66736F796
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF66736F672), ref: 00007FF66736F7FC

Part of subcall function 00007FF6673700B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF6673661AE), ref: 00007FF6673700CA

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF66736F809

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 79702250229d4f11bbe9b27d259316ebdb0cd84ea214da641715860fab525b69
Instruction ID: 6200022758fcf399c95cc1eb6cb839c41b8d68de6d8be7487bc8ba6082db1cac
Opcode Fuzzy Hash: 79702250229d4f11bbe9b27d259316ebdb0cd84ea214da641715860fab525b69
Instruction Fuzzy Hash: E441D162719B8AC5ED14DF27D1642B9A7A1AB04BD0F248531EBAD9B7D5DE3CE240C300

Function 00007FF667369200 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF6673692F4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736932C
memcpy.VCRUNTIME140 ref: 00007FF667369336
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF66736935F

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 301210f45aa0c2a89f331fa54ccdb207e425740bf550326a3284023867a91a6b
Instruction ID: 6f8404c91b6a34990ecf2d6e5588c1b35f0b95065ca0e3781419d5248bb7e958
Opcode Fuzzy Hash: 301210f45aa0c2a89f331fa54ccdb207e425740bf550326a3284023867a91a6b
Instruction Fuzzy Hash: CF31E571B09645C4EE249F17A52427CA372AB08BF0F580735DA7D9F7D5DE7CE1418204

Function 00007FF66736B620 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF667369F56), ref: 00007FF66736B6FA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF667369F56), ref: 00007FF66736B72E
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF667369F56), ref: 00007FF66736B738
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF66736B75B

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: c61de400fb73a06a11d061661f365d8bb49d412696654f8ef0c51e24c3d5ed98
Instruction ID: 3439c624e0f7e3d3abf9ebc3b12a9a8e06d6ba99931b019b3d43baa50937a148
Opcode Fuzzy Hash: c61de400fb73a06a11d061661f365d8bb49d412696654f8ef0c51e24c3d5ed98
Instruction Fuzzy Hash: 3231B271B19741C5EE249F17A5242B8A371AF04BE0F680731EB6D9F7D5DE3CE1518604

Function 00007FF667368EF0 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF667368FBF

Part of subcall function 00007FF6673700B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF6673661AE), ref: 00007FF6673700CA

memcpy.VCRUNTIME140 ref: 00007FF667368FF0
memcpy.VCRUNTIME140 ref: 00007FF667369000
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF667369023

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: b4015fddf09147aaab7c03480a9f974cb24aaec6581656856fa90672ee1efeb8
Instruction ID: 630207ab9c313057b3e6a0d2599d582b37a8f53d89e15d9197f36373d06dc805
Opcode Fuzzy Hash: b4015fddf09147aaab7c03480a9f974cb24aaec6581656856fa90672ee1efeb8
Instruction Fuzzy Hash: 4931AC32B0AA45D0EA24DB12A4202B962A1AB48BF4F584B31DB7DDF7D0DE3CE1558300

Function 00007FF66736FA1C Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF66736FA65
GetLastError.KERNEL32 ref: 00007FF66736FA73
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF66736B542), ref: 00007FF66736FAA8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF66736B542), ref: 00007FF66736FAB6

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 7e20026105950b9a8a8157f3b8ca2520a27d39f809ec044d8ec0fb3d82313544
Instruction ID: fec6dd1091fdd6eb5b2b1780f478df8e0ff69b5316951147341287e2f4232369
Opcode Fuzzy Hash: 7e20026105950b9a8a8157f3b8ca2520a27d39f809ec044d8ec0fb3d82313544
Instruction Fuzzy Hash: 80215B76A18B86C7E3208F16E85432EB6B4FB89B94F140139DB88A7B58DF3CD5458F04

Function 00007FF66736E2B0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 211COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF66736E58D

Strings

gfffffff, xrefs: 00007FF66736E50C
gfffffff, xrefs: 00007FF66736E2D4

Memory Dump Source

Source File: 00000000.00000002.1672807010.00007FF667361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF667360000, based on PE: true

Associated: 00000000.00000002.1672791823.00007FF667360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672841161.00007FF667384000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672856140.00007FF667385000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff667360000_KrMhCpCNtm.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: gfffffff$gfffffff
API String ID: 3668304517-161084747
Opcode ID: 37f5fb826b2345107f2ec240f921a2a54887c14404dff841389612428914b1b7
Instruction ID: cc172782dc03e5ac520751c074f4a1b89aa2dbe08942b8405d0500a0cc9f6608
Opcode Fuzzy Hash: 37f5fb826b2345107f2ec240f921a2a54887c14404dff841389612428914b1b7
Instruction Fuzzy Hash: 2581ABB2A04B8982DE10CF26F8542A973A1F758BC4F549236DF8D9B755EF38E294C301

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KrMhCpCNtm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: KrMhCpCNtm.exePID: 7056, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 7080, Parent PID: 7056

General

Chronological Activities

Disassembly

Analysis Process: KrMhCpCNtm.exePID: 7056, Parent PID: 2580COMMON

Execution Graph

Graph

Windows Analysis Report
KrMhCpCNtm.exe

Function 00007FF6673704A0 Relevance: 13.6, APIs: 9, Instructions: 94
COMMON

Function 00007FF667366260 Relevance: 10.6, APIs: 7, Instructions: 135
COMMON

Function 00007FF667366430 Relevance: 4.5, APIs: 3, Instructions: 17
COMMON

Function 00007FF667361760 Relevance: 66.8, APIs: 22, Strings: 16, Instructions: 320
filethreadCOMMON

Function 00007FF667361CE0 Relevance: 49.4, APIs: 14, Strings: 14, Instructions: 425
COMMON

Function 00007FF66736B770 Relevance: 40.7, APIs: 19, Strings: 4, Instructions: 430
COMMON

Function 00007FF6673632E0 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 226
nativememoryCOMMON

Function 00007FF66736E770 Relevance: 77.3, APIs: 24, Strings: 20, Instructions: 305
registrylibraryloaderCOMMON

Function 00007FF66736C310 Relevance: 73.9, APIs: 24, Strings: 18, Instructions: 399
memoryCOMMON

Function 00007FF667363B10 Relevance: 72.1, APIs: 20, Strings: 21, Instructions: 368
COMMON

Function 00007FF66736BC10 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 270
COMMON

Function 00007FF66736ECA0 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 162
registrylibraryloaderCOMMON

Function 00007FF6673623E0 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 196
COMMON

Function 00007FF66736FAE8 Relevance: 28.7, APIs: 19, Instructions: 200
COMMON

Function 00007FF6673637F0 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 202
COMMON