Edit tour

Windows Analysis Report
yoyo.exe

Overview

General Information

Sample name:	yoyo.exe
Analysis ID:	1546036
MD5:	0ced0787f8e64762035adea6c6aff9e2
SHA1:	3f3822cccdd892f20a8535a8137420e4e1b49344
SHA256:	79937a1b5c371c64c42abd995ddc3beff64be580f3f11ece7aceaccf1b306cee
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Detected potential crypto function

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

yoyo.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\yoyo.exe" -install MD5: 0CED0787F8E64762035ADEA6C6AFF9E2)

conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

yoyo.exe (PID: 2676 cmdline: "C:\Users\user\Desktop\yoyo.exe" /install MD5: 0CED0787F8E64762035ADEA6C6AFF9E2)

conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

yoyo.exe (PID: 5852 cmdline: "C:\Users\user\Desktop\yoyo.exe" /load MD5: 0CED0787F8E64762035ADEA6C6AFF9E2)

conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\yoyo.exe

Code function: 0_2_00007FF6BDD115E4 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,

0_2_00007FF6BDD115E4

Source: yoyo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: yoyo.exe

Static PE information: Found NDIS imports: FwpmEngineClose0, FwpmEngineOpen0, FwpmFilterAdd0, FwpmFilterCreateEnumHandle0, FwpmFilterDeleteById0, FwpmFilterDestroyEnumHandle0, FwpmFilterEnum0, FwpmFreeMemory0, FwpmProviderAdd0, FwpmProviderCreateEnumHandle0, FwpmProviderDeleteByKey0, FwpmProviderDestroyEnumHandle0, FwpmProviderEnum0

Source: C:\Users\user\Desktop\yoyo.exe

Code function: 0_2_00007FF6BDD19170

0_2_00007FF6BDD19170

Source: C:\Users\user\Desktop\yoyo.exe

Code function: String function: 00007FF6BDD11550 appears 50 times

Source: yoyo.exe

Static PE information: Number of sections : 18 > 10

Source: classification engine

Classification label: sus24.troj.winEXE@6/3@0/0

Source: C:\Users\user\Desktop\yoyo.exe

Code function: 0_2_00007FF6BDD12AE8 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,CloseHandle,

0_2_00007FF6BDD12AE8

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03

Source: yoyo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\yoyo.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: yoyo.exe	String found in binary or memory: --help
Source: yoyo.exe	String found in binary or memory: --help
Source: yoyo.exe	String found in binary or memory: --help
Source: yoyo.exe	String found in binary or memory: --help
Source: yoyo.exe	String found in binary or memory: 3DRS1l3nc3r.3xe unbl0ck <f1lt3r 1d>-h--helpblockedrblock[-] Missing second argument. Please provide the full path of the process to block.
Source: yoyo.exe	String found in binary or memory: 3DRS1l3nc3r.3xe unbl0ck <f1lt3r 1d>-h--helpblockedrblock[-] Missing second argument. Please provide the full path of the process to block.

Source: unknown	Process created: C:\Users\user\Desktop\yoyo.exe "C:\Users\user\Desktop\yoyo.exe" -install
Source: C:\Users\user\Desktop\yoyo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\yoyo.exe "C:\Users\user\Desktop\yoyo.exe" /install
Source: C:\Users\user\Desktop\yoyo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\yoyo.exe "C:\Users\user\Desktop\yoyo.exe" /load
Source: C:\Users\user\Desktop\yoyo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\yoyo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyo.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: yoyo.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: yoyo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: yoyo.exe	Static PE information: section name: .xdata
Source: yoyo.exe	Static PE information: section name: /4
Source: yoyo.exe	Static PE information: section name: /19
Source: yoyo.exe	Static PE information: section name: /31
Source: yoyo.exe	Static PE information: section name: /45
Source: yoyo.exe	Static PE information: section name: /57
Source: yoyo.exe	Static PE information: section name: /70
Source: yoyo.exe	Static PE information: section name: /81
Source: yoyo.exe	Static PE information: section name: /92

Source: C:\Users\user\Desktop\yoyo.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-3793

Source: C:\Users\user\Desktop\yoyo.exe

API coverage: 7.4 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\yoyo.exe

Code function: 0_2_00007FF6BDD11190 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,

0_2_00007FF6BDD11190

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Access Token Manipulation	1 Network Sniffing	1 Network Sniffing	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Process Injection	1 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546036
Start date and time:	2024-10-31 12:00:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yoyo.exe
Detection:	SUS
Classification:	sus24.troj.winEXE@6/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: yoyo.exe

Process:	C:\Users\user\Desktop\yoyo.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.452819531114783
Encrypted:	false
SSDEEP:	3:34F3Xlslovn:qqly
MD5:	CAF0F008F51248BD8771E99EE040C51A
SHA1:	F92EFA13B109747BCB1726C52B16DAAC1091887F
SHA-256:	2179C85F3082CDCCB0E59E8421FA8E83B13DD51DD540A5299E4AECC8149A0D11
SHA-512:	1DFCD3A3B88063F3D8DFB645380D96ECD85B65C1A9B59BC2A40E34175D31DC97FB47CC87096D96732C20CA0BBEBE1434345B315E3A41F951F93FE55A1F817B1F
Malicious:	false
Reputation:	low
Preview:	[-] Invalid argument: "/load"...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	5.752655646033032
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yoyo.exe
File size:	591'348 bytes
MD5:	0ced0787f8e64762035adea6c6aff9e2
SHA1:	3f3822cccdd892f20a8535a8137420e4e1b49344
SHA256:	79937a1b5c371c64c42abd995ddc3beff64be580f3f11ece7aceaccf1b306cee
SHA512:	4dbb7e2f3a28bdbf27db5a818567f44be6df0439736dc1326117440c05f1370d02178ef859734f4c830337a9b2f1dd3cfe74fb9cad33d996c54f2af36c2d8743
SSDEEP:	6144:oOvmKmAUS+NKnkg2RuO2NKVuciE0HyViv7LI3nDsq6KSTm+tmogOKietNDFBsY7v:oumpQ/kLIFU48EDLeDslh98BBXD
TLSH:	C0C44B94B744FDFADC894BB408D323096379F081971AEF2F1624FE380D5AB98DD6254A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h]#g.*..(.....&....&.......................@..........................................`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400014f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x67235D68 [Thu Oct 31 10:35:20 2024 UTC]
TLS Callbacks:	0x400033b0, 0x1, 0x40003380, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5123fa917cc2430dc63d9ccf1a383aab

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0000DF95h]
mov dword ptr [eax], 00000000h
call 00007FB09101A2DFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FB091024814h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FB09101A629h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
push ebx
dec eax
sub esp, 38h
dec eax
lea ebp, dword ptr [esp+30h]
dec eax
mov dword ptr [ebp+20h], ecx
dec eax
mov dword ptr [ebp+28h], edx
dec esp
mov dword ptr [ebp+30h], eax
dec esp
mov dword ptr [ebp+38h], ecx
dec eax
lea eax, dword ptr [ebp+28h]
dec eax
mov dword ptr [ebp-10h], eax
dec eax
mov ebx, dword ptr [ebp-10h]
mov ecx, 00000001h
dec eax
mov eax, dword ptr [0000AD1Dh]
call eax
dec ecx
mov eax, ebx
dec eax
mov edx, dword ptr [ebp+20h]
dec eax
mov ecx, eax
call 00007FB09101D651h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 38h
pop ebx
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
dec eax
mov dword ptr [ebp+10h], ecx
dec eax
mov dword ptr [ebp+18h], edx
dec esp
mov dword ptr [ebp+20h], eax
dec esp
mov dword ptr [ebp+00h], ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13000	0xef4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x10000	0x660	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0x108	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xeae0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13394	0x330	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xaf58	0xb000	87d6448fb1725c8a624296c524e428d9	False	0.4808016690340909	data	6.189659237557355	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xc000	0x300	0x400	26de311d7ec811c685d04f170c782cb8	False	0.21484375	dBase III DBT, version number 0, next free block index 10, 1st item "P\277"	2.1522558928735593	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xd000	0x2b10	0x2c00	09edab67c4bb3a99a8dc238b39fef2ec	False	0.4169034090909091	data	5.411947680544488	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x10000	0x660	0x800	2f27b18be013dad0f05c18b4bd023de0	False	0.419921875	data	3.9472676031765923	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x11000	0x660	0x800	dc29bd5bc044883f211409fbac249752	False	0.275390625	data	3.9137802324692066	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x12000	0xba0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x13000	0xef4	0x1000	2cef9d1d111be37139b89822d5c7a267	False	0.3212890625	data	4.365882503662465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x14000	0x68	0x200	b103b8c6870eb0d3294fa1bfed9225d9	False	0.072265625	data	0.3406417195159507	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x15000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x16000	0x108	0x200	d2b6819971e2f0cbe7af8659321c305b	False	0.419921875	data	2.999927855757088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/4	0x17000	0x740	0x800	2f86504001f606364ee31c1afbafdd1f	False	0.21435546875	data	1.8239951159683898	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x18000	0x49eca	0x4a000	09fcac5b714ca8b81488d89da2f10b04	False	0.30402766047297297	data	6.072112238318745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31	0x62000	0x425e	0x4400	d6e26d5fb092f81946a3d5aeb0cbd025	False	0.16015625	data	4.657520941799018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45	0x67000	0x9c40	0x9e00	ce7e71fc681abc9652cb1d4600c1f62c	False	0.3764833860759494	data	5.422244785088024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57	0x71000	0x1d90	0x1e00	a6a7c2bffce6316833498b3ac3038077	False	0.2779947916666667	data	4.608007288379467	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70	0x73000	0x97b	0xa00	64d168a85f1d435ee925ff8405f7551f	False	0.361328125	data	4.67227975326816	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81	0x74000	0x15637	0x15800	676f3b91b2c25d7337b13e53ba8992f7	False	0.22447311046511628	data	2.7222671694363108	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/92	0x8a000	0x1390	0x1400	bf97901156be399597c5a46ddadc47ca	False	0.2099609375	data	1.864343230941564	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	AdjustTokenPrivileges, CryptAcquireContextA, CryptCreateHash, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptReleaseContext, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, LookupPrivilegeValueA, OpenProcessToken, OpenThreadToken
fwpuclnt.dll	FwpmEngineClose0, FwpmEngineOpen0, FwpmFilterAdd0, FwpmFilterCreateEnumHandle0, FwpmFilterDeleteById0, FwpmFilterDestroyEnumHandle0, FwpmFilterEnum0, FwpmFreeMemory0, FwpmProviderAdd0, FwpmProviderCreateEnumHandle0, FwpmProviderDeleteByKey0, FwpmProviderDestroyEnumHandle0, FwpmProviderEnum0
KERNEL32.dll	CloseHandle, CreateToolhelp32Snapshot, DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentThread, GetFileAttributesW, GetLastError, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LocalAlloc, LocalFree, MultiByteToWideChar, OpenProcess, Process32First, Process32Next, QueryDosDeviceW, QueryFullProcessImageNameW, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte
msvcrt.dll	__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _lock, _onexit, _stricmp, fwprintf, _unlock, abort, calloc, exit, fprintf, fputc, fputwc, free, fwrite, islower, isspace, isupper, localeconv, malloc, memcpy, signal, strcmp, strerror, strlen, strncmp, towlower, vfprintf, wcschr, wcscmp, wcslen, wcsncpy

Target ID:	0
Start time:	07:01:09
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\yoyo.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\yoyo.exe" -install
Imagebase:	0x7ff6bdd10000
File size:	591'348 bytes
MD5 hash:	0CED0787F8E64762035ADEA6C6AFF9E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:01:09
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:01:11
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\yoyo.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\yoyo.exe" /install
Imagebase:	0x7ff6bdd10000
File size:	591'348 bytes
MD5 hash:	0CED0787F8E64762035ADEA6C6AFF9E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:01:11
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:01:13
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\yoyo.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\yoyo.exe" /load
Imagebase:	0x7ff6bdd10000
File size:	591'348 bytes
MD5 hash:	0CED0787F8E64762035ADEA6C6AFF9E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:01:13
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8%
Total number of Nodes:	792
Total number of Limit Nodes:	5

Executed Functions

Function 00007FF6BDD11190 Relevance: 12.2, APIs: 8, Instructions: 203
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF6BDD111F6
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6BDD11268
malloc.MSVCRT ref: 00007FF6BDD11332
strlen.MSVCRT ref: 00007FF6BDD11355
malloc.MSVCRT ref: 00007FF6BDD11361
memcpy.MSVCRT ref: 00007FF6BDD11375
GetStartupInfoA.KERNEL32 ref: 00007FF6BDD11473

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: 8e8e1c4fcdddae686a3859912da9df7e63c832aa451dfcbd3b3ed6f6b2078654
Instruction ID: 6c12f547560d7c93304b4728c3c010cf56d9e524d958faa7b860fcd1e3bfabb4
Opcode Fuzzy Hash: 8e8e1c4fcdddae686a3859912da9df7e63c832aa451dfcbd3b3ed6f6b2078654
Instruction Fuzzy Hash: 4A816632A0962685FA289F6DE45177967A5EF46B84F844335EF8CCF395FE2DE8408300

Function 00007FF6BDD1261A Relevance: 18.1, APIs: 3, Strings: 9, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

block, xrefs: 00007FF6BDD126DC
[-] Missing argument for 'unblock' command. Please provide the filter id., xrefs: 00007FF6BDD12773
blockedr, xrefs: 00007FF6BDD126B4
unblock, xrefs: 00007FF6BDD12756
[-] Missing second argument. Please provide the full path of the process to block., xrefs: 00007FF6BDD126F5
unblockall, xrefs: 00007FF6BDD1272E
--help, xrefs: 00007FF6BDD12670
[-] Invalid argument: "%s"., xrefs: 00007FF6BDD1280B
[-] Please provide filter id in digits., xrefs: 00007FF6BDD127DC

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID:
String ID: --help$[-] Invalid argument: "%s".$[-] Missing argument for 'unblock' command. Please provide the filter id.$[-] Missing second argument. Please provide the full path of the process to block.$[-] Please provide filter id in digits.$block$blockedr$unblock$unblockall
API String ID: 0-1343951423
Opcode ID: a1f5a942b81b39526af0c875133be3563ea7c3f539a1f4775d90065ddb0e0c2e
Instruction ID: 296e7f85346154ed480a524d31bfa7755535469070e97e68c74e47c2da8a3ffe
Opcode Fuzzy Hash: a1f5a942b81b39526af0c875133be3563ea7c3f539a1f4775d90065ddb0e0c2e
Instruction Fuzzy Hash: 4A51EA61F08A2785FF589B5DD8422B92B60EF50B88F404635DB9DCF7A6FE6DE4508380

Function 00007FF6BDD128F2 Relevance: 4.6, APIs: 3, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 00007FF6BDD129BB

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 5ebe81de34f8a81fd4ad5d0e22b75095c2bceccae0736c6ab83d0423507e7119
Instruction ID: efb4105c98a927b404f8e3a3d7af37e0fae4d5972acb5dd2b3099649e631fff6
Opcode Fuzzy Hash: 5ebe81de34f8a81fd4ad5d0e22b75095c2bceccae0736c6ab83d0423507e7119
Instruction Fuzzy Hash: F3511D31B14A1989FB58CBAEEC5136D27A4FB48B88F104536CE9CDB764EE3DDA018700

Function 00007FF6BDD163B3 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(null), xrefs: 00007FF6BDD168A3

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID:
String ID: (null)
API String ID: 0-3941151225
Opcode ID: 277a38aae66470e09b00c03dd7e63efea3c016a318b3a435c9f7eab8fcab638c
Instruction ID: 0b59f4e19e7a668026eea2e9e4418349de71382a923f2310fcfeb8b0601c0b70
Opcode Fuzzy Hash: 277a38aae66470e09b00c03dd7e63efea3c016a318b3a435c9f7eab8fcab638c
Instruction Fuzzy Hash: 23F06850B0956281D918AE4A94142B91340FF46BC0F998335EFCDCF341FE2CE004C300

Non-executed Functions

Function 00007FF6BDD19170 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 1312COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6BDD1A7E2
NaN, xrefs: 00007FF6BDD193FB
, xrefs: 00007FF6BDD1A588
Infinity, xrefs: 00007FF6BDD19486

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: 746a551bc9c21b6dcb8ca8af37f64b55f7c17c2e536a855da10a888d86e291d5
Instruction ID: 9d6db48fafedcf161e4faf0a8ddff1f4915ee2ffb5b3071340542bf643176af0
Opcode Fuzzy Hash: 746a551bc9c21b6dcb8ca8af37f64b55f7c17c2e536a855da10a888d86e291d5
Instruction Fuzzy Hash: B8C2C972A1D6628AD7298F29E04076A77A0FF85784F105335EBDD9BB85EF3DE4418B00

Function 00007FF6BDD115E4 Relevance: 5.1, Strings: 4, Instructions: 91COMMON

Download Yara Rule

Strings

[-] CryptCreateHash failed, xrefs: 00007FF6BDD11677
[-] CryptGetHashParam failed, xrefs: 00007FF6BDD1172B
[-] CryptHashData failed, xrefs: 00007FF6BDD116C9
[-] CryptAcquireContext failed, xrefs: 00007FF6BDD11638

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID:
String ID: [-] CryptAcquireContext failed$[-] CryptCreateHash failed$[-] CryptGetHashParam failed$[-] CryptHashData failed
API String ID: 0-1349797346
Opcode ID: 0d549a6b189c3e7ec0395dca60d590b3758f91a51c5070be1aff903a9f3de338
Instruction ID: f045713543d899727527471c3af8fbbc7524935d4661918722d0d6293e812cfa
Opcode Fuzzy Hash: 0d549a6b189c3e7ec0395dca60d590b3758f91a51c5070be1aff903a9f3de338
Instruction Fuzzy Hash: C441FF31B14A1588FB54DB6AE85037D6360EB54B88F104635CE9D9BB64FF3DD7058350

Function 00007FF6BDD12AE8 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

SeDebugPrivilege, xrefs: 00007FF6BDD12B87

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID:
String ID: SeDebugPrivilege
API String ID: 0-2896544425
Opcode ID: 15ef276a64f916bf1306cb3ce0f6ba863cb929d9ad5c7e86edde9c1118fa826e
Instruction ID: 7a89530b7417a6cb0ac296840be7f74c2488aed15410305682e739277c708ab6
Opcode Fuzzy Hash: 15ef276a64f916bf1306cb3ce0f6ba863cb929d9ad5c7e86edde9c1118fa826e
Instruction Fuzzy Hash: A8313D20B08B0688FB498B6EEC513696765EF44B88F00427ACE9CDF7B4FE6DD6458340

Function 00007FF6BDD12206 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FwpmEngineOpen0.FWPUCLNT ref: 00007FF6BDD1226D

Strings

[-] FwpmPr0v1d3rD3l3t3ByK3y0 fa1l3d w1th 3rr0r c0d3: 0x%x., xrefs: 00007FF6BDD12410
[-] FwpmF1lt3rEnum0 fa1l3d w1th 3rr0r c0d3: 0x%x., xrefs: 00007FF6BDD122FC
D3l3t3d f1lt3r 1d: %llu., xrefs: 00007FF6BDD123A2
D3l3t3d cu5t0m WFP pr0v1d3r., xrefs: 00007FF6BDD1241E
[-] Fa1l3d t0 d3l3t3 f1lt3r 1d: %llu w1th 3rr0r c0d3: 0x%x., xrefs: 00007FF6BDD123C0
[-] FwpmF1lt3rCr3@t3EnumH@ndl30 fa1l3d w1th 3rr0r c0d3: 0x%x., xrefs: 00007FF6BDD122B7
[-] Un@bl3 t0 f1nd @ny WFP f1lt3r cr3@t3d by th1s t00l., xrefs: 00007FF6BDD12430
[-] Fwpm3n9in30p3n0 fa1l3d w1th 3rr0r c0d3: 0x%x., xrefs: 00007FF6BDD12280

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: EngineFwpmOpen0
String ID: D3l3t3d cu5t0m WFP pr0v1d3r.$D3l3t3d f1lt3r 1d: %llu.$[-] Fa1l3d t0 d3l3t3 f1lt3r 1d: %llu w1th 3rr0r c0d3: 0x%x.$[-] Fwpm3n9in30p3n0 fa1l3d w1th 3rr0r c0d3: 0x%x.$[-] FwpmF1lt3rCr3@t3EnumH@ndl30 fa1l3d w1th 3rr0r c0d3: 0x%x.$[-] FwpmF1lt3rEnum0 fa1l3d w1th 3rr0r c0d3: 0x%x.$[-] FwpmPr0v1d3rD3l3t3ByK3y0 fa1l3d w1th 3rr0r c0d3: 0x%x.$[-] Un@bl3 t0 f1nd @ny WFP f1lt3r cr3@t3d by th1s t00l.
API String ID: 3955677900-2486579242
Opcode ID: 5469e4bc3f2a37ee838d28c19d4839e425a73c37482a8dede6d7aaa6909bcc82
Instruction ID: 554553cdc4b60703dab7f7b9c222bb55cb17fc926424027027b074007e99c17c
Opcode Fuzzy Hash: 5469e4bc3f2a37ee838d28c19d4839e425a73c37482a8dede6d7aaa6909bcc82
Instruction Fuzzy Hash: A2613C32F04A2699FB04DBA9E4453AD3BB0EB04798F504235DF8DABB99EE38D1448740

Function 00007FF6BDD117DC Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FwpmEngineOpen0.FWPUCLNT ref: 00007FF6BDD11860

Strings

[-] CreateToolhelp32Snapshot failed with error code: 0x%x., xrefs: 00007FF6BDD118BD
Added WFP filter for "%S" (Filter id: %d, IPv4 layer)., xrefs: 00007FF6BDD11C69
;9rJ, xrefs: 00007FF6BDD11C75
[-] Process32First failed with error code: 0x%x., xrefs: 00007FF6BDD118FD
Detected EDR process: %s (PID: %d), xrefs: 00007FF6BDD119B9
Added WFP filter for "%S" (Filter id: %d, IPv6 layer)., xrefs: 00007FF6BDD11CDC
[-] FwpmEngineOpen0 failed with error code: 0x%x., xrefs: 00007FF6BDD1187C
[-] No EDR process was detected., xrefs: 00007FF6BDD11D47

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: EngineFwpmOpen0
String ID: ;9rJ$Added WFP filter for "%S" (Filter id: %d, IPv4 layer).$Added WFP filter for "%S" (Filter id: %d, IPv6 layer).$Detected EDR process: %s (PID: %d)$[-] CreateToolhelp32Snapshot failed with error code: 0x%x.$[-] FwpmEngineOpen0 failed with error code: 0x%x.$[-] No EDR process was detected.$[-] Process32First failed with error code: 0x%x.
API String ID: 3955677900-4237853555
Opcode ID: 83c8f3ecb41d1a42e4bf191b75c24cf6198a7e900ae99d7db97f2324be9af394
Instruction ID: 378b0405934133e1f2495aa4358ea51174b7bfdce06b85ad945749bba722ec9d
Opcode Fuzzy Hash: 83c8f3ecb41d1a42e4bf191b75c24cf6198a7e900ae99d7db97f2324be9af394
Instruction Fuzzy Hash: 2CE11A72A05B9689EB24DF69D8543E933A0EB0478CF404239DB8C8FB99EF79D644C344

Function 00007FF6BDD11D80 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FwpmEngineOpen0.FWPUCLNT ref: 00007FF6BDD11EA5

Strings

;9rJ, xrefs: 00007FF6BDD12160
[-] Failed to add filter in IPv6 layer with error code: 0x%x., xrefs: 00007FF6BDD121D4
Added WFP filter for "%s" (Filter id: %d, IPv6 layer)., xrefs: 00007FF6BDD121BE
[-] FwpmPr0v1d3r@dd0 fa1l3d w1th 3rr0r c0d3: 0x%x., xrefs: 00007FF6BDD120D4
Added WFP filter for "%s" (Filter id: %d, IPv4 layer)., xrefs: 00007FF6BDD1213E
[-] Fwpm3n9in30p3n0 fa1l3d w1th 3rr0r c0d3: 0x%x., xrefs: 00007FF6BDD11EC1
[-] Failed to add filter in IPv4 layer with error code: 0x%x., xrefs: 00007FF6BDD12154

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: EngineFwpmOpen0
String ID: ;9rJ$Added WFP filter for "%s" (Filter id: %d, IPv4 layer).$Added WFP filter for "%s" (Filter id: %d, IPv6 layer).$[-] Failed to add filter in IPv4 layer with error code: 0x%x.$[-] Failed to add filter in IPv6 layer with error code: 0x%x.$[-] Fwpm3n9in30p3n0 fa1l3d w1th 3rr0r c0d3: 0x%x.$[-] FwpmPr0v1d3r@dd0 fa1l3d w1th 3rr0r c0d3: 0x%x.
API String ID: 3955677900-487333015
Opcode ID: c7d430b2df92e523775ff3ccf861fa4d0579403a6dc2d8b5553dd8021caba58e
Instruction ID: 36f11cbbcbb62bf4d20266c98e4f27b6f679487efb747eff6af9ca1842f88091
Opcode Fuzzy Hash: c7d430b2df92e523775ff3ccf861fa4d0579403a6dc2d8b5553dd8021caba58e
Instruction Fuzzy Hash: 07B10A72A04B968AEB25DF69D8443ED37A4F708788F404129DB4D8FB98EF79D244C740

Function 00007FF6BDD12462 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

FwpmProviderDeleteByKey0.FWPUCLNT ref: 00007FF6BDD1254A
FwpmEngineClose0.FWPUCLNT ref: 00007FF6BDD12587

Strings

[-] Th3 f1lt3r d035 n0t 3x15t., xrefs: 00007FF6BDD12504
[-] FwpmPr0v1d3rD3l3t3ByK3y0 fa1l3d w1th 3rr0r c0d3: 0x%x., xrefs: 00007FF6BDD12566
D3l3t3d f1lt3r 1d: %llu., xrefs: 00007FF6BDD124ED
D3l3t3d cu5t0m WFP pr0v1d3r., xrefs: 00007FF6BDD12574
[-] Fa1l3d t0 d3l3t3 f1lt3r 1d: %llu w1th 3rr0r c0d3: 0x%x., xrefs: 00007FF6BDD1251C
[-] Fwpm3n9in30p3n0 fa1l3d w1th 3rr0r c0d3: 0x%x., xrefs: 00007FF6BDD124BF

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: Fwpm$Close0DeleteEngineKey0Provider
String ID: D3l3t3d cu5t0m WFP pr0v1d3r.$D3l3t3d f1lt3r 1d: %llu.$[-] Fa1l3d t0 d3l3t3 f1lt3r 1d: %llu w1th 3rr0r c0d3: 0x%x.$[-] Fwpm3n9in30p3n0 fa1l3d w1th 3rr0r c0d3: 0x%x.$[-] FwpmPr0v1d3rD3l3t3ByK3y0 fa1l3d w1th 3rr0r c0d3: 0x%x.$[-] Th3 f1lt3r d035 n0t 3x15t.
API String ID: 1345698549-3345345927
Opcode ID: 6491f3e0c504a0de250c1059ee2f2ca5589d67ee8cadecfff803922eb0c39b58
Instruction ID: 6b1c33c800b928c80815175a0940df9cfeba0092d9793e49f5d7216cc857097f
Opcode Fuzzy Hash: 6491f3e0c504a0de250c1059ee2f2ca5589d67ee8cadecfff803922eb0c39b58
Instruction Fuzzy Hash: 26312721F09622D9FB08DB69D4553BD37B0EB04388F504A35DA8D9BA99FE38EA048740

Function 00007FF6BDD13560 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF6BDD13679

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF6BDD137CC
Address %p has no image-section, xrefs: 00007FF6BDD135D0, 00007FF6BDD137E0
VirtualProtect failed with code 0x%x, xrefs: 00007FF6BDD13772
Mingw-w64 runtime failure:, xrefs: 00007FF6BDD13598

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 6087b65781e204cf0afe2e745eb8bf4e038d8ac1a1228aa1d9b9705cc89b1a57
Instruction ID: 1e9e7efa51d45f7d0102e9d1039e1d289637075c46abb026627b8c09f38fe272
Opcode Fuzzy Hash: 6087b65781e204cf0afe2e745eb8bf4e038d8ac1a1228aa1d9b9705cc89b1a57
Instruction Fuzzy Hash: 2771BE72B09A5296EA189B19E84566977A1FF49BA4F444339EFDC8B390FE3CE445C300

Function 00007FF6BDD16B00 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 110COMMON

Download Yara Rule

Strings

%.*S, xrefs: 00007FF6BDD16C68
%*.*S, xrefs: 00007FF6BDD16C3D
%-*.*S, xrefs: 00007FF6BDD16C76

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID:
String ID: %*.*S$%-*.*S$%.*S
API String ID: 0-2115465065
Opcode ID: 8f6010bd01fc55410a588afeb82d4736cb3e88d09d33c926a748f7f23b714659
Instruction ID: 3bb1ebf5811b649ab34becd72c68a550f68813b16d4a16fb3f0a827fb66b26c0
Opcode Fuzzy Hash: 8f6010bd01fc55410a588afeb82d4736cb3e88d09d33c926a748f7f23b714659
Instruction Fuzzy Hash: 2D41A162B1866246E7689A2D980067966A1EF80BA4F54C335DF8CCF6C5FE3DE445CB00

Function 00007FF6BDD14370 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF6BDD144B8

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 909c1372ab14b6a71416b492c74b6a6203f2a409b4f7504a691434fc22b79b3b
Instruction ID: 3e1b8c721c3adec81875a6c22498e3b209393f6f796cf6772b52f52dd5ae9e4e
Opcode Fuzzy Hash: 909c1372ab14b6a71416b492c74b6a6203f2a409b4f7504a691434fc22b79b3b
Instruction Fuzzy Hash: AD41F262E4D17745FB6C9A29644027E2585EF52BA4F4A4B31DFADCE2C1FE6CF8414310

Function 00007FF6BDD13077 Relevance: 9.1, APIs: 6, Instructions: 107COMMON

Download Yara Rule

APIs

FwpmEngineOpen0.FWPUCLNT ref: 00007FF6BDD130CC
FwpmEngineClose0.FWPUCLNT ref: 00007FF6BDD1310C

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: EngineFwpm$Close0Open0
String ID:
API String ID: 431531443-0
Opcode ID: 23963c6e1ceab36a91c4e0780c7f23d270fd552aa5a9d020ed4792f4a6e72049
Instruction ID: bccf3afe73215d40f543d7930f15d2e3d4bd8c1536d76981f67e8a6acdbd0a14
Opcode Fuzzy Hash: 23963c6e1ceab36a91c4e0780c7f23d270fd552aa5a9d020ed4792f4a6e72049
Instruction Fuzzy Hash: D341D7B2F04B1599EB08DBA9D4453AD27B0F749B88F108535DF4DAB798EE38D540C750

Function 00007FF6BDD16DC0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 100COMMON

Download Yara Rule

Strings

%-*.*s, xrefs: 00007FF6BDD16F03
%.*s, xrefs: 00007FF6BDD16EF5
%*.*s, xrefs: 00007FF6BDD16ECD

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID:
String ID: %*.*s$%-*.*s$%.*s
API String ID: 0-4054516066
Opcode ID: 9a2473fad39f57d63a0765dbd41b26620c007b0df2ca1b1e8c962e3d4ed68ac3
Instruction ID: f0acb442c2e05026d0e54328e3856d9525ade6d05a7ed9293eb72851503e0821
Opcode Fuzzy Hash: 9a2473fad39f57d63a0765dbd41b26620c007b0df2ca1b1e8c962e3d4ed68ac3
Instruction Fuzzy Hash: 4D418F72E1827286E7649F6DD400679A691EB44BA8F44C335DF88CF6C5FE2DE4448B40

Function 00007FF6BDD13B40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00007FF6BDD13BEA

Strings

CCG , xrefs: 00007FF6BDD13B56

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 71339bac849ff795efb7dad8ad0ba29a631eac14b50d2440d44dd8416b36b288
Instruction ID: 9ae1325dadf2041cf0963c1a5640f5a1b6080e3b01f0bc5473e9b66f9e6fc834
Opcode Fuzzy Hash: 71339bac849ff795efb7dad8ad0ba29a631eac14b50d2440d44dd8416b36b288
Instruction Fuzzy Hash: E0218C60E0C96646FA7C566D894133A2182DF4A764F294B36D7ADCE3D5FE2CF8C58302

Function 00007FF6BDD1B730 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF6BDD1B78A
MultiByteToWideChar.KERNEL32 ref: 00007FF6BDD1B7CA

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 719a1811eea54039a073c7f1979f7e0563c35b4499fffa9b358b1604118e1c60
Instruction ID: 019be41c580c169d73bcea6e1e99a254e3d78fe6a8fbf79167e089544ccafb0b
Opcode Fuzzy Hash: 719a1811eea54039a073c7f1979f7e0563c35b4499fffa9b358b1604118e1c60
Instruction Fuzzy Hash: 3431D072B0C69186E3648F28B80036976A4FB96B84F548335EBD8CB7C5EE3DD481CB00

Function 00007FF6BDD1A9A0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000000,Infinity,00007FF6BDD1AADF,?,?,?,?,00000000,Infinity,00007FF6BDD18F84,?,00000000,00000003,00007FF6BDD19498), ref: 00007FF6BDD1A9CD
InitializeCriticalSection.KERNEL32(?,?,00000000,Infinity,00007FF6BDD1AADF,?,?,?,?,00000000,Infinity,00007FF6BDD18F84,?,00000000,00000003,00007FF6BDD19498), ref: 00007FF6BDD1AA0D
InitializeCriticalSection.KERNEL32(?,?,00000000,Infinity,00007FF6BDD1AADF,?,?,?,?,00000000,Infinity,00007FF6BDD18F84,?,00000000,00000003,00007FF6BDD19498), ref: 00007FF6BDD1AA16

Strings

Infinity, xrefs: 00007FF6BDD1A9A0

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: CriticalInitializeSection$Sleep
String ID: Infinity
API String ID: 1960909292-1015270809
Opcode ID: fe68115341655507fac7a5e65c84e8d05918a00e25df231b9126952d901fa10b
Instruction ID: b287729242fbaa6cb935e1989d9e1ebc88fc711376c3b86b5b73b32ca6da89c5
Opcode Fuzzy Hash: fe68115341655507fac7a5e65c84e8d05918a00e25df231b9126952d901fa10b
Instruction Fuzzy Hash: 27117F30D4851396EA3E8B0CE8912742650EF54318F851732D78ECE6A4FE6DE886D344

Function 00007FF6BDD137F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF6BDD13AB4
Unknown pseudo relocation protocol version %d., xrefs: 00007FF6BDD13AC8

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 0-395989641
Opcode ID: ab1b1461c1574895d2ef1156bf81071586de4da46f9f2b1bd83f5815ecde538a
Instruction ID: 6ba41235a9b811100349416c9176d499a4c756f42da4c82104c13f4401e3c2f1
Opcode Fuzzy Hash: ab1b1461c1574895d2ef1156bf81071586de4da46f9f2b1bd83f5815ecde538a
Instruction Fuzzy Hash: 7B71C366F18AA686EB289B68E8007696761FF44BA4F544335DF8C8F794FE3CE440C700

Function 00007FF6BDD13450 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6BDD134D0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6BDD134B7
Unknown error, xrefs: 00007FF6BDD1353C

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 90e88a1994a8f56d1943ba1a015a7a35234d3b3ad551aa24c19f31a31182a9cf
Instruction ID: 6e0199c88cb6d39c3bcb72864a6452127f47cb537cab191d8f1513e0597a066e
Opcode Fuzzy Hash: 90e88a1994a8f56d1943ba1a015a7a35234d3b3ad551aa24c19f31a31182a9cf
Instruction Fuzzy Hash: 11013063D0CF9482E6058F1CE8001BA7321FB5E749F259325EBCD6A555EF28E592C700

Function 00007FF6BDD13520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6BDD134D0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6BDD134B7
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF6BDD13520

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 95f7cd6b8717c6c260e518c2d3a1e79c173d45bc2a5dc27e434b5e21a29e404d
Instruction ID: 8f790d5d5ef151e1ded296b431a57114ddb465f9887632163f22ace3cc3aa158
Opcode Fuzzy Hash: 95f7cd6b8717c6c260e518c2d3a1e79c173d45bc2a5dc27e434b5e21a29e404d
Instruction Fuzzy Hash: FDF06256D0CE9882D2068F2CA8000BB7331FF9EB88F155325EFCD6A155EF28E582D700

Function 00007FF6BDD13530 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6BDD134D0

Strings

Total loss of significance (TLOSS), xrefs: 00007FF6BDD13530
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6BDD134B7

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: e74b8f9372f4c907cf8708f922d89ae43dd751588af47c5d2918d3a6693e446c
Instruction ID: 0535e257e4b58c23e7817a0ed4ec2f729aa8cc3ee0c06fba08cfc989c991bc93
Opcode Fuzzy Hash: e74b8f9372f4c907cf8708f922d89ae43dd751588af47c5d2918d3a6693e446c
Instruction Fuzzy Hash: 68F06252D08E9882D2068F2CA8000BB7331FF9EB88F155325EFCD6A515EF28E5828700

Function 00007FF6BDD13500 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6BDD134D0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6BDD134B7
Partial loss of significance (PLOSS), xrefs: 00007FF6BDD13500

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 9748ff417ba001e94c17b93b011cec9efba528c82cf32164129251f4d645d3cd
Instruction ID: dbbbab96204bd08bdadfc26ea9a024bf9470f376936c9c53ca88f9c336419edc
Opcode Fuzzy Hash: 9748ff417ba001e94c17b93b011cec9efba528c82cf32164129251f4d645d3cd
Instruction Fuzzy Hash: 47F06856D08E5482D2068F2CA8000BB7331FF5E788F155325EFCD6A555DF18E5828700

Function 00007FF6BDD13510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6BDD134D0

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF6BDD13510
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6BDD134B7

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 7ddcb7567db3766a8d64565dc4b8ba1e2b9ddb24f8c809585b501ce0173cbcd2
Instruction ID: 6a6cbfb57f25a27d81a0ddc60a53d8f321352212f55b0d3d50b656268aa54bb3
Opcode Fuzzy Hash: 7ddcb7567db3766a8d64565dc4b8ba1e2b9ddb24f8c809585b501ce0173cbcd2
Instruction Fuzzy Hash: 1FF06256D08E9882D2068F2CA8000BB7331FF9EB88F155325EFCD6A155EF28E5828700

Function 00007FF6BDD134F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6BDD134D0

Strings

Argument domain error (DOMAIN), xrefs: 00007FF6BDD134F0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6BDD134B7

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: c6b21b1e3a6d3837ff740fa96d0214551b81b147243a76b771e3c52cbede429d
Instruction ID: 81dcfab8f8026b2eae5547a53a83f40f8088de2d256de1fc3f3bf1882538fa6b
Opcode Fuzzy Hash: c6b21b1e3a6d3837ff740fa96d0214551b81b147243a76b771e3c52cbede429d
Instruction Fuzzy Hash: 3CF06256D08E9882D2068F2CA8000BB7331FF9EB88F155325EFCD6E155EF28E5828700

Function 00007FF6BDD13488 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6BDD134D0

Strings

Argument singularity (SIGN), xrefs: 00007FF6BDD13488
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6BDD134B7

Memory Dump Source

Source File: 00000000.00000002.2036628316.00007FF6BDD11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BDD10000, based on PE: true

Associated: 00000000.00000002.2036615117.00007FF6BDD10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036643572.00007FF6BDD1C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036658852.00007FF6BDD1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036676610.00007FF6BDD23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036691586.00007FF6BDD26000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bdd10000_yoyo.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 2aa678699bbd0232d1878c2e39d5425d08b44f71664612745e3759cc57e195dc
Instruction ID: 233b9e484c3a737a1acc4dd0c53c8dc84e6e454701254b8c87775d5fa515e5dc
Opcode Fuzzy Hash: 2aa678699bbd0232d1878c2e39d5425d08b44f71664612745e3759cc57e195dc
Instruction Fuzzy Hash: 84F03056D08E9882D616DF2CA8001AB7331FF9EB99F155326EFCD6A515EF28E582C700

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Tactics:	Credential Access, Discovery
Data Sources:	Command: Command Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yoyo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: yoyo.exePID: 6388, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 1892, Parent PID: 6388

General

Chronological Activities

Analysis Process: yoyo.exePID: 2676, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 7100, Parent PID: 2676

General

Chronological Activities

Analysis Process: yoyo.exePID: 5852, Parent PID: 1028

General

Windows Analysis Report
yoyo.exe

Function 00007FF6BDD11190 Relevance: 12.2, APIs: 8, Instructions: 203
sleepstringCOMMON

Function 00007FF6BDD1261A Relevance: 18.1, APIs: 3, Strings: 9, Instructions: 133
COMMON

Function 00007FF6BDD128F2 Relevance: 4.6, APIs: 3, Instructions: 126
COMMON

Function 00007FF6BDD163B3 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 30
COMMON

Function 00007FF6BDD12206 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 142
COMMON

Function 00007FF6BDD117DC Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 260
COMMON

Function 00007FF6BDD11D80 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 187
COMMON