Edit tour

Windows Analysis Report
LightSpoofer.exe

Overview

General Information

Sample name:	LightSpoofer.exe
Analysis ID:	1579340
MD5:	a65f59764e28b0a433ff248ea6af608a
SHA1:	c9f27343545ba7bb35e76d0886c4670fb2bbbbce
SHA256:	6ebfc0f62cd8b3d496858cbbbc489808087df835709a54415835e31208d1b515
Tags:	exeuser-aachum
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Potential thread-based time evasion detected

Query firmware table information (likely to detect VMs)

Tries to detect debuggers (CloseHandle check)

Tries to evade analysis by execution special instruction (VM detection)

Tries to harvest and steal browser information (history, passwords, etc)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Detected potential crypto function

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

LightSpoofer.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\LightSpoofer.exe" MD5: A65F59764E28B0A433FF248EA6AF608A)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: LightSpoofer.exe PID: 7328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.LightSpoofer.exe.2cca0b881d0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T19:51:03.189071+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	104.26.9.59	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: LightSpoofer.exe	Virustotal: Detection: 36%			Perma Link
Source: LightSpoofer.exe	ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: LightSpoofer.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 104.26.9.59:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: LightSpoofer.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

IP Address: 104.26.9.59 104.26.9.59

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 104.26.9.59:443

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43Host: api.myip.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43Host: api.myip.com

Source: global traffic

DNS traffic detected: DNS query: api.myip.com

Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://https://https/:://websocketpp.processorGeneric
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0E92000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0EAB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735330542.000002CCA0E8D000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1736758764.000002CCA0EAB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730804959.000002CCA0EAB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0E8D000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0EAB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1736758764.000002CCA0E8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/Russia
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: LightSpoofer.exe, LightSpoofer.exe, 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ocornut/imgui/blob/master/docs/FAQ.md#qa-usage
Source: LightSpoofer.exe, 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/ocornut/imgui/blob/master/docs/FAQ.md#qa-usage(Hold
Source: LightSpoofer.exe, 00000000.00000003.1771653224.000002CCA29CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.mic
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: LightSpoofer.exe, 00000000.00000003.1771653224.000002CCA29CB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1759955726.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1838201876.000002CCA2A22000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1869770850.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1869770850.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1821874330.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1815010928.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730997226.000002CCA29E3000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131769985.000002CCA2810000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.2306930819.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1825870311.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1939921750.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1787880746.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1762675022.000002CCA2809000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1920670025.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1751522050.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1805800803.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.2304535540.000002CCA2809000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1894061014.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1759955726.000002CCA2809000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1825870311.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: LightSpoofer.exe, 00000000.00000003.1877956950.000002CCA29A8000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131769985.000002CCA29FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: LightSpoofer.exe, 00000000.00000003.1771653224.000002CCA29CB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1838201876.000002CCA2A22000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1771653224.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1833082467.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730997226.000002CCA29E3000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1844370263.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.3433586346.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1906545811.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA29E4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1787880746.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1739398693.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730997226.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1760758571.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1741934343.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1779684507.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1877956950.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1912255604.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1859449285.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: LightSpoofer.exe, 00000000.00000003.1877956950.000002CCA29A8000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131769985.000002CCA29FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735330542.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730804959.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1736758764.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17kies
Source: LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735330542.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730804959.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1736758764.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17okiesyB
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 104.26.9.59:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: LightSpoofer.exe	Static PE information: section name: .}]=
Source: LightSpoofer.exe	Static PE information: section name: .:=`
Source: LightSpoofer.exe	Static PE information: section name: ..f;

Source: C:\Users\user\Desktop\LightSpoofer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CB8A74	0_2_00007FF661CB8A74
Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CDC1D0	0_2_00007FF661CDC1D0
Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CD251C	0_2_00007FF661CD251C
Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CDACE4	0_2_00007FF661CDACE4
Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CD2C90	0_2_00007FF661CD2C90
Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CB6D94	0_2_00007FF661CB6D94
Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CBA110	0_2_00007FF661CBA110
Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CCA920	0_2_00007FF661CCA920
Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CB28BC	0_2_00007FF661CB28BC
Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CB8028	0_2_00007FF661CB8028
Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CA3F78	0_2_00007FF661CA3F78
Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CB97AC	0_2_00007FF661CB97AC

Source: classification engine

Classification label: mal96.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\LightSpoofer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\DZY48GZ0.htm

Jump to behavior

Source: C:\Users\user\Desktop\LightSpoofer.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA28A7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: LightSpoofer.exe	Virustotal: Detection: 36%
Source: LightSpoofer.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: xinput1_4.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\LightSpoofer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: LightSpoofer.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: LightSpoofer.exe

Static file information: File size 3796992 > 1048576

Source: LightSpoofer.exe

Static PE information: Raw size of ..f; is bigger than: 0x100000 < 0x39c600

Source: LightSpoofer.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: initial sample

Static PE information: section where entry point is pointing to: ..f;

Source: LightSpoofer.exe	Static PE information: section name: .}]=
Source: LightSpoofer.exe	Static PE information: section name: .:=`
Source: LightSpoofer.exe	Static PE information: section name: ..f;

Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF661CA8C32 pushfq ; retn 0042h		0_2_00007FF661CA8C39
Source: C:\Users\user\Desktop\LightSpoofer.exe	Code function: 0_2_00007FF6620DCB2B push rdx; retf		0_2_00007FF6620DCB56

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\LightSpoofer.exe	Memory written: PID: 7328 base: 7FFE2237000D value: E9 BB CB EC FF			Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Memory written: PID: 7328 base: 7FFE2223CBC0 value: E9 5A 34 13 00			Jump to behavior

Source: C:\Users\user\Desktop\LightSpoofer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Malware Analysis System Evasion

Potential thread-based time evasion detected

Source: Initial file

Signature Results: Thread-based counter

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\LightSpoofer.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	System information queried: FirmwareTableInformation			Jump to behavior

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Desktop\LightSpoofer.exe	Special instruction interceptor: First address: 7FF6624B2055 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\LightSpoofer.exe	Special instruction interceptor: First address: 7FF6624B2076 instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Users\user\Desktop\LightSpoofer.exe

File opened / queried: VBoxMiniRdrDN

Jump to behavior

Source: C:\Users\user\Desktop\LightSpoofer.exe

Code function: 0_2_00007FF66213F8A2 rdtsc

0_2_00007FF66213F8A2

Source: C:\Users\user\Desktop\LightSpoofer.exe	Window / User API: threadDelayed 5782			Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Window / User API: foregroundWindowGot 1687			Jump to behavior

Source: LightSpoofer.exe, 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware ToolsNOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/LoadLibraryA
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsdvboxserviceu
Source: LightSpoofer.exe, 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: Kernel32.dllKernel32.dll\\.\VBoxMiniRdrDN
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtrayx64dbgh
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: LightSpoofer.exe, 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: LightSpoofer.exe, 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: \\.\VBoxMiniRdrDN
Source: LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4130559701.000002CCA0999000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735330542.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730804959.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1736758764.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: wiresharkvmwareuseri
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-gaVGAuthServicevmwaretrayv

Source: C:\Users\user\Desktop\LightSpoofer.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\LightSpoofer.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Thread information set: HideFromDebugger			Jump to behavior

Tries to detect debuggers (CloseHandle check)

Source: C:\Users\user\Desktop\LightSpoofer.exe

Handle closed: DEADC0DE

Source: C:\Users\user\Desktop\LightSpoofer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\LightSpoofer.exe

Code function: 0_2_00007FF66213F8A2 rdtsc

0_2_00007FF66213F8A2

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\LightSpoofer.exe	NtProtectVirtualMemory: Direct from: 0x7FF662309FA1	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtQueryInformationProcess: Direct from: 0x7FF66216B64E	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtQueryInformationProcess: Direct from: 0x7FF6622D8A27	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtProtectVirtualMemory: Direct from: 0x7FF6621A84F7	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtProtectVirtualMemory: Direct from: 0x7FF662171C72	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtQuerySystemInformation: Direct from: 0x7FF662171C51	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtSetInformationProcess: Direct from: 0x7FF662309991	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtProtectVirtualMemory: Direct from: 0x7FF662306851	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtQuerySystemInformation: Direct from: 0x7FF6621C842C	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtQuerySystemInformation: Direct from: 0x7FF66230F56F	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtProtectVirtualMemory: Direct from: 0x7FF6621D1F6B	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtQuerySystemInformation: Direct from: 0x7FF6621B996E	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtSetInformationThread: Direct from: 0x7FF6621A8523	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtQueryInformationProcess: Direct from: 0x7FF6622DBDC8	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtProtectVirtualMemory: Direct from: 0x7FF66248A3B6	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	NtProtectVirtualMemory: Direct from: 0x7FF662171F10	Jump to behavior

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: LightSpoofer.exe, 00000000.00000003.2184192889.000002CCA09F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0EAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: LightSpoofer.exe, 00000000.00000003.2184192889.000002CCA09F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Jaxx
Source: LightSpoofer.exe, 00000000.00000002.4131031186.000002CCA0A2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ming\Exodus\exodus.wallet
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Daedalus Mainnet\Ethereum\Guarda\Local Storage\leveldb\Zcash
Source: LightSpoofer.exe, 00000000.00000002.4131031186.000002CCA0A2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ming\Exodus\exodus.wallet
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\LightSpoofer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\LightSpoofer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match	File source: 0.2.LightSpoofer.exe.2cca0b881d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LightSpoofer.exe PID: 7328, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Credential API Hooking	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	22 Virtualization/Sandbox Evasion	1 Credential API Hooking	531 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	Security Account Manager	22 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	21 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LightSpoofer.exe	36%	Virustotal		Browse
LightSpoofer.exe	45%	ReversingLabs	Win64.Trojan.Generic
LightSpoofer.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.myip.com	104.26.9.59	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.myip.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://https://https/:://websocketpp.processorGeneric	LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	false	unknown
https://duckduckgo.com/chrome_newtab	LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://go.mic	LightSpoofer.exe, 00000000.00000003.1771653224.000002CCA29CB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	false	high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	false	high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	LightSpoofer.exe, 00000000.00000003.1771653224.000002CCA29CB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1759955726.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1838201876.000002CCA2A22000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1869770850.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1869770850.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1821874330.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1815010928.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730997226.000002CCA29E3000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131769985.000002CCA2810000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.2306930819.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1825870311.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1939921750.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1787880746.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1762675022.000002CCA2809000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1920670025.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1751522050.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1805800803.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.2304535540.000002CCA2809000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1894061014.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1759955726.000002CCA2809000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1825870311.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.myip.com/Russia	LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp	false	high
https://github.com/ocornut/imgui/blob/master/docs/FAQ.md#qa-usage(Hold	LightSpoofer.exe, 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	LightSpoofer.exe, 00000000.00000003.1771653224.000002CCA29CB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1838201876.000002CCA2A22000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1771653224.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1833082467.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730997226.000002CCA29E3000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1844370263.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.3433586346.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1906545811.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA29E4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1787880746.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1739398693.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730997226.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1760758571.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1741934343.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1779684507.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1877956950.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1912255604.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1859449285.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17kies	LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735330542.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730804959.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1736758764.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/ocornut/imgui/blob/master/docs/FAQ.md#qa-usage	LightSpoofer.exe, LightSpoofer.exe, 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	LightSpoofer.exe, 00000000.00000003.1877956950.000002CCA29A8000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131769985.000002CCA29FD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17okiesyB	LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735330542.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730804959.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1736758764.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	LightSpoofer.exe, 00000000.00000003.1877956950.000002CCA29A8000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131769985.000002CCA29FD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.9.59	api.myip.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579340
Start date and time:	2024-12-21 19:50:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	LightSpoofer.exe
Detection:	MAL
Classification:	mal96.spyw.evad.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target LightSpoofer.exe, PID 7328 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:51:36	API Interceptor	15143797x Sleep call for process: LightSpoofer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.9.59	Nexus-Executor.exe	Get hash	malicious	Unknown	Browse
	WaveExecutor.exe	Get hash	malicious	Unknown	Browse
	Nexus-Executor.exe	Get hash	malicious	Unknown	Browse
	Fortexternal.exe	Get hash	malicious	Unknown	Browse
	Fortexternal.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Ailurophile Stealer, Amadey, LummaC Stealer, Stealc	Browse
	ZoomInstaller.exe	Get hash	malicious	Unknown	Browse
	ZoomInstaller.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.myip.com	Fortexternal.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	WaveExecutor.exe	Get hash	malicious	Unknown	Browse	104.26.8.59
	Nexus-Executor.exe	Get hash	malicious	Unknown	Browse	104.26.9.59
	WaveExecutor.exe	Get hash	malicious	Unknown	Browse	104.26.9.59
	Nexus-Executor.exe	Get hash	malicious	Unknown	Browse	104.26.9.59
	Fortexternal.exe	Get hash	malicious	Unknown	Browse	104.26.9.59
	Fortexternal.exe	Get hash	malicious	Unknown	Browse	104.26.9.59
	file.exe	Get hash	malicious	Unknown	Browse	104.26.9.59

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Solara-3.0.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.21.67.146
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.67.146
	Rechnung736258.pdf.lnk	Get hash	malicious	LummaC	Browse	104.21.16.1
	https://shibe-rium.net/	Get hash	malicious	Unknown	Browse	104.18.18.237
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.197.170
	finathot.exe	Get hash	malicious	RHADAMANTHYS	Browse	172.67.178.25
	Navan - Itinerary.pdf.scr.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	BigProject.exe	Get hash	malicious	LummaC	Browse	172.67.197.170

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.26.9.59
	Rechnung736258.pdf.lnk	Get hash	malicious	LummaC	Browse	104.26.9.59
	Company Information.pdf.lnk	Get hash	malicious	Unknown	Browse	104.26.9.59
	Navan - Itinerary.pdf.scr.exe	Get hash	malicious	LummaC	Browse	104.26.9.59
	BigProject.exe	Get hash	malicious	LummaC	Browse	104.26.9.59
	setup.msi	Get hash	malicious	Unknown	Browse	104.26.9.59
	jqplot.hta	Get hash	malicious	Unknown	Browse	104.26.9.59
	Set-up!.exe	Get hash	malicious	LummaC	Browse	104.26.9.59
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.26.9.59

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.946732230069257
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LightSpoofer.exe
File size:	3'796'992 bytes
MD5:	a65f59764e28b0a433ff248ea6af608a
SHA1:	c9f27343545ba7bb35e76d0886c4670fb2bbbbce
SHA256:	6ebfc0f62cd8b3d496858cbbbc489808087df835709a54415835e31208d1b515
SHA512:	06126887a27bd7ea877895cd0b1acccb6689444c4475fdb052016526052dc7fb285b6757f1231b4b22c7de741f5c4c246425199da675218dd0a347cf5e9adc84
SSDEEP:	98304:LzLwyJXF+IXrrwu28pejllEEYp//EDZ3:bn+Qr5eUNp/sV3
TLSH:	D806236369B325FEC187CB70C0916C4E707AFF62E9D9961866855C48CEBB748AC34738
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....eg.........."....)......,.....a5d........@..........................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140643561
Entrypoint Section:	..f;
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6765A802 [Fri Dec 20 17:23:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72580ba63cb613cbe6fa975818c06da5

Entrypoint Preview

Instruction
inc ecx
push ebp
pushfd
dec ecx
mov ebp, 1D335327h
mov bh, 3Fh
or al, 3Dh
push 42A0153Ah
inc ecx
push edi
inc esp
add byte ptr [esp+08h], ch
inc ecx
bswap ebp
dec esi
mov ebp, dword ptr [esp+ebp-27533305h]
dec eax
mov dword ptr [esp+18h], 248C8ECBh
push dword ptr [esp+10h]
popfd
dec eax
lea esp, dword ptr [esp+18h]
call 00007F5C60DEE735h
push esi
adc al, byte ptr [edx-1BF23443h]
popad
add byte ptr [eax-48E52152h], ah
mov eax, dword ptr [8B9F8BE0h]
sal byte ptr [ecx+7Fh], 1
int3
pop ecx
insb
pop ss
out dx, eax
popfd
or ebx, esi
lds edx, ecx
fiadd dword ptr [edi]
push es
aad B6h
or edx, dword ptr [ecx+3Dh]
cmpsd
cwde
in eax, dx
nop
mov ebp, dword ptr [edx]
jns 00007F5C60C17236h
aas
pop ss
movsd
pop bx
int 59h
xor eax, 79ED7F6Fh
sub esi, FFFFFFCDh
in eax, B1h
ret
jle 00007F5C60C172B7h
stosb
push esi
xor byte ptr [ecx+045078A6h], ah
outsb
sub al, 8Dh
imul ebx
leave
wait
mov edi, F1BC33F7h
sub dword ptr [esi], ecx
cdq
add byte ptr [edi+5Ah], bh
fst dword ptr [esi+42A708B1h]
test eax, 4FA81106h
mov dl, byte ptr [ecx+3Eh]
inc ecx
mov eax, E6A9BA7Fh
imul esi, eax, 5E71C207h
mov dword ptr [eax], edx
pminsw mm0, mm1
scasb
adc dword ptr [ebx-10B556A0h], edx
push esp
cdq
push ss
pop ss
in al, F1h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x668080	0x190	..f;
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x860000	0x1d5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x858aa0	0x4a94	..f;
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x85e000	0x1560	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x505c50	0x28	..f;
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x858960	0x140	..f;
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4c0000	0x158	.:=`
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4b27a	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4d000	0x13f98	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x61000	0x2ab5c0	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x30d000	0x2130	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.}]=	0x310000	0x1afa3e	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.:=`	0x4c0000	0xc40	0xe00	ed35bbab5f4af39434a2f8e7294dd315	False	0.04017857142857143	data	0.25303836941042945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
..f;	0x4c1000	0x39c534	0x39c600	adb6d1c25f4ef1428ecf4c6615bfb5df	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x85e000	0x1560	0x1600	d085f27c37002db0cb244fc281fd5322	False	0.19460227272727273	GLS_BINARY_LSB_FIRST	5.470532552125455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x860000	0x1d5	0x200	f825266105ec1afd518e4b3f93a43607	False	0.525390625	data	4.701503258251789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x860058	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
d3d9.dll	Direct3DCreate9
KERNEL32.dll	QueryPerformanceFrequency
USER32.dll	UnregisterClassA
ADVAPI32.dll	RegOpenKeyExA
SHELL32.dll	SHBrowseForFolderA
ole32.dll	CoTaskMemFree
IMM32.dll	ImmSetCompositionWindow
MSVCP140.dll	_Cnd_do_broadcast_at_thread_exit
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	memset
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsprintf
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-string-l1-1-0.dll	strcmp
api-ms-win-crt-heap-l1-1-0.dll	free
api-ms-win-crt-runtime-l1-1-0.dll	_set_app_type
api-ms-win-crt-math-l1-1-0.dll	ceilf
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
KERNEL32.dll	GetSystemTimeAsFileTime
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-21T19:51:03.189071+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	104.26.9.59	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 19:51:01.463673115 CET	49730	443	192.168.2.4	104.26.9.59
Dec 21, 2024 19:51:01.463768959 CET	443	49730	104.26.9.59	192.168.2.4
Dec 21, 2024 19:51:01.463906050 CET	49730	443	192.168.2.4	104.26.9.59
Dec 21, 2024 19:51:01.481693029 CET	49730	443	192.168.2.4	104.26.9.59
Dec 21, 2024 19:51:01.481766939 CET	443	49730	104.26.9.59	192.168.2.4
Dec 21, 2024 19:51:02.703286886 CET	443	49730	104.26.9.59	192.168.2.4
Dec 21, 2024 19:51:02.703383923 CET	49730	443	192.168.2.4	104.26.9.59
Dec 21, 2024 19:51:02.796348095 CET	49730	443	192.168.2.4	104.26.9.59
Dec 21, 2024 19:51:02.796437025 CET	443	49730	104.26.9.59	192.168.2.4
Dec 21, 2024 19:51:02.796924114 CET	443	49730	104.26.9.59	192.168.2.4
Dec 21, 2024 19:51:02.797138929 CET	49730	443	192.168.2.4	104.26.9.59
Dec 21, 2024 19:51:02.800672054 CET	49730	443	192.168.2.4	104.26.9.59
Dec 21, 2024 19:51:02.847408056 CET	443	49730	104.26.9.59	192.168.2.4
Dec 21, 2024 19:51:03.189121962 CET	443	49730	104.26.9.59	192.168.2.4
Dec 21, 2024 19:51:03.189204931 CET	49730	443	192.168.2.4	104.26.9.59
Dec 21, 2024 19:51:03.189244986 CET	443	49730	104.26.9.59	192.168.2.4
Dec 21, 2024 19:51:03.189271927 CET	443	49730	104.26.9.59	192.168.2.4
Dec 21, 2024 19:51:03.189311981 CET	49730	443	192.168.2.4	104.26.9.59
Dec 21, 2024 19:51:03.189340115 CET	49730	443	192.168.2.4	104.26.9.59
Dec 21, 2024 19:51:03.190217018 CET	49730	443	192.168.2.4	104.26.9.59
Dec 21, 2024 19:51:03.190249920 CET	443	49730	104.26.9.59	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 19:51:01.305403948 CET	54357	53	192.168.2.4	1.1.1.1
Dec 21, 2024 19:51:01.453023911 CET	53	54357	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 21, 2024 19:51:01.305403948 CET	192.168.2.4	1.1.1.1	0x6188	Standard query (0)	api.myip.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 21, 2024 19:51:01.453023911 CET	1.1.1.1	192.168.2.4	0x6188	No error (0)	api.myip.com	104.26.9.59	A (IP address)	IN (0x0001)	false
Dec 21, 2024 19:51:01.453023911 CET	1.1.1.1	192.168.2.4	0x6188	No error (0)	api.myip.com	104.26.8.59	A (IP address)	IN (0x0001)	false
Dec 21, 2024 19:51:01.453023911 CET	1.1.1.1	192.168.2.4	0x6188	No error (0)	api.myip.com	172.67.75.163	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.myip.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.26.9.59	443	7328	C:\Users\user\Desktop\LightSpoofer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 18:51:02 UTC	182	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43 Host: api.myip.com
2024-12-21 18:51:03 UTC	780	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 18:51:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fNDBsqCogaWh0ehO8pz3ztbpvUF3zcoOsWTBK%2FJQtPsYGWol%2BD0gfxOcw%2Bu9GpOHxT2GsCjO7RLD%2BTuxjGiD8HvnBWV9txMjClrOUvOzyIjPLAsRk4YeoZG7ZZ1weQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a0faf9a5943bf-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1660&rtt_var=644&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2818&recv_bytes=820&delivery_rate=1759036&cwnd=252&unsent_bytes=0&cid=b4c2f38e5a58d350&ts=502&x=0"
2024-12-21 18:51:03 UTC	63	IN	Data Raw: 33 39 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 63 22 3a 22 55 53 22 7d 0d 0a Data Ascii: 39{"ip":"8.46.123.189","country":"United States","cc":"US"}
2024-12-21 18:51:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	13:50:58
Start date:	21/12/2024
Path:	C:\Users\user\Desktop\LightSpoofer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LightSpoofer.exe"
Imagebase:	0x7ff661ca0000
File size:	3'796'992 bytes
MD5 hash:	A65F59764E28B0A433FF248EA6AF608A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FF661CA6B9C Relevance: .0, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cceadd2f513bbd15ea4d4e48f82805dce07ee13dcb50de0267751e307043009
Instruction ID: e02241efa1281e9b6d774b4398a79a791ffb89b3cd3782cfd15f9a4c449418e9
Opcode Fuzzy Hash: 4cceadd2f513bbd15ea4d4e48f82805dce07ee13dcb50de0267751e307043009
Instruction Fuzzy Hash: 93E04F61B08681C2DA05AB16E5844AAA3B1FF48FC4F589131EE1C4B79ADE2CE8918700

Non-executed Functions

Function 00007FF661CB8A74 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 477COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CB8B61
_scwprintf.LIBCMT ref: 00007FF661CB8DC0
_scwprintf.LIBCMT ref: 00007FF661CB8F27

Strings

<NULL>, xrefs: 00007FF661CB8DAB
g.NavMoveDir != ImGuiDir_None && g.NavMoveClipDir != ImGuiDir_None, xrefs: 00007FF661CB8B1B
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB8B14, 00007FF661CB8B37, 00007FF661CB924C
[nav] NavMoveRequest: clamp NavRectRel for gamepad move, xrefs: 00007FF661CB8F20
[nav] NavInitRequest: from move, window "%s", layer=%d, xrefs: 00007FF661CB8DB9
g.NavMoveFlags & ImGuiNavMoveFlags_Forwarded, xrefs: 00007FF661CB8B3E
!scoring_rect.IsInverted(), xrefs: 00007FF661CB9253
[nav] NavMoveRequestForward %d, xrefs: 00007FF661CB8B5A

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: !scoring_rect.IsInverted()$<NULL>$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$[nav] NavInitRequest: from move, window "%s", layer=%d$[nav] NavMoveRequest: clamp NavRectRel for gamepad move$[nav] NavMoveRequestForward %d$g.NavMoveDir != ImGuiDir_None && g.NavMoveClipDir != ImGuiDir_None$g.NavMoveFlags & ImGuiNavMoveFlags_Forwarded
API String ID: 1992661772-1751011103
Opcode ID: 91ee76e84013a3f459193a88e53ed52d1db64132504fec99d48bfb1be99ab8c2
Instruction ID: e6989ae7df09abfa1f5feaf223fcd23c3833ef98d9496bc0d35a547ac644e87a
Opcode Fuzzy Hash: 91ee76e84013a3f459193a88e53ed52d1db64132504fec99d48bfb1be99ab8c2
Instruction Fuzzy Hash: 6E32E832D186CBC6E7129B3680416FD7370EF69B94F288732DE58AA2E1DF3C75919610

Function 00007FF661CB28BC Relevance: 14.2, Strings: 11, Instructions: 425COMMON

Download Yara Rule

Strings

Processed, xrefs: 00007FF661CB2DC1
button >= 0 && button < ImGuiMouseButton_COUNT, xrefs: 00007FF661CB2A2A
C:\Users\55yar\Desktop\imgui-master\imgui_internal.h, xrefs: 00007FF661CB2B5D, 00007FF661CB2B6B, 00007FF661CB2BE3
0 && "Unknown event!", xrefs: 00007FF661CB2CD9
it >= Data && it < Data + Size && it_last >= it && it_last <= Data + Size, xrefs: 00007FF661CB2E9A, 00007FF661CB2EA1
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB28BF, 00007FF661CB2A23, 00007FF661CB2B0B, 00007FF661CB2CD2
n >= 0 && n < BITCOUNT, xrefs: 00007FF661CB2B64, 00007FF661CB2BEA
key != ImGuiKey_None, xrefs: 00007FF661CB2B12
Remaining, xrefs: 00007FF661CB2DB6
i >= 0 && i < Size, xrefs: 00007FF661CB2965, 00007FF661CB2D4A, 00007FF661CB2DA6
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CB28C3, 00007FF661CB295E, 00007FF661CB2D43, 00007FF661CB2D9F, 00007FF661CB2E93

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: 0 && "Unknown event!"$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$C:\Users\55yar\Desktop\imgui-master\imgui_internal.h$Processed$Remaining$button >= 0 && button < ImGuiMouseButton_COUNT$i >= 0 && i < Size$it >= Data && it < Data + Size && it_last >= it && it_last <= Data + Size$key != ImGuiKey_None$n >= 0 && n < BITCOUNT
API String ID: 0-1923509833
Opcode ID: 025c5516b99d47756667b76403939c3d7a89bbc37e317f3209d15e7c68ab30aa
Instruction ID: c7ac8ee6b2584866e2f6afef82375a07a4ca6b29134f979b91292190b0c81e8f
Opcode Fuzzy Hash: 025c5516b99d47756667b76403939c3d7a89bbc37e317f3209d15e7c68ab30aa
Instruction Fuzzy Hash: 7602EB22B082C6DAEB29CB3591A03BEB7B0EB55B48F645135CA8DCB691DF2CF515C701

Function 00007FF661CB8028 Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 604COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CB81B4

Strings

g.NavActivateDownId == g.NavActivateId, xrefs: 00007FF661CB85EF
g.NavWindow != 0, xrefs: 00007FF661CB87BE
g.NavMoveDir == ImGuiDir_None, xrefs: 00007FF661CB8699
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB82AA, 00007FF661CB85E8, 00007FF661CB85F6, 00007FF661CB8692, 00007FF661CB87B7
g.NavLayer == ImGuiNavLayer_Main || g.NavLayer == ImGuiNavLayer_Menu, xrefs: 00007FF661CB82B1, 00007FF661CB82B8
[nav] NavInitRequest: ApplyResult: NavID 0x%08X in Layer %d Window "%s", xrefs: 00007FF661CB81A6

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.cpp$[nav] NavInitRequest: ApplyResult: NavID 0x%08X in Layer %d Window "%s"$g.NavActivateDownId == g.NavActivateId$g.NavLayer == ImGuiNavLayer_Main || g.NavLayer == ImGuiNavLayer_Menu$g.NavMoveDir == ImGuiDir_None$g.NavWindow != 0
API String ID: 1992661772-2167808928
Opcode ID: 7a3ac99af7bf75451db7c6883e28a7a4e62e8fd089ae6296b729805d3edc00ef
Instruction ID: a6e6cec76ccb6bb49aeaee0f144411867ca2559b7ff75af079206a9d4aef7002
Opcode Fuzzy Hash: 7a3ac99af7bf75451db7c6883e28a7a4e62e8fd089ae6296b729805d3edc00ef
Instruction Fuzzy Hash: D752BC32A086C2CAEB658F359140AFD67B1EF45F48F284235DE18EB2E5DF7C68609711

Function 00007FF661CD2C90 Relevance: 9.2, Strings: 7, Instructions: 479COMMON

Download Yara Rule

Strings

button >= 0 && button < ImGuiMouseButton_COUNT, xrefs: 00007FF661CD2F4C, 00007FF661CD329B, 00007FF661CD333E
C:\Users\55yar\Desktop\imgui-master\imgui_internal.h, xrefs: 00007FF661CD2F45, 00007FF661CD3294, 00007FF661CD3337
id != 0, xrefs: 00007FF661CD2E56
Enable Asserts, xrefs: 00007FF661CD2CA1
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CD326A
button >= 0 && button < ((int)(sizeof(g.IO.MouseDown) / sizeof(*(g.IO.MouseDown)))), xrefs: 00007FF661CD3271
C:\Users\55yar\Desktop\imgui-master\imgui_widgets.cpp, xrefs: 00007FF661CD2E4F

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui_internal.h$C:\Users\55yar\Desktop\imgui-master\imgui_widgets.cpp$Enable Asserts$button >= 0 && button < ((int)(sizeof(g.IO.MouseDown) / sizeof(*(g.IO.MouseDown))))$button >= 0 && button < ImGuiMouseButton_COUNT$id != 0
API String ID: 0-4274794215
Opcode ID: 64e98ad2264faa6da31e854a1638a10ed97e9b4cc9c84ce4149af17e0527d872
Instruction ID: ac0a3905935d9ef1cf617f7ac9f294c69b79aa1cecf332eb41e6a50ef3ae5348
Opcode Fuzzy Hash: 64e98ad2264faa6da31e854a1638a10ed97e9b4cc9c84ce4149af17e0527d872
Instruction Fuzzy Hash: 0122C562E4C2C6C6F769CB26A4502BE76B1AF81F44F245539CA9A8B2D2CF3DF445C700

Function 00007FF661CB97AC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 140COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CB9832

Strings

[nav] NavUpdateCancelRequest(), xrefs: 00007FF661CB982B
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB98B1
child_window->ChildId != 0, xrefs: 00007FF661CB98B8

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.cpp$[nav] NavUpdateCancelRequest()$child_window->ChildId != 0
API String ID: 1992661772-2037531206
Opcode ID: c5e46211852f9e651af237de402c02204190211dd0944d8f4458bd80777f54a0
Instruction ID: bff474a97afff73bf3f3ff4a1c36fdec13a2fa655f91528c8eea982915b0ed55
Opcode Fuzzy Hash: c5e46211852f9e651af237de402c02204190211dd0944d8f4458bd80777f54a0
Instruction Fuzzy Hash: 0761BF62E0C6C6C5EB65CF3690412BD77B0EF65F44F68823ADA4C9B695CF2DE8418B00

Function 00007FF661CBA110 Relevance: 4.3, Strings: 3, Instructions: 507COMMON

Download Yara Rule

Strings

C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CBA46A
shared_mods != 0, xrefs: 00007FF661CBA471
###NavUpdateWindowing, xrefs: 00007FF661CBA1B6

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: ###NavUpdateWindowing$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$shared_mods != 0
API String ID: 0-1578170595
Opcode ID: 07e2f4351f6af5c209a9b8b2390d0f5c3c4fbf44878a4e4aabe9f2bb28e7d85b
Instruction ID: 9a32179ec047f7a733c38da1cdb185f96968e3e1be2591d3cac2519ae7c847a3
Opcode Fuzzy Hash: 07e2f4351f6af5c209a9b8b2390d0f5c3c4fbf44878a4e4aabe9f2bb28e7d85b
Instruction Fuzzy Hash: FE32B122A08786D6E769CA3581402BDB3B1FF95B44F684635DB9DDB2A2DF3CF464C600

Function 00007FF661CA3F78 Relevance: 3.2, Strings: 2, Instructions: 702COMMON

Download Yara Rule

Strings

imgui.ini, xrefs: 00007FF661CA4001
imgui_log.txt, xrefs: 00007FF661CA400C

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: imgui.ini$imgui_log.txt
API String ID: 0-3179804127
Opcode ID: fceff639b748b5d5efc416f066de71199d959e339248a5c6287fa5425b9a7020
Instruction ID: d3d67b5782da3f3d9cfb0543bf2dd776c536b64d0d67907c9506082b9715e33d
Opcode Fuzzy Hash: fceff639b748b5d5efc416f066de71199d959e339248a5c6287fa5425b9a7020
Instruction Fuzzy Hash: 59929D73505BC18AD301CF25A9882DE37E8F754F48F284A39DE884BA59DF7481A5E738

Function 00007FF661CB6D94 Relevance: 2.8, Strings: 2, Instructions: 277COMMONLIBRARYCODE

Download Yara Rule

Strings

C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB6E48
(window->ChildFlags | g.NavWindow->ChildFlags) & ImGuiChildFlags_NavFlattened, xrefs: 00007FF661CB6E4F

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: (window->ChildFlags | g.NavWindow->ChildFlags) & ImGuiChildFlags_NavFlattened$C:\Users\55yar\Desktop\imgui-master\imgui.cpp
API String ID: 0-3836044477
Opcode ID: 65b2ec386b742d105aa7b141acca05feb5781312cd47e822c81fb4d593aaa9bd
Instruction ID: 6fe63b99ba240c8a885999ad0b5e106045ab44c8f35c4d69ab0b1635a9354ca9
Opcode Fuzzy Hash: 65b2ec386b742d105aa7b141acca05feb5781312cd47e822c81fb4d593aaa9bd
Instruction Fuzzy Hash: 06D1B523D08B9EC5E322563780421BD63B09F6EB85F299732EE5CFA5E1DF2C75859600

Function 00007FF661CD251C Relevance: 2.8, Strings: 2, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

Strings

NULL, xrefs: 00007FF661CD2527
Calling PopStyleColor() too many times!, xrefs: 00007FF661CD2529

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: Calling PopStyleColor() too many times!$NULL
API String ID: 0-2240636588
Opcode ID: cea83e0a8e9de7919641c9fc2f914eabdbc702984660795e491bcec252367e26
Instruction ID: 9095ddb082adccc9688b7b524e88cc5a5dc413483615c51d032925bcad455626
Opcode Fuzzy Hash: cea83e0a8e9de7919641c9fc2f914eabdbc702984660795e491bcec252367e26
Instruction Fuzzy Hash: C2C11733F08BC4C9E7119B3685422FDB371AF69788F259331EE487AAA5DF286156D700

Function 00007FF661CCA920 Relevance: 2.6, Strings: 2, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

Strings

C:\Users\55yar\Desktop\imgui-master\imgui_draw.cpp, xrefs: 00007FF661CCA987, 00007FF661CCA995
text_end != 0, xrefs: 00007FF661CCA98E

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: C:\Users\55yar\Desktop\imgui-master\imgui_draw.cpp$text_end != 0
API String ID: 0-48455972
Opcode ID: b08756f0a77f921d74d93357212b84ffc2a2d812b46ff87ad6c3b13b72de54b4
Instruction ID: 3bf26f1878049eebdac8c4ce2b3cb67a567918a2954a6aa8ba96cfb137d4c368
Opcode Fuzzy Hash: b08756f0a77f921d74d93357212b84ffc2a2d812b46ff87ad6c3b13b72de54b4
Instruction Fuzzy Hash: 8241EC21A14789C9E721862691452BE7371AF9EF44F6AC733E9496B364EF3CED818700

Function 00007FF661CDACE4 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ddccf032b24f38c7035c8f89c4fa0bdaecd41f599ebf399d9222721942b2cc
Instruction ID: e2ec7f8278f76fdea291d7f19802609f912479805bcbfc100f4bee2adbcd355c
Opcode Fuzzy Hash: 95ddccf032b24f38c7035c8f89c4fa0bdaecd41f599ebf399d9222721942b2cc
Instruction Fuzzy Hash: 97129333E08685DAE715CA7690403BDB7B0FF5AB44F248635EF48AA6A5DF3DA454CB00

Function 00007FF661CDC1D0 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbdf2d5dc00a2e2ad6810e3e2164745c74cca57859381502eacb5b210f656f9
Instruction ID: 6a7b80c5e3740e7e2d855c33cc08256f89a67ecc130dc148d69215a4919d39a0
Opcode Fuzzy Hash: 3bbdf2d5dc00a2e2ad6810e3e2164745c74cca57859381502eacb5b210f656f9
Instruction Fuzzy Hash: FBE1E022D8C282CAEB758A21A1407BE77B0EF51F48F245538DE9A8B6D1DF3CE944D744

Function 00007FF66213F8A2 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa01ce6f2409a58654475f4e4bc6eecf7a30bce9697a98f1841c79704636fec
Instruction ID: e521a722fc0f4c9562919fb4b3ffa9353c01a92a393478cd9e89b9b6821fabc1
Opcode Fuzzy Hash: ffa01ce6f2409a58654475f4e4bc6eecf7a30bce9697a98f1841c79704636fec
Instruction Fuzzy Hash: 0FB01202C1D0ABD3FF20325481253FC85A00B0771CE259170F35CC47C38D9CD0844121

Function 00007FF661CB3E6C Relevance: 33.3, APIs: 8, Strings: 11, Instructions: 82COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CB3EC5
_scwprintf.LIBCMT ref: 00007FF661CB3ED1
_scwprintf.LIBCMT ref: 00007FF661CB3EDD
_scwprintf.LIBCMT ref: 00007FF661CB3EE9
_scwprintf.LIBCMT ref: 00007FF661CB3EFA
_scwprintf.LIBCMT ref: 00007FF661CB3F44
_scwprintf.LIBCMT ref: 00007FF661CB3FA4
_scwprintf.LIBCMT ref: 00007FF661CB3FE2

Strings

Set io.ConfigDebugHighlightIdConflicts=false to disable this warning in non-programmers builds., xrefs: 00007FF661CB3EE2
Open FAQ->About ID Stack System, xrefs: 00007FF661CB3F59
Enable Asserts, xrefs: 00007FF661CB3FB9
https://github.com/ocornut/imgui/blob/master/docs/FAQ.md#qa-usage, xrefs: 00007FF661CB3F75
Empty label e.g. Button("") == same ID as parent widget/node. Use Button("##xx") instead!, xrefs: 00007FF661CB3ED6
Code should use PushID()/PopID() in loops, or append "##xx" to same-label identifiers!, xrefs: 00007FF661CB3ECA
Programmer error: %d visible items with conflicting ID!, xrefs: 00007FF661CB3EBE
Item Picker, xrefs: 00007FF661CB3F0F
(Hold CTRL to: use, xrefs: 00007FF661CB3EF3
to break in item call-stack, or, xrefs: 00007FF661CB3F3D
(Hold CTRL to:, xrefs: 00007FF661CB3F9D

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: (Hold CTRL to:$(Hold CTRL to: use$Code should use PushID()/PopID() in loops, or append "##xx" to same-label identifiers!$Empty label e.g. Button("") == same ID as parent widget/node. Use Button("##xx") instead!$Enable Asserts$Item Picker$Open FAQ->About ID Stack System$Programmer error: %d visible items with conflicting ID!$Set io.ConfigDebugHighlightIdConflicts=false to disable this warning in non-programmers builds.$https://github.com/ocornut/imgui/blob/master/docs/FAQ.md#qa-usage$to break in item call-stack, or
API String ID: 1992661772-3893620544
Opcode ID: 8276c37f1f8461788a813fbb995bbdc2c3c1a03fb2782fde7e549926f8cee5eb
Instruction ID: 16696b8f935bbe6d6f67a0439c55a4570c9c74585935ea2f06a2e09aa3f74c0a
Opcode Fuzzy Hash: 8276c37f1f8461788a813fbb995bbdc2c3c1a03fb2782fde7e549926f8cee5eb
Instruction Fuzzy Hash: D5416720D8C547DAEB01EB35A8812BC2370AF94F44F686171E95CDE1E2DF6CB489C790

Function 00007FF661CB2700 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 102COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CB275C
_scwprintf.LIBCMT ref: 00007FF661CB27A4
_scwprintf.LIBCMT ref: 00007FF661CB27F1
_scwprintf.LIBCMT ref: 00007FF661CB285D
_scwprintf.LIBCMT ref: 00007FF661CB2883
_scwprintf.LIBCMT ref: 00007FF661CB28A7

Strings

[io] %s: AppFocused %d, xrefs: 00007FF661CB289D
[io] %s: Key "%s" %s, xrefs: 00007FF661CB2850
Down, xrefs: 00007FF661CB27CC, 00007FF661CB2833
[io] %s: MouseWheel (%.3f, %.3f) (%s), xrefs: 00007FF661CB2815
[io] %s: MousePos (%.1f, %.1f) (%s), xrefs: 00007FF661CB277B
[io] %s: MouseButton %d %s (%s), xrefs: 00007FF661CB27E7
[io] %s: MousePos (-FLT_MAX, -FLT_MAX), xrefs: 00007FF661CB2755
[io] %s: Text: %c (U+%08X), xrefs: 00007FF661CB2876

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: Down$[io] %s: AppFocused %d$[io] %s: Key "%s" %s$[io] %s: MouseButton %d %s (%s)$[io] %s: MousePos (%.1f, %.1f) (%s)$[io] %s: MousePos (-FLT_MAX, -FLT_MAX)$[io] %s: MouseWheel (%.3f, %.3f) (%s)$[io] %s: Text: %c (U+%08X)
API String ID: 1992661772-49713677
Opcode ID: 8490d105cba8c7835c02a0e9e241db267cf4a22d4dab3efa64c36c52961c6a18
Instruction ID: a486679df0935e1cdd5099fd3aadfdc1f233d1b58979c8358154a2128165567e
Opcode Fuzzy Hash: 8490d105cba8c7835c02a0e9e241db267cf4a22d4dab3efa64c36c52961c6a18
Instruction Fuzzy Hash: 91518A6290C782C6EB218B22995017D6771AF86F90F688331EA6CDB6E5CF2DF455CB01

Function 00007FF661CB10BC Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CB11C8
_scwprintf.LIBCMT ref: 00007FF661CB1230
_scwprintf.LIBCMT ref: 00007FF661CB12EB
_scwprintf.LIBCMT ref: 00007FF661CB1333

Strings

owner_id != ((ImGuiID)0) && owner_id != ((ImGuiID)-1), xrefs: 00007FF661CB112E
ImIsPowerOfTwo(flags & ImGuiInputFlags_RouteTypeMask_), xrefs: 00007FF661CB1109
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB1102, 00007FF661CB1127, 00007FF661CB114F
SetShortcutRouting(%s, flags=%04X, owner_id=0x%08X) -> filtered as potential char input, xrefs: 00007FF661CB1223
SetShortcutRouting(%s, flags=%04X, owner_id=0x%08X) -> always, no register, xrefs: 00007FF661CB11BB
--> granting current route, xrefs: 00007FF661CB132C
flags & ImGuiInputFlags_RouteGlobal, xrefs: 00007FF661CB1156
SetShortcutRouting(%s, flags=%04X, owner_id=0x%08X) -> score %d, xrefs: 00007FF661CB12E1

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: --> granting current route$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$ImIsPowerOfTwo(flags & ImGuiInputFlags_RouteTypeMask_)$SetShortcutRouting(%s, flags=%04X, owner_id=0x%08X) -> always, no register$SetShortcutRouting(%s, flags=%04X, owner_id=0x%08X) -> filtered as potential char input$SetShortcutRouting(%s, flags=%04X, owner_id=0x%08X) -> score %d$flags & ImGuiInputFlags_RouteGlobal$owner_id != ((ImGuiID)0) && owner_id != ((ImGuiID)-1)
API String ID: 1992661772-941165894
Opcode ID: c74d416f55f33e98f5d01bcd6e8266f502d03cfc3483422cf63e4126e5d06e1c
Instruction ID: 0199e02d4170a90f86bffc4ec91abf72e62f0ee9c72f690ba8b4552c326be1ba
Opcode Fuzzy Hash: c74d416f55f33e98f5d01bcd6e8266f502d03cfc3483422cf63e4126e5d06e1c
Instruction Fuzzy Hash: 1B719A61B08282C6FF289A6AE4852BD67B1AF45F80F244139DA0DCF6D1CF3CE911C742

Function 00007FF661CB3CB4 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 99COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CB3D1A
_scwprintf.LIBCMT ref: 00007FF661CB3D4F
_scwprintf.LIBCMT ref: 00007FF661CB3DA9
_scwprintf.LIBCMT ref: 00007FF661CB3E28

Strings

(and more errors), xrefs: 00007FF661CB3E21
[imgui-error] In window '%s': %s, xrefs: 00007FF661CB3D48
NULL, xrefs: 00007FF661CB3CCD
In window '%s': %s, xrefs: 00007FF661CB3D9F
[imgui-error] (current settings: Assert=%d, Log=%d, Tooltip=%d), xrefs: 00007FF661CB3D09

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: (and more errors)$In window '%s': %s$NULL$[imgui-error] (current settings: Assert=%d, Log=%d, Tooltip=%d)$[imgui-error] In window '%s': %s
API String ID: 1992661772-3358333416
Opcode ID: 61158601240847e806a5f747d206479786c78dce3043cb2d68ffc5a89fc31de4
Instruction ID: b6534f196db56ee6107372d9f89a3d41ba27a6674f81291dd0899996476edfbd
Opcode Fuzzy Hash: 61158601240847e806a5f747d206479786c78dce3043cb2d68ffc5a89fc31de4
Instruction Fuzzy Hash: 3141A062A0CAC2D6E725CB2694443BD6BB0EB45F80F289132DA9D9B696CF3CF455C701

Function 00007FF661CBBF24 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FF661CBBF84
_cwprintf_s_l.LIBCMT ref: 00007FF661CBBF92

Strings

Size > 0, xrefs: 00007FF661CBC0C5
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CBBFEB
old_size >= 0 && new_size >= old_size && new_size >= EndOffset, xrefs: 00007FF661CBBFF2, 00007FF661CBBFF9
[%05d] , xrefs: 00007FF661CBBF8B
[%s] [%05d] , xrefs: 00007FF661CBBF7A
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CBC0BE

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$Size > 0$[%05d] $[%s] [%05d] $old_size >= 0 && new_size >= old_size && new_size >= EndOffset
API String ID: 2941638530-3442575901
Opcode ID: 5591030452e1f9e794293d5ec5ca7d0a0890c3e8b6f15fc1a61cd83795757827
Instruction ID: 81422084b859f2aeb287e583878ce755464d512e4d537c8f522bf22f326d747e
Opcode Fuzzy Hash: 5591030452e1f9e794293d5ec5ca7d0a0890c3e8b6f15fc1a61cd83795757827
Instruction Fuzzy Hash: D981DE32A08B86D6E711DB26D4442BD73B0EF49B84F548236EE1CAB695DF3DE681C704

Function 00007FF661CA9020 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 203COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CA9119

Strings

..., xrefs: 00007FF661CA9228
[io] Calling Platform_SetImeDataFn(): WantVisible: %d, InputPos (%.2f,%.2f), xrefs: 00007FF661CA90FA
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CA904E, 00007FF661CA9083, 00007FF661CA92FA
g.Initialized, xrefs: 00007FF661CA9055
g.Windows.Size == g.WindowsTempSortBuffer.Size, xrefs: 00007FF661CA9301
g.WithinFrameScope && "Forgot to call ImGui::NewFrame()?", xrefs: 00007FF661CA908A

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: ...$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$[io] Calling Platform_SetImeDataFn(): WantVisible: %d, InputPos (%.2f,%.2f)$g.Initialized$g.Windows.Size == g.WindowsTempSortBuffer.Size$g.WithinFrameScope && "Forgot to call ImGui::NewFrame()?"
API String ID: 1992661772-1859298919
Opcode ID: 7fbebeff2b21bf4d84c394af473c64504f22f155c205fbab57eb8f1c16c664a3
Instruction ID: 0474518d2bee02ac8c19283009390f173d6ce0dd9db66763cbce84853e334853
Opcode Fuzzy Hash: 7fbebeff2b21bf4d84c394af473c64504f22f155c205fbab57eb8f1c16c664a3
Instruction Fuzzy Hash: F7B15932A086C2C6EB12DF25D4852ED3BB1EB45F88F284135DA5D9F69ACF3DA550C720

Function 00007FF661CA9AA6 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF661CA9BB5
__swprintf_l.LIBCMT ref: 00007FF661CA9BC7

Strings

id != 0, xrefs: 00007FF661CA9AF0
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CA9AE9
%s/%08X, xrefs: 00007FF661CA9BBC
##Child, xrefs: 00007FF661CA9C18
%s/%s_%08X, xrefs: 00007FF661CA9BA9

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: __swprintf_l
String ID: ##Child$%s/%08X$%s/%s_%08X$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$id != 0
API String ID: 1488884202-1414757225
Opcode ID: 6b05d22b40f1feb12df9ee8b376a3ebf6314683f1975e601f72ba553d9da6d5d
Instruction ID: 2f06278068b28886f0b7a67f865578699554788f6319c74f51d14754dfa82448
Opcode Fuzzy Hash: 6b05d22b40f1feb12df9ee8b376a3ebf6314683f1975e601f72ba553d9da6d5d
Instruction Fuzzy Hash: 88518E32908A81C6E711DF26A4411ED73B0FF88F84F684236EE499B5A5DF3DE591CB40

Function 00007FF661CB5CCC Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 115COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CB5E41

Strings

<NULL>, xrefs: 00007FF661CB5E33
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB5D6C
(popup.Window->Flags & ImGuiWindowFlags_Popup) != 0, xrefs: 00007FF661CB5D73
i >= 0 && i < Size, xrefs: 00007FF661CB5D3B, 00007FF661CB5DAC
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CB5D34, 00007FF661CB5DA5
[popup] ClosePopupsOverWindow("%s"), xrefs: 00007FF661CB5E3A

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: (popup.Window->Flags & ImGuiWindowFlags_Popup) != 0$<NULL>$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$[popup] ClosePopupsOverWindow("%s")$i >= 0 && i < Size
API String ID: 1992661772-3150109516
Opcode ID: a9687306c9dee0c71e03ed0e444f1ae3756663d4878e1b518346136b637ae929
Instruction ID: 1e28c265458925e0a9bdda060b2a604c7b1174f60cce8d07a4c2d08908f9fb0c
Opcode Fuzzy Hash: a9687306c9dee0c71e03ed0e444f1ae3756663d4878e1b518346136b637ae929
Instruction Fuzzy Hash: 0741DB22B097D6DAEB1A8B21D5805BD6BB0AF40F84FA48035DE0DCB791DE6CF456C741

Function 00007FF661CA6404 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CA644F
_scwprintf.LIBCMT ref: 00007FF661CA64BF

Strings

SetActiveID() cancel MovingWindow, xrefs: 00007FF661CA6448
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CA6540
SetActiveID() old:0x%08X (window "%s") -> new:0x%08X (window "%s"), xrefs: 00007FF661CA64B8
g.ActiveIdSource != ImGuiInputSource_None, xrefs: 00007FF661CA6547

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.cpp$SetActiveID() cancel MovingWindow$SetActiveID() old:0x%08X (window "%s") -> new:0x%08X (window "%s")$g.ActiveIdSource != ImGuiInputSource_None
API String ID: 1992661772-3636884292
Opcode ID: 48b22a653d81a9f7bf32e9117bbe967dff3d9a9de8dd65dd5ffefef69f48f242
Instruction ID: 629efcba4d22ee854442f32e9f9b9e0aedc3d7f8c7fae5edc2e25fd9bc45794c
Opcode Fuzzy Hash: 48b22a653d81a9f7bf32e9117bbe967dff3d9a9de8dd65dd5ffefef69f48f242
Instruction Fuzzy Hash: 4141F672A08BD2C6E712CF29D0553ED26B1EB54F88F288039DE488E699DF7CD945C720

Function 00007FF661CBA978 Relevance: 10.1, Strings: 8, Instructions: 148COMMON

Download Yara Rule

Strings

###NavWindowingList, xrefs: 00007FF661CBA9DA, 00007FF661CBAAD2
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CBA9A4, 00007FF661CBAB3F
g.NavWindowingTarget != 0, xrefs: 00007FF661CBA9AB
##MainMenuBar, xrefs: 00007FF661CBABBD
i >= 0 && i < Size, xrefs: 00007FF661CBAB1C
window != 0, xrefs: 00007FF661CBAB46
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CBAB15, 00007FF661CBAB23
*Missing Text*, xrefs: 00007FF661CBABA7, 00007FF661CBABE7

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: ###NavWindowingList$##MainMenuBar$*Missing Text*$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$g.NavWindowingTarget != 0$i >= 0 && i < Size$window != 0
API String ID: 0-1733574533
Opcode ID: d95d5bdb2f43657a91a5f7b71bcf017ec90a19d5a63932ae4373f890bd4db931
Instruction ID: 574a045e977317663e4e938ef9f5000f327cf1b906d9b6722bd339c012ceeba8
Opcode Fuzzy Hash: d95d5bdb2f43657a91a5f7b71bcf017ec90a19d5a63932ae4373f890bd4db931
Instruction Fuzzy Hash: A6717B32A08686CAEB11DB26D4413BC37B0FF88F48F658635DA5C9A6A6CF3DE145C740

Function 00007FF661CAEE6C Relevance: 10.1, Strings: 8, Instructions: 141COMMON

Download Yara Rule

Strings

g.WindowsFocusOrder[n]->FocusOrder == n, xrefs: 00007FF661CAF030
Size > 0, xrefs: 00007FF661CAEF1F
window == window->RootWindow, xrefs: 00007FF661CAEEA8
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CAEEA1, 00007FF661CAEEFC, 00007FF661CAF029, 00007FF661CAF037
Calling PopStyleColor() too many times!, xrefs: 00007FF661CAEE80
i >= 0 && i < Size, xrefs: 00007FF661CAEED6, 00007FF661CAEF6B, 00007FF661CAEF95, 00007FF661CAEFC8, 00007FF661CAEFFD, 00007FF661CAF05F
g.WindowsFocusOrder[cur_order] == window, xrefs: 00007FF661CAEF03
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CAEEBD, 00007FF661CAEEE0, 00007FF661CAF069

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$Calling PopStyleColor() too many times!$Size > 0$g.WindowsFocusOrder[cur_order] == window$g.WindowsFocusOrder[n]->FocusOrder == n$i >= 0 && i < Size$window == window->RootWindow
API String ID: 0-3197409515
Opcode ID: d96a85479d426c2db2d2b46e0d8bdca8a2dfb2d1788322e7b19ed8df3f9be860
Instruction ID: 1583d04857f1d7c073826ea4c8e2bdc585e7e39f16e0dd4edd083c67cb4534a4
Opcode Fuzzy Hash: d96a85479d426c2db2d2b46e0d8bdca8a2dfb2d1788322e7b19ed8df3f9be860
Instruction Fuzzy Hash: 8B614B32608686EAEB11DF12D4812ED2775FB85F88F684035EE4D8F695CE3DE249C781

Function 00007FF661CAF3D4 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 144COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CAF4F4

Strings

[focus] FocusWindow("%s", UnlessBelowModal): prevented by "%s"., xrefs: 00007FF661CAF4ED
<NULL>, xrefs: 00007FF661CAF4E2
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CAF580
window == 0 || window->RootWindow != 0, xrefs: 00007FF661CAF587

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: <NULL>$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$[focus] FocusWindow("%s", UnlessBelowModal): prevented by "%s".$window == 0 || window->RootWindow != 0
API String ID: 1992661772-4291879612
Opcode ID: 68788c230609c07a847797335c407862e79a055d8c9f33968f4671ce23e8e9f4
Instruction ID: 957c5070ba0f0e9cf048fdce139dd1deaa8e604a05d9fd114c3acc9298d3e627
Opcode Fuzzy Hash: 68788c230609c07a847797335c407862e79a055d8c9f33968f4671ce23e8e9f4
Instruction Fuzzy Hash: C8615B22A096C2DBFF6A9A2591453BD66B0AF00F44F2C4035DA9D8F2D6DF7CF8518351

Function 00007FF661CA3A04 Relevance: 7.7, Strings: 6, Instructions: 249COMMON

Download Yara Rule

Strings

index >= 0, xrefs: 00007FF661CA3B12
PackIdMouseCursors != -1, xrefs: 00007FF661CA3AE6
C:\Users\55yar\Desktop\imgui-master\imgui_draw.cpp, xrefs: 00007FF661CA3ADF
i >= 0 && i < Size, xrefs: 00007FF661CA3B34
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CA3B0B, 00007FF661CA3B2D
##Foreground, xrefs: 00007FF661CA3C92

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: ##Foreground$C:\Users\55yar\Desktop\imgui-master\imgui.h$C:\Users\55yar\Desktop\imgui-master\imgui_draw.cpp$PackIdMouseCursors != -1$i >= 0 && i < Size$index >= 0
API String ID: 0-1778269986
Opcode ID: 2d79ffd0411e9f130eb0e86052e325923920507ec6c260163a96db9a8f8216c6
Instruction ID: 8daf3a90dc47bdad7b6f63f5249c87821169a3c3db22bded9552168727b8db56
Opcode Fuzzy Hash: 2d79ffd0411e9f130eb0e86052e325923920507ec6c260163a96db9a8f8216c6
Instruction Fuzzy Hash: F6C1A432A14B88DAE711CB3694411BDB370FF6D784F289722EE8C66665DF38E195DB00

Function 00007FF661CA4F5C Relevance: 7.7, Strings: 6, Instructions: 247COMMON

Download Yara Rule

Strings

Window, xrefs: 00007FF661CA4FA9
C:\Users\55yar\Desktop\imgui-master\imgui_internal.h, xrefs: 00007FF661CA531B
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CA4F95, 00007FF661CA4FA3
n >= 0 && n < BITCOUNT, xrefs: 00007FF661CA5322
!g.Initialized && !g.SettingsLoaded, xrefs: 00007FF661CA4F9C
Table, xrefs: 00007FF661CA500D

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: !g.Initialized && !g.SettingsLoaded$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui_internal.h$Table$Window$n >= 0 && n < BITCOUNT
API String ID: 0-1899103642
Opcode ID: 02e04d83e55b622ad02bd6503e6b7f1b96a1e895010b96ba7ec76927af956e50
Instruction ID: a3d217eea525d878c5977bf449ce71fe1a40ee56e9c473555ff01ac025e40239
Opcode Fuzzy Hash: 02e04d83e55b622ad02bd6503e6b7f1b96a1e895010b96ba7ec76927af956e50
Instruction Fuzzy Hash: 41C13932A05B82D6E705CB64E9802AD33F5FB44B48F68863ADA4D9BB55DF3CE461C350

Function 00007FF661CD3E5C Relevance: 7.7, Strings: 6, Instructions: 175COMMON

Download Yara Rule

Strings

idx == 0 || idx == 1, xrefs: 00007FF661CD3F1F, 00007FF661CD400C, 00007FF661CD4025, 00007FF661CD4052, 00007FF661CD406B, 00007FF661CD4096, 00007FF661CD40E8
#SCROLLX, xrefs: 00007FF661CD3EBC
#SCROLLY, xrefs: 00007FF661CD3E83
C:\Users\55yar\Desktop\imgui-master\imgui_widgets.cpp, xrefs: 00007FF661CD3F49
scrollbar_size > 0.0f, xrefs: 00007FF661CD3F50
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CD3ED5, 00007FF661CD40A0

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: #SCROLLX$#SCROLLY$C:\Users\55yar\Desktop\imgui-master\imgui.h$C:\Users\55yar\Desktop\imgui-master\imgui_widgets.cpp$idx == 0 || idx == 1$scrollbar_size > 0.0f
API String ID: 0-3683736980
Opcode ID: 26e9cfdfcee1ab6e48f8009b297e48db4d46d7729d55e73472f149fdd4525472
Instruction ID: 012191a5ca53b650cbdadb924a571b5935606bcfc49b8bed5275b344d620b2c7
Opcode Fuzzy Hash: 26e9cfdfcee1ab6e48f8009b297e48db4d46d7729d55e73472f149fdd4525472
Instruction Fuzzy Hash: 41811422B14A85D5E7128B3684426FD7371FF9AB88F159331EE0C6B661CF39A696C700

Function 00007FF661CA9F48 Relevance: 7.6, Strings: 6, Instructions: 139COMMON

Download Yara Rule

Strings

it >= Data && it < Data + Size, xrefs: 00007FF661CAA10E
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CA9FD7, 00007FF661CAA065, 00007FF661CAA073
i >= 0 && i < Size, xrefs: 00007FF661CAA045, 00007FF661CAA0AA
!g.WindowsFocusOrder.contains(window), xrefs: 00007FF661CA9FDE
g.WindowsFocusOrder[window->FocusOrder] == window, xrefs: 00007FF661CAA06C
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CAA03E, 00007FF661CAA0A3, 00007FF661CAA107

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: !g.WindowsFocusOrder.contains(window)$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$g.WindowsFocusOrder[window->FocusOrder] == window$i >= 0 && i < Size$it >= Data && it < Data + Size
API String ID: 0-3130785268
Opcode ID: a7f7664b5203fd6f2ba7a1c06e6e527c329203bbec9bcbc23641aa937cab132d
Instruction ID: ef0ff1a77f611c82d3c3df27b8ba991585229d7fc4e385427fe422646a24fa1f
Opcode Fuzzy Hash: a7f7664b5203fd6f2ba7a1c06e6e527c329203bbec9bcbc23641aa937cab132d
Instruction Fuzzy Hash: 7F519F32A08692E6EB15DB15D4812FD6770FB80F84F608431DB1E8B6A4DF7EE556C780

Function 00007FF661CB3714 Relevance: 7.5, Strings: 6, Instructions: 47COMMON

Download Yara Rule

Strings

g.CurrentWindowStack[0].Window->IsFallbackWindow, xrefs: 00007FF661CB37B2
(key_mods == 0 || g.IO.KeyMods == key_mods) && "Mismatching io.KeyCtrl/io.KeyShift/io.KeyAlt/io.KeySuper vs io.KeyMods", xrefs: 00007FF661CB373F
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB3738, 00007FF661CB375B, 00007FF661CB37AB
g.CurrentWindowStack.Size == 1, xrefs: 00007FF661CB3762
i >= 0 && i < Size, xrefs: 00007FF661CB3785
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CB377E

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: (key_mods == 0 || g.IO.KeyMods == key_mods) && "Mismatching io.KeyCtrl/io.KeyShift/io.KeyAlt/io.KeySuper vs io.KeyMods"$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$g.CurrentWindowStack.Size == 1$g.CurrentWindowStack[0].Window->IsFallbackWindow$i >= 0 && i < Size
API String ID: 0-4064706654
Opcode ID: 20d5e0f087f135f08ac1dc9288cddfb7ce34003cb165ef31751b55a4168bca40
Instruction ID: 3dd65a1ec0873119a64593d7adc8bd5a8d429ad7a01bc38c1a94782cd0f47981
Opcode Fuzzy Hash: 20d5e0f087f135f08ac1dc9288cddfb7ce34003cb165ef31751b55a4168bca40
Instruction Fuzzy Hash: 73216AA6E08683E6FB10DB14D8942B82770EF85F49F686035DA0CCF295DE2CE645C740

Function 00007FF661CB609C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 94COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CB61EA

Strings

i >= 0 && i < Size, xrefs: 00007FF661CB60E3, 00007FF661CB6113, 00007FF661CB6152, 00007FF661CB6159, 00007FF661CB6185
[popup] CloseCurrentPopup %d -> %d, xrefs: 00007FF661CB61DE
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CB60DC, 00007FF661CB610C, 00007FF661CB614B, 00007FF661CB617E

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.h$[popup] CloseCurrentPopup %d -> %d$i >= 0 && i < Size
API String ID: 1992661772-2508444311
Opcode ID: 556f2e7e88570f14facfa64f5209849845418a47ee03c26f6376404a6f42d68b
Instruction ID: 64f7f9db68ee1e9f387ab8e679e7c87dcfeb40cc7352e79bea3ba9bc66841828
Opcode Fuzzy Hash: 556f2e7e88570f14facfa64f5209849845418a47ee03c26f6376404a6f42d68b
Instruction Fuzzy Hash: 6F415732A08AD2D9EB10DF25D0906AC2772EF90F88F589035DE4CCF296DE6DE946C751

Function 00007FF661CC6A40 Relevance: 6.5, Strings: 5, Instructions: 268COMMON

Download Yara Rule

Strings

it >= Data && it < Data + Size, xrefs: 00007FF661CC6BBB
Size > 0, xrefs: 00007FF661CC6D95, 00007FF661CC6D9C
i >= 0 && i < Size, xrefs: 00007FF661CC6AEC, 00007FF661CC6B55, 00007FF661CC6D02
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CC6AE5, 00007FF661CC6B4E, 00007FF661CC6BB4, 00007FF661CC6CFB, 00007FF661CC6D8E
##Foreground, xrefs: 00007FF661CC6A4C

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: ##Foreground$C:\Users\55yar\Desktop\imgui-master\imgui.h$Size > 0$i >= 0 && i < Size$it >= Data && it < Data + Size
API String ID: 0-3182287476
Opcode ID: d38bb8bca4e43099c6e68e0c607211c95e0797b1fb3f318919a220294931ceb2
Instruction ID: 340b12eb04b8d6b01adda09277d2d37579853d6e4aae9f5fbac52f3a0aa5c761
Opcode Fuzzy Hash: d38bb8bca4e43099c6e68e0c607211c95e0797b1fb3f318919a220294931ceb2
Instruction Fuzzy Hash: 1AC16B72A14A92CAEB24CF15E6416BD6370FB44B88F608135DB8E8B745DF3CE992C740

Function 00007FF661CC6F28 Relevance: 6.4, Strings: 5, Instructions: 131COMMON

Download Yara Rule

Strings

draw_list->VtxBuffer.Size == 0 || draw_list->_VtxWritePtr == draw_list->VtxBuffer.Data + draw_list->VtxBuffer.Size, xrefs: 00007FF661CC6F99
draw_list->_VtxCurrentIdx < (1 << 16) && "Too many vertices in ImDrawList using 16-bit indices. Read comment above", xrefs: 00007FF661CC700F
C:\Users\55yar\Desktop\imgui-master\imgui_draw.cpp, xrefs: 00007FF661CC6F74
draw_list->IdxBuffer.Size == 0 || draw_list->_IdxWritePtr == draw_list->IdxBuffer.Data + draw_list->IdxBuffer.Size, xrefs: 00007FF661CC6FC7
(int)draw_list->_VtxCurrentIdx == draw_list->VtxBuffer.Size, xrefs: 00007FF661CC6FF0

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: (int)draw_list->_VtxCurrentIdx == draw_list->VtxBuffer.Size$C:\Users\55yar\Desktop\imgui-master\imgui_draw.cpp$draw_list->IdxBuffer.Size == 0 || draw_list->_IdxWritePtr == draw_list->IdxBuffer.Data + draw_list->IdxBuffer.Size$draw_list->VtxBuffer.Size == 0 || draw_list->_VtxWritePtr == draw_list->VtxBuffer.Data + draw_list->VtxBuffer.Size$draw_list->_VtxCurrentIdx < (1 << 16) && "Too many vertices in ImDrawList using 16-bit indices. Read comment above"
API String ID: 0-1275842224
Opcode ID: af44674d26490b6a1525eb3739a19658aa740c9ac00af0e8631c6393b37dfe22
Instruction ID: d328fa95dffad70289c39072c366c18ac708fa875bcc2393d6fdc10516f64379
Opcode Fuzzy Hash: af44674d26490b6a1525eb3739a19658aa740c9ac00af0e8631c6393b37dfe22
Instruction Fuzzy Hash: 54516676A09B52C6EBA48B15D19037C37B0FB44F88F258136CA5D8B695DF3CE896C740

Function 00007FF661CB08E4 Relevance: 6.3, Strings: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

Strings

Shift+, xrefs: 00007FF661CB0952
%s%s%s%s%s, xrefs: 00007FF661CB0967
Super+, xrefs: 00007FF661CB0947
Ctrl+, xrefs: 00007FF661CB099D
Alt+, xrefs: 00007FF661CB0973

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: %s%s%s%s%s$Alt+$Ctrl+$Shift+$Super+
API String ID: 0-2491121921
Opcode ID: de3bc86cc0cbad49a08cd501826ca6fc9dd09288c3da5442e29603c22915087a
Instruction ID: 3d141a826329231803eec5d537e660c7a2ee23ec5ee7ce2a2d2deb7168a28ea9
Opcode Fuzzy Hash: de3bc86cc0cbad49a08cd501826ca6fc9dd09288c3da5442e29603c22915087a
Instruction Fuzzy Hash: 8221C065E08BD5C8F7118B11A5411AD67B1EB80F90F64023ADA6DDB795CE3CE616C341

Function 00007FF661CB1598 Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

button >= 0 && button < ImGuiMouseButton_COUNT, xrefs: 00007FF661CB166D, 00007FF661CB1674
C:\Users\55yar\Desktop\imgui-master\imgui_internal.h, xrefs: 00007FF661CB1666
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB15CE, 00007FF661CB1613
(flags & ~ImGuiInputFlags_SupportedByIsMouseClicked) == 0, xrefs: 00007FF661CB161A
button >= 0 && button < ((int)(sizeof(g.IO.MouseDown) / sizeof(*(g.IO.MouseDown)))), xrefs: 00007FF661CB15D5

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: (flags & ~ImGuiInputFlags_SupportedByIsMouseClicked) == 0$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui_internal.h$button >= 0 && button < ((int)(sizeof(g.IO.MouseDown) / sizeof(*(g.IO.MouseDown))))$button >= 0 && button < ImGuiMouseButton_COUNT
API String ID: 0-529116099
Opcode ID: 7981f9960679e8831b346edbfdc0e852e0b5d96df11300f89831c8ae13b668f9
Instruction ID: 8dda6994c16f67a0d8b4db5539740e91e20754727b95644d7d3358bf7a613e24
Opcode Fuzzy Hash: 7981f9960679e8831b346edbfdc0e852e0b5d96df11300f89831c8ae13b668f9
Instruction Fuzzy Hash: 02312522E08786C2F7119B29A5412BD3370FF58B84F298231DE4CEB2A5DF2DFA558340

Function 00007FF661CA2CC4 Relevance: 6.3, Strings: 5, Instructions: 68COMMON

Download Yara Rule

Strings

Size > 0, xrefs: 00007FF661CA2D37, 00007FF661CA2DAC
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CA2D05
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CA2D30, 00007FF661CA2DA5
(0) && "Calling PopStyleVar() too many times!", xrefs: 00007FF661CA2D0C
Calling PopStyleVar() too many times!, xrefs: 00007FF661CA2CEF

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: (0) && "Calling PopStyleVar() too many times!"$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$Calling PopStyleVar() too many times!$Size > 0
API String ID: 1992661772-3246081790
Opcode ID: f77a26e184c7a97676af96b870d03ce21a862e30b70a56b26a5bbe95dd668fdf
Instruction ID: 0341c1b49fc3f82b8d0db2eb368d6a10b268e78d3f7a6123e142237bcc7480de
Opcode Fuzzy Hash: f77a26e184c7a97676af96b870d03ce21a862e30b70a56b26a5bbe95dd668fdf
Instruction Fuzzy Hash: 83319032A08682EBEB01DF25D8500AD3770FB84B48F684035EE5D8B25ACF3CE941CB91

Function 00007FF661CAFAF0 Relevance: 6.3, Strings: 5, Instructions: 54COMMON

Download Yara Rule

Strings

Size > 0, xrefs: 00007FF661CAFB73, 00007FF661CAFB9B, 00007FF661CAFBA2
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CAFB2E
(0) && "Calling EndDisabled() too many times!", xrefs: 00007FF661CAFB35
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CAFB6C, 00007FF661CAFB94
Calling EndDisabled() too many times!, xrefs: 00007FF661CAFB14

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: (0) && "Calling EndDisabled() too many times!"$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$Calling EndDisabled() too many times!$Size > 0
API String ID: 1992661772-2021065837
Opcode ID: 1445fa8653edbde96356817167664dd37956e1724efed72bce1c2fa07d4772ee
Instruction ID: 6db4670430b89eaeee4362e5ac098986a402a4c9aa31d4b4ec7c04674ec4411e
Opcode Fuzzy Hash: 1445fa8653edbde96356817167664dd37956e1724efed72bce1c2fa07d4772ee
Instruction Fuzzy Hash: E4212536A18682D6EB219F14E4514EC2771FB84F88F685031DE0D8FA9ADF7DE941C790

Function 00007FF661CA299C Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

Size > 0, xrefs: 00007FF661CA2A02, 00007FF661CA2A4F
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CA29D3
(0) && "Calling PopStyleColor() too many times!", xrefs: 00007FF661CA29DA
Calling PopStyleColor() too many times!, xrefs: 00007FF661CA29BD
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CA29FB, 00007FF661CA2A48

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: (0) && "Calling PopStyleColor() too many times!"$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$Calling PopStyleColor() too many times!$Size > 0
API String ID: 1992661772-3916413245
Opcode ID: 518199179bbfe2c5af7c550a87f54b2f1ef160d9e8a3cf99876a9895cbab328c
Instruction ID: 88819e93181e7fd880418f235b4e53ed4ab943f0b5aa42f1de85056bc2158906
Opcode Fuzzy Hash: 518199179bbfe2c5af7c550a87f54b2f1ef160d9e8a3cf99876a9895cbab328c
Instruction Fuzzy Hash: E7218032F08AC2E2EB15CB15D5916FC2371FB88B84F541130EA1D8B252DFADE995C380

Function 00007FF661CB26A8 Relevance: 6.3, Strings: 5, Instructions: 20COMMON

Download Yara Rule

Strings

((int)(sizeof(mouse_source_names) / sizeof(*(mouse_source_names)))) == ImGuiMouseSource_COUNT && source >= 0 && source < ImGuiMous, xrefs: 00007FF661CB26E7
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB26E0
Pen, xrefs: 00007FF661CB26C9
Mouse, xrefs: 00007FF661CB26AE
TouchScreen, xrefs: 00007FF661CB26BD

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: ((int)(sizeof(mouse_source_names) / sizeof(*(mouse_source_names)))) == ImGuiMouseSource_COUNT && source >= 0 && source < ImGuiMous$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$Mouse$Pen$TouchScreen
API String ID: 0-658767308
Opcode ID: 5a9206b499d7cf96e26f1ed10e7ca434978d770e99206333bde87cecba947fc8
Instruction ID: d968636ae0066b1c37bcd5242a9e1bc4b7d45af66f796c2ff142c7a5726a62c5
Opcode Fuzzy Hash: 5a9206b499d7cf96e26f1ed10e7ca434978d770e99206333bde87cecba947fc8
Instruction Fuzzy Hash: C4F01C61A19B46D5EF21DB40F8800AD6375BF84B45FA44136D99C8A724EF2CE265C704

Function 00007FF661CABDCC Relevance: 5.3, Strings: 4, Instructions: 324COMMON

Download Yara Rule

Strings

window->BeginCount == 0, xrefs: 00007FF661CABE3D
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CABE36
0, xrefs: 00007FF661CAC117
@, xrefs: 00007FF661CABF3A

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: 0$@$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$window->BeginCount == 0
API String ID: 0-2946187744
Opcode ID: 2a2ea888c1760cf5679cac6938c878b1ca82fe4e34e17367a479067106de9e9e
Instruction ID: 87eb1583cfadf2062d23333906bcda49d957f9077437262de8f82896ae9568ca
Opcode Fuzzy Hash: 2a2ea888c1760cf5679cac6938c878b1ca82fe4e34e17367a479067106de9e9e
Instruction Fuzzy Hash: 90F19133A14B89DAE312CB7684412BCB370FF59748F189721EB487B6A5DF28B1A5D700

Function 00007FF661CB1F20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FF661CB1F90

Strings

NULL, xrefs: 00007FF661CB1F82
[io] LockWheelingWindow() "%s", xrefs: 00007FF661CB1F89

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID: _scwprintf
String ID: NULL$[io] LockWheelingWindow() "%s"
API String ID: 1992661772-295439587
Opcode ID: 191c053521ccf4dd6ab20d1a7a6c06522311a47c8427ed5cc5f5ea2b89b5b2e9
Instruction ID: df34b98af65002a9b6c38f27cf589186504417a668aa65092f61f59c200f71bd
Opcode Fuzzy Hash: 191c053521ccf4dd6ab20d1a7a6c06522311a47c8427ed5cc5f5ea2b89b5b2e9
Instruction Fuzzy Hash: 19115832908B86C9E745CF29A4811BC7370EF94FD4F288331DA6C8E9A9CF2CA591C610

Function 00007FF661CD4C44 Relevance: 5.2, Strings: 4, Instructions: 160COMMON

Download Yara Rule

Strings

ImIsPowerOfTwo(flags & (ImGuiSeparatorFlags_Horizontal | ImGuiSeparatorFlags_Vertical)), xrefs: 00007FF661CD4CBA
thickness > 0.0f, xrefs: 00007FF661CD4CDE
--------------------------------, xrefs: 00007FF661CD4EDB
C:\Users\55yar\Desktop\imgui-master\imgui_widgets.cpp, xrefs: 00007FF661CD4CB3, 00007FF661CD4CD7

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: --------------------------------$C:\Users\55yar\Desktop\imgui-master\imgui_widgets.cpp$ImIsPowerOfTwo(flags & (ImGuiSeparatorFlags_Horizontal | ImGuiSeparatorFlags_Vertical))$thickness > 0.0f
API String ID: 0-3029266753
Opcode ID: f7594a02da61380f4b3f8b0a4a1e47ae803e08f548a3c966cb148a3c1198f4f6
Instruction ID: 5639aca2b60f8bbf6faf6a2ca27d185ffa3367360dff04d575033dde29fb99b8
Opcode Fuzzy Hash: f7594a02da61380f4b3f8b0a4a1e47ae803e08f548a3c966cb148a3c1198f4f6
Instruction Fuzzy Hash: 4E818E32E18A86E9E711DB36C4413FCB3B0EF99B48F189331DA486A9A5DF2CA555C740

Function 00007FF661CB41D4 Relevance: 5.1, Strings: 4, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

Strings

id != window->ID && "Cannot have an empty ID at the root of a window. If you need an empty label, use ## and read the FAQ about ho, xrefs: 00007FF661CB43E8
MESSAGE FROM DEAR IMGUI, xrefs: 00007FF661CB41E6
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB42DB, 00007FF661CB43E1
(flags & ~ImGuiInputFlags_SupportedBySetNextItemShortcut) == 0, xrefs: 00007FF661CB42E2

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: (flags & ~ImGuiInputFlags_SupportedBySetNextItemShortcut) == 0$C:\Users\55yar\Desktop\imgui-master\imgui.cpp$MESSAGE FROM DEAR IMGUI$id != window->ID && "Cannot have an empty ID at the root of a window. If you need an empty label, use ## and read the FAQ about ho
API String ID: 0-127099100
Opcode ID: 8dc80f6067248878907d3f2de2fbdb2eabc2efaf8f7c29f4867dba78a4cdfeef
Instruction ID: c077d7e3c805022b1c6742c77af12641c25e0724069c9464ebb7b6fd8b2bb9e1
Opcode Fuzzy Hash: 8dc80f6067248878907d3f2de2fbdb2eabc2efaf8f7c29f4867dba78a4cdfeef
Instruction Fuzzy Hash: D6715A33908682CAEB658B29D4402FDB7B0FB44F48F694536DB5AAB285DF7CB5418B10

Function 00007FF661CA1640 Relevance: 5.1, Strings: 4, Instructions: 124COMMON

Download Yara Rule

Strings

Ctx != 0, xrefs: 00007FF661CA1681
ImGui::IsAliasKey(key) == false, xrefs: 00007FF661CA170A
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CA167A, 00007FF661CA16DE, 00007FF661CA16EC, 00007FF661CA1703
ImGui::IsNamedKeyOrMod(key), xrefs: 00007FF661CA16E5

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.cpp$Ctx != 0$ImGui::IsAliasKey(key) == false$ImGui::IsNamedKeyOrMod(key)
API String ID: 0-601232655
Opcode ID: 41387cddf5280d513df23039338a8babadcebfbac084843ded3a7198578e621f
Instruction ID: db3620fefe01e8e57f79e3bd5b559a8ce5402bc88c3b6ad56b989100a807322a
Opcode Fuzzy Hash: 41387cddf5280d513df23039338a8babadcebfbac084843ded3a7198578e621f
Instruction Fuzzy Hash: D6518321A08786C7FB628B2991802BD6BF0EB85F80F745135DB8DDB695DF3DE9458B00

Function 00007FF661CDC034 Relevance: 5.1, Strings: 4, Instructions: 112COMMON

Download Yara Rule

Strings

C:\Users\55yar\Desktop\imgui-master\imgui_widgets.cpp, xrefs: 00007FF661CDC094, 00007FF661CDC0D7, 00007FF661CDC155, 00007FF661CDC163
storage->RangeSrcItem != ((ImGuiSelectionUserData)-1) && storage->RangeSelected != -1, xrefs: 00007FF661CDC15C
id != 0 && (ms->KeyMods & ImGuiMod_Shift) != 0, xrefs: 00007FF661CDC0DE
g.NextItemData.FocusScopeId == g.CurrentFocusScopeId && "Forgot to call SetNextItemSelectionUserData() prior to item, required in , xrefs: 00007FF661CDC09B, 00007FF661CDC0A2

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: C:\Users\55yar\Desktop\imgui-master\imgui_widgets.cpp$g.NextItemData.FocusScopeId == g.CurrentFocusScopeId && "Forgot to call SetNextItemSelectionUserData() prior to item, required in $id != 0 && (ms->KeyMods & ImGuiMod_Shift) != 0$storage->RangeSrcItem != ((ImGuiSelectionUserData)-1) && storage->RangeSelected != -1
API String ID: 0-3247314278
Opcode ID: 31d9c5387f5731045b7223a52664f36d1d37b395da59732c716bb49010548a10
Instruction ID: 4b01ff2466a55a2016399356ccff89055cab1d6b638315f66f34301ba497a7b8
Opcode Fuzzy Hash: 31d9c5387f5731045b7223a52664f36d1d37b395da59732c716bb49010548a10
Instruction Fuzzy Hash: 0951A172E48792D9EB258F75D5403BC2BB1EB05FA8F64023ADA68862D5CF3CE495C304

Function 00007FF661CB0DB8 Relevance: 5.1, Strings: 4, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

Strings

C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB0E3D
i >= 0 && i < Size, xrefs: 00007FF661CB0E7F, 00007FF661CB0EF7
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CB0E78, 00007FF661CB0EF0, 00007FF661CB0EFE
IsNamedKey(key), xrefs: 00007FF661CB0E44

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$IsNamedKey(key)$i >= 0 && i < Size
API String ID: 0-438473942
Opcode ID: 4f9a0d62e4d8893db61bcc8923423f70efd57c30195b20bec18ec23d341ba560
Instruction ID: e6c840f3e7e915df486631d37e3c10bd9b327c6cae5729ecf545f903b9a74542
Opcode Fuzzy Hash: 4f9a0d62e4d8893db61bcc8923423f70efd57c30195b20bec18ec23d341ba560
Instruction Fuzzy Hash: AD419062B08686D2EB20CB15E4812BE73B0FB84F54F644532EA9DCB295DF7CE591C700

Function 00007FF661CAF0A0 Relevance: 5.1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

Strings

Size > 0, xrefs: 00007FF661CAF0D9
Calling PopStyleColor() too many times!, xrefs: 00007FF661CAF0B3
i >= 0 && i < Size, xrefs: 00007FF661CAF12C, 00007FF661CAF16B, 00007FF661CAF19B, 00007FF661CAF1EA
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CAF0C0, 00007FF661CAF1F4

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.h$Calling PopStyleColor() too many times!$Size > 0$i >= 0 && i < Size
API String ID: 0-1293346709
Opcode ID: 5f44bd817e318c3a496c57ad36ab38516e1ebacc718757f7c2b9b8ccaf9ab156
Instruction ID: c9df71df9fc8b11a8b5269888cd3f1d49f95931d6b868abc531fa9f3e41e05e6
Opcode Fuzzy Hash: 5f44bd817e318c3a496c57ad36ab38516e1ebacc718757f7c2b9b8ccaf9ab156
Instruction Fuzzy Hash: B8415732A08A82DAEB128B15D4801AD67B0FB85F84F998132DA5D8F799CF3CF645C350

Function 00007FF661CB5990 Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB59C3
id == 0, xrefs: 00007FF661CB59CA
i >= 0 && i < Size, xrefs: 00007FF661CB5A26, 00007FF661CB5A73
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CB5A1F, 00007FF661CB5A6C

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$i >= 0 && i < Size$id == 0
API String ID: 0-2347856535
Opcode ID: d0c94b9b9f0ed4a0562dc51d0dff25ab48d8a18b4b390b9db418c98b4938017a
Instruction ID: 98f6839ba57d39da6532426d06f1f40529ab7e0d849892ffd616216e68871033
Opcode Fuzzy Hash: d0c94b9b9f0ed4a0562dc51d0dff25ab48d8a18b4b390b9db418c98b4938017a
Instruction Fuzzy Hash: EC319A32A08396CAEB108F15E5820BD2771EB91F88FA51432ED0DEF698DE7CE4428750

Function 00007FF661CB0814 Relevance: 5.1, Strings: 4, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

Strings

C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB085F
Unknown, xrefs: 00007FF661CB08C3
IsNamedKeyOrMod(key) && "Support for user key indices was dropped in favor of ImGuiKey. Please update backend and user code.", xrefs: 00007FF661CB0866
None, xrefs: 00007FF661CB0820

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.cpp$IsNamedKeyOrMod(key) && "Support for user key indices was dropped in favor of ImGuiKey. Please update backend and user code."$None$Unknown
API String ID: 0-1584183111
Opcode ID: 2e5bee5c53b718578edf02ba383ba2863b1a90edef34e62729d07a48f6d3e445
Instruction ID: 3523aaa1939d86d50b2e936e2182aeda93347e4df61571c92004940446f3fbaf
Opcode Fuzzy Hash: 2e5bee5c53b718578edf02ba383ba2863b1a90edef34e62729d07a48f6d3e445
Instruction Fuzzy Hash: AA11F250E08706D8FBB59288E2C93BD22B0EF54B41F741136C94DCE1D6DE5FAAA5C681

Function 00007FF661CAFBE8 Relevance: 5.0, Strings: 4, Instructions: 43COMMON

Download Yara Rule

Strings

Size > 0, xrefs: 00007FF661CAFC42, 00007FF661CAFC6A
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CAFC19
g.DisabledStackSize > 0, xrefs: 00007FF661CAFC20
C:\Users\55yar\Desktop\imgui-master\imgui.h, xrefs: 00007FF661CAFC3B, 00007FF661CAFC63

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui.h$Size > 0$g.DisabledStackSize > 0
API String ID: 0-52321738
Opcode ID: 14c18fc12a6f2c68ddb9d15c8e7bed111f73007a52e84daef0c2224370f4a500
Instruction ID: cc25f0fe8b12e4ca2ba946be3d94bf2625cedf1cf1732b49b453ea3f1b546cb3
Opcode Fuzzy Hash: 14c18fc12a6f2c68ddb9d15c8e7bed111f73007a52e84daef0c2224370f4a500
Instruction Fuzzy Hash: 71213432A08A82D7E711DF25E8414ED2770FB84B88F585135EE594B69ADF3CE180CB90

Function 00007FF661CB1510 Relevance: 5.0, Strings: 4, Instructions: 39COMMON

Download Yara Rule

Strings

button >= 0 && button < ImGuiMouseButton_COUNT, xrefs: 00007FF661CB1565
C:\Users\55yar\Desktop\imgui-master\imgui_internal.h, xrefs: 00007FF661CB155E
C:\Users\55yar\Desktop\imgui-master\imgui.cpp, xrefs: 00007FF661CB1534
button >= 0 && button < ((int)(sizeof(g.IO.MouseDown) / sizeof(*(g.IO.MouseDown)))), xrefs: 00007FF661CB153B

Memory Dump Source

Source File: 00000000.00000002.4136713574.00007FF661CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF661CA0000, based on PE: true

Associated: 00000000.00000002.4136682684.00007FF661CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136907424.00007FF661FAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136938598.00007FF661FB0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4136980326.00007FF661FE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137015548.00007FF661FEA000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137130428.00007FF662160000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137161391.00007FF662161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4137421539.00007FF6624FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff661ca0000_LightSpoofer.jbxd

Similarity

API ID:
String ID: C:\Users\55yar\Desktop\imgui-master\imgui.cpp$C:\Users\55yar\Desktop\imgui-master\imgui_internal.h$button >= 0 && button < ((int)(sizeof(g.IO.MouseDown) / sizeof(*(g.IO.MouseDown))))$button >= 0 && button < ImGuiMouseButton_COUNT
API String ID: 0-3749727450
Opcode ID: b3ab518d7548295a698cbf3a60913d7960f566a979a7e8dd439225948d215974
Instruction ID: df92a647cfc88bb3afa143cb7301b267952456c2e87adb9e25e4ec5906ca0cb3
Opcode Fuzzy Hash: b3ab518d7548295a698cbf3a60913d7960f566a979a7e8dd439225948d215974
Instruction Fuzzy Hash: 3301C022F186C3D6EB608B24E4401BD2771FB82B94F584032D95D8B68ADE2CF65AC700

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LightSpoofer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
LightSpoofer.exe